
Committee of Sponsoring Organizations of the Treadway Commission (COSO)

Executive Summary

May 2013

Committee of Sponsoring Organizations of the Treadway Commission

Board Members

David L. Landsittel, COSO Chair
Mark S. Beasley and Douglas F. Prawitt, American Accounting Association
Richard F. Chambers, The Institute of Internal Auditors
Charles E. Landes, American Institute of Certified Public Accountants
Marie N. Hollein, Financial Executives International
Sandra Richtermeyer and Jeffrey C. Thomson, Institute of Management Accountants

PwC — Author

Principal Contributors

Miles E.A. Everson, Engagement Leader, New York, USA
Stephen E. Soske, Project Lead Partner, Boston, USA
Frank J. Martens, Project Lead Director, Vancouver, Canada
Cara M. Beston, Partner, San Jose, USA
Charles E. Harris, Partner, Florham Park, USA
J. Aaron Garcia, Director, San Diego, USA
Catherine I. Jourdan, Director, Paris, France
Jay A. Posklensky, Director, Florham Park, USA
Sallie Jo Perraglia, Manager, New York, USA

Internal Use Only
Exported on 23/02/2022 10:29 pm © All rights are reserved. Page 1

Advisory Council

Sponsoring Organizations Representatives

Audrey A. Gramling, Bellarmine University, Fr. Raymond J. Treece Endowed Chair
Steven E. Jameson, Community Trust Bank, Executive Vice President and Chief Internal Audit & Risk Officer
J. Stephen McNally, Campbell Soup Company, Finance Director/Controller
Ray Purcell, Pfizer, Director of Financial Controls
William D. Schneider Sr., AT&T, Director of Accounting

Members at Large

Jennifer Burns, Deloitte, Partner
James DeLoach, Protiviti, Managing Director
Trent Gazzaway, Grant Thornton, Partner
Cees Klumper, The Global Fund to Fight AIDS, Tuberculosis and Malaria, Chief Risk Officer
Thomas Montminy, PwC, Partner
Alan Paulus, Ernst & Young LLP, Partner
Thomas Ray, Baruch College
Dr. Larry E. Rittenberg, University of Wisconsin, Emeritus Professor of Accounting, Chair Emeritus COSO
Sharon Todd, KPMG, Partner
Kenneth L. Vander Wal, ISACA, International President 2011-2012

Regulatory Observers and Other Observers

James Dalkin, Government Accountability Office, Director in the Financial Management and Assurance Team
Harrison E. Greene Jr., Federal Deposit Insurance Corporation, Assistant Chief Accountant
Christian Peo, Securities and Exchange Commission, Professional Accounting Fellow (Through June 2012)
Amy Steele, Securities and Exchange Commission, Associate Chief Accountant (Commencing July 2012)
Vincent Tophoff, International Federation of Accountants, Senior Technical Manager
Keith Wilson, Public Company Accounting Oversight Board, Deputy Chief Auditor

Foreword
In 1992 the Committee of Sponsoring Organizations of the Treadway Commission (COSO) released its Internal
Control — Integrated Framework (the original framework). The original framework has gained broad acceptance
and is widely used around the world. It is recognized as a leading framework for designing, implementing, and
conducting internal control and assessing the effectiveness of internal control.

In the twenty years since the inception of the original framework, business and operating environments have
changed dramatically, becoming increasingly complex, technologically driven, and global. At the same time,
stakeholders are more engaged, seeking greater transparency and accountability for the integrity of systems of
internal control that support business decisions and governance of the organization.

COSO is pleased to present the updated Internal Control — Integrated Framework (Framework). COSO
believes the Framework will enable organizations to effectively and efficiently develop and maintain systems of
internal control that can enhance the likelihood of achieving the entity's objectives and adapt to changes in the
business and operating environments.

The experienced reader will find much that is familiar in the Framework, which builds on what has proven useful
in the original version. It retains the core definition of internal control and the five components of internal control.
The requirement to consider the five components to assess the effectiveness of a system of internal control
remains fundamentally unchanged. Also, the Framework continues to emphasize the importance of
management judgment in designing, implementing, and conducting internal control, and in assessing the
effectiveness of a system of internal control.

At the same time, the Framework includes enhancements and clarifications that are intended to ease use and
application. One of the more significant enhancements is the formalization of fundamental concepts that were
introduced in the original framework. In the updated Framework, these concepts are now principles, which are
associated with the five components, and which provide clarity for the user in designing and implementing
systems of internal control and for understanding requirements for effective internal control.
The Framework has been enhanced by expanding the financial reporting category of objectives to include other
important forms of reporting, such as non-financial and internal reporting. Also, the Framework reflects
considerations of many changes in the business and operating environments over the past several decades,
including:

• Expectations for governance oversight
• Globalization of markets and operations
• Changes and greater complexities of business
• Demands and complexities in laws, rules, regulations, and standards
• Expectations for competencies and accountabilities
• Use of, and reliance on, evolving technologies
• Expectations relating to preventing and detecting fraud

This Executive Summary provides a high-level overview intended for the board of directors, chief executive
officer, and other senior management. The Framework and Appendices publication sets out the Framework,
defining internal control, describing requirements for effective internal control including components and relevant
principles, and providing direction for all levels of management to use in designing, implementing, and
conducting internal control and in assessing its effectiveness. Appendices within the Framework and Appendices
provide additional reference, but are not considered a part of the Framework. The Illustrative Tools for Assessing
Effectiveness of a System of Internal Control, provides templates and scenarios that may be useful in applying
the Framework.

In addition to the Framework, Internal Control over External Financial Reporting: A Compendium of Approaches
and Examples has been published concurrently to provide practical approaches and examples that illustrate how
the components and principles set forth in the Framework can be applied in preparing external financial
statements.

COSO previously issued Guidance on Monitoring Internal Control Systems to help organizations understand and
apply monitoring activities within a system of internal control. While this guidance was prepared to assist in
applying the original framework, COSO believes this guidance has similar applicability to the updated
Framework.

COSO may, in the future, issue other documents to provide assistance in applying the Framework. However,
neither the Internal Control over External Financial Reporting: A Compendium of Approaches and Examples,
Guidance on Monitoring Internal Control Systems, nor any other past or future guidance takes precedence over
the Framework.

Among other publications published by COSO is the Enterprise Risk Management — Integrated Framework
(ERM Framework). The ERM Framework and the Framework are intended to be complementary, and neither
supersedes the other. Yet, while these frameworks are distinct and provide a different focus, they do overlap.
The ERM Framework encompasses internal control, with several portions of the text of the original Internal
Control — Integrated Framework reproduced. Consequently, the ERM Framework remains viable and suitable for
designing, implementing, conducting, and assessing enterprise risk management.

Finally, COSO would like to thank PwC and the Advisory Council for their contributions in developing the
Framework and related documents. Their full consideration of input provided by many stakeholders and their
insight were instrumental in ensuring that the core strengths of the original framework have been preserved,
clarified, and strengthened.

David L. Landsittel

COSO Chair

Executive Summary
Internal control helps entities achieve important objectives and sustain and improve performance. COSO's
Internal Control — Integrated Framework (Framework) enables organizations to effectively and efficiently
develop systems of internal control that adapt to changing business and operating environments, mitigate risks
to acceptable levels, and support sound decision making and governance of the organization.

Designing and implementing an effective system of internal control can be challenging; operating that system
effectively and efficiently every day can be daunting. New and rapidly changing business models, greater use
and dependence on technology, increasing regulatory requirements and scrutiny, globalization, and other
challenges demand any system of internal control to be agile in adapting to changes in business, operating and
regulatory environments.

An effective system of internal control demands more than rigorous adherence to policies and procedures: it
requires the use of judgment. Management and boards of directors¹ use judgment to determine how much
control is enough. Management and other personnel use judgment every day to select, develop, and deploy
controls across the entity. Management and internal auditors, among other personnel, apply judgment as they
monitor and assess the effectiveness of the system of internal control.

The Framework assists management, boards of directors, external stakeholders, and others interacting with the
entity in their respective duties regarding internal control without being overly prescriptive. It does so by
providing both understanding of what constitutes a system of internal control and insight into when internal
control is being applied effectively.

For management and boards of directors, the Framework provides:

• A means to apply internal control to any type of entity, regardless of industry or legal structure, at the levels of
entity, operating unit, or function
• A principles-based approach that provides flexibility and allows for judgment in designing, implementing, and
conducting internal control — principles that can be applied at the entity, operating, and functional levels
• Requirements for an effective system of internal control by considering how components and principles are
present and functioning and how components operate together
• A means to identify and analyze risks, and to develop and manage appropriate responses to risks within
acceptable levels and with a greater focus on anti-fraud measures
• An opportunity to expand the application of internal control beyond financial reporting to other forms of reporting,
operations, and compliance objectives
• An opportunity to eliminate ineffective, redundant, or inefficient controls that provide minimal value in reducing
risks to the achievement of the entity's objectives

For external stakeholders of an entity and others that interact with the entity, application of this Framework
provides:

• Greater confidence in the board of directors' oversight of internal control systems
• Greater confidence regarding the achievement of entity objectives
• Greater confidence in the organization's ability to identify, analyze, and respond to risk and changes in the
business and operating environments
• Greater understanding of the requirements of an effective system of internal control
• Greater understanding that through the use of judgment, management may be able to eliminate ineffective,
redundant, or inefficient controls

Internal control is not a serial process but a dynamic and integrated process. The Framework applies to all
entities: large, mid-size, small, for-profit and not-for-profit, and government bodies. However, each organization
may choose to implement internal control differently. For instance, a smaller entity's system of internal control
may be less formal and less structured, yet still have effective internal control.

The remainder of this Executive Summary provides an overview of internal control, including a definition,
categories of objectives, a description of the requisite components and associated principles, and the requirements of an
effective system of internal control. It also includes a discussion of limitations — the reasons why no system of
internal control can be perfect. Finally, it offers considerations on how various parties may use the Framework.

Defining Internal Control

Internal control is defined as follows:

Internal control is a process, effected by an entity's board of directors, management, and other personnel,
designed to provide reasonable assurance regarding the achievement of objectives relating to operations,
reporting, and compliance.

This definition reflects certain fundamental concepts. Internal control is:

• Geared to the achievement of objectives in one or more categories — operations, reporting, and compliance
• A process consisting of ongoing tasks and activities — a means to an end, not an end in itself
• Effected by people — not merely about policy and procedure manuals, systems, and forms, but about people
and the actions they take at every level of an organization to affect internal control
• Able to provide reasonable assurance — but not absolute assurance, to an entity's senior management and
board of directors
• Adaptable to the entity structure — flexible in application for the entire entity or for a particular subsidiary,
division, operating unit, or business process

This definition is intentionally broad. It captures important concepts that are fundamental to how organizations
design, implement, and conduct internal control, providing a basis for application across organizations that
operate in different entity structures, industries, and geographic regions.

Objectives
The Framework provides for three categories of objectives, which allow organizations to focus on differing
aspects of internal control:

• Operations Objectives — These pertain to effectiveness and efficiency of the entity's operations, including
operational and financial performance goals, and safeguarding assets against loss.
• Reporting Objectives — These pertain to internal and external financial and non-financial reporting and may
encompass reliability, timeliness, transparency, or other terms as set forth by regulators, recognized standard
setters, or the entity's policies.
• Compliance Objectives — These pertain to adherence to laws and regulations to which the entity is subject.

Components of Internal Control

Internal control consists of five integrated components.

Control Environment

The control environment is the set of standards, processes, and structures that provide the basis for carrying out
internal control across the organization. The board of directors and senior management establish the tone at the
top regarding the importance of internal control including expected standards of conduct. Management
reinforces expectations at the various levels of the organization. The control environment comprises the integrity
and ethical values of the organization; the parameters enabling the board of directors to carry out its governance
oversight responsibilities; the organizational structure and assignment of authority and responsibility; the process
for attracting, developing, and retaining competent individuals; and the rigor around performance measures,
incentives, and rewards to drive accountability for performance. The resulting control environment has a
pervasive impact on the overall system of internal control.

Risk Assessment

Every entity faces a variety of risks from external and internal sources. Risk is defined as the possibility that an
event will occur and adversely affect the achievement of objectives. Risk assessment involves a dynamic and
iterative process for identifying and assessing risks to the achievement of objectives. Risks to the achievement
of these objectives from across the entity are considered relative to established risk tolerances. Thus, risk
assessment forms the basis for determining how risks will be managed.

A precondition to risk assessment is the establishment of objectives, linked at different levels of the entity.
Management specifies objectives within categories relating to operations, reporting, and compliance with
sufficient clarity to be able to identify and analyze risks to those objectives. Management also considers the
suitability of the objectives for the entity. Risk assessment also requires management to consider the impact of
possible changes in the external environment and within its own business model that may render internal control
ineffective.

Control Activities

Control activities are the actions established through policies and procedures that help ensure that
management's directives to mitigate risks to the achievement of objectives are carried out. Control activities are
performed at all levels of the entity, at various stages within business processes, and over the technology
environment. They may be preventive or detective in nature and may encompass a range of manual and
automated activities such as authorizations and approvals, verifications, reconciliations, and business
performance reviews. Segregation of duties is typically built into the selection and development of control
activities. Where segregation of duties is not practical, management selects and develops alternative control
activities.

Information and Communication

Information is necessary for the entity to carry out internal control responsibilities to support the achievement of
its objectives. Management obtains or generates and uses relevant and quality information from both internal
and external sources to support the functioning of other components of internal control. Communication is the
continual, iterative process of providing, sharing, and obtaining necessary information. Internal communication is
the means by which information is disseminated throughout the organization, flowing up, down, and across the
entity. It enables personnel to receive a clear message from senior management that control responsibilities
must be taken seriously. External communication is twofold: it enables inbound communication of relevant
external information, and it provides information to external parties in response to requirements and
expectations.

Monitoring Activities

Ongoing evaluations, separate evaluations, or some combination of the two are used to ascertain whether each
of the five components of internal control, including controls to effect the principles within each component, is
present and functioning. Ongoing evaluations, built into business processes at different levels of the entity,
provide timely information. Separate evaluations, conducted periodically, will vary in scope and frequency
depending on assessment of risks, effectiveness of ongoing evaluations, and other management considerations.
Findings are evaluated against criteria established by regulators, recognized standard-setting bodies or
management and the board of directors, and deficiencies are communicated to management and the board of
directors as appropriate.

Relationship of Objectives and Components

A direct relationship exists between objectives, which are what an entity strives to achieve, components, which
represent what is required to achieve the objectives, and the organizational structure of the entity (the operating
units, legal entities, and other). The relationship can be depicted in the form of a cube.

• The three categories of objectives — operations, reporting, and compliance — are represented by the columns.
• The five components are represented by the rows.
• An entity's organizational structure is represented by the third dimension.
Components and Principles
The Framework sets out seventeen principles representing the fundamental concepts associated with each
component. Because these principles are drawn directly from the components, an entity can achieve effective
internal control by applying all principles. All principles apply to operations, reporting, and compliance objectives.
The principles supporting the components of internal control are listed below.

Control Environment

1. The organization² demonstrates a commitment to integrity and ethical values.
2. The board of directors demonstrates independence from management and exercises oversight of the development and performance of internal control.
3. Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives.
4. The organization demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives.
5. The organization holds individuals accountable for their internal control responsibilities in the pursuit of objectives.

Risk Assessment

6. The organization specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives.
7. The organization identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed.
8. The organization considers the potential for fraud in assessing risks to the achievement of objectives.
9. The organization identifies and assesses changes that could significantly impact the system of internal control.

Control Activities

10. The organization selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels.
11. The organization selects and develops general control activities over technology to support the achievement of objectives.
12. The organization deploys control activities through policies that establish what is expected and procedures that put policies into action.

Information and Communication

13. The organization obtains or generates and uses relevant, quality information to support the functioning of internal control.
14. The organization internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control.
15. The organization communicates with external parties regarding matters affecting the functioning of internal control.

Monitoring Activities

16. The organization selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning.
17. The organization evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate.

Effective Internal Control

The Framework sets forth the requirements for an effective system of internal control. An effective system
provides reasonable assurance regarding achievement of an entity's objectives. An effective system of internal
control reduces, to an acceptable level, the risk of not achieving an entity objective and may relate to one, two,
or all three categories of objectives. It requires that:

• Each of the five components and relevant principles is present and functioning. "Present" refers to the
determination that the components and relevant principles exist in the design and implementation of the system
of internal control to achieve specified objectives. "Functioning" refers to the determination that the components
and relevant principles continue to exist in the operations and conduct of the system of internal control to
achieve specified objectives.
• The five components operate together in an integrated manner. "Operating together" refers to the determination
that all five components collectively reduce, to an acceptable level, the risk of not achieving an objective.
Components should not be considered discretely; instead, they operate together as an integrated system.
Components are interdependent with a multitude of interrelationships and linkages among them, particularly the
manner in which principles interact within and across components.

When a major deficiency exists with respect to the presence and functioning of a component or relevant
principle, or with respect to the components operating together in an integrated manner, the organization cannot
conclude that it has met the requirements for an effective system of internal control.
When a system of internal control is determined to be effective, senior management and the board of directors
have reasonable assurance, relative to the application within the entity structure, that the organization:

• Achieves effective and efficient operations when external events are considered unlikely to have a significant
impact on the achievement of objectives or where the organization can reasonably predict the nature and timing
of external events and mitigate the impact to an acceptable level
• Understands the extent to which operations are managed effectively and efficiently when external events may
have a significant impact on the achievement of objectives or where the organization can reasonably predict the
nature and timing of external events and mitigate the impact to an acceptable level
• Prepares reports in conformity with applicable rules, regulations, and standards or with the entity's specified
reporting objectives
• Complies with applicable laws, rules, regulations, and external standards

The Framework requires judgment in designing, implementing, and conducting internal control and assessing its
effectiveness. The use of judgment, within the boundaries established by laws, rules, regulations, and standards,
enhances management's ability to make better decisions about internal control, but cannot guarantee perfect
outcomes.

Limitations
The Framework recognizes that while internal control provides reasonable assurance of achieving the entity's
objectives, limitations do exist. Internal control cannot prevent bad judgment or decisions, or external events that
can cause an organization to fail to achieve its operational goals. In other words, even an effective system of
internal control can experience a failure. Limitations may result from the:

• Suitability of objectives established as a precondition to internal control
• Reality that human judgment in decision making can be faulty and subject to bias
• Breakdowns that can occur because of human failures such as simple errors
• Ability of management to override internal control
• Ability of management, other personnel, and/or third parties to circumvent controls through collusion
• External events beyond the organization's control

These limitations preclude the board and management from having absolute assurance of the achievement of
the entity's objectives — that is, internal control provides reasonable but not absolute assurance.
Notwithstanding these inherent limitations, management should be aware of them when selecting, developing,
and deploying controls that minimize, to the extent practical, these limitations.

Using the Internal Control — Integrated Framework

How this report can be used depends on the roles of the interested parties:

• The Board of Directors — The board should discuss with senior management the state of the entity's system of
internal control and provide oversight as needed. Senior management is accountable for internal control and to
the board of directors, and the board needs to establish its policies and expectations of how members should
provide oversight of the entity's internal control. The board should be apprised of the risks to the achievement of
the entity's objectives, the assessments of internal control deficiencies, the management actions deployed to
mitigate such risks and deficiencies, and how management assesses the effectiveness of the entity's system of
internal control. The board should challenge management and ask the tough questions, as necessary, and seek
input and support from internal auditors, external auditors, and others. Sub-committees of the board often can
assist the board by addressing some of these oversight activities.
• Senior Management — Senior management should assess the entity's system of internal control in relation to
the Framework, focusing on how the organization applies the seventeen principles in support of the components
of internal control. Where management has applied the 1992 edition of the framework, it should first review the
updates made to this version (as noted in Appendix F of the Framework), and consider implications of those
updates to the entity's system of internal control. Management may consider using the Illustrative Tools as part
of this initial comparison and as an ongoing evaluation of the overall effectiveness of the entity's system of
internal control.
• Other Management and Personnel — Managers and other personnel should review the changes made to this
version and assess implications of those changes on the entity's system of internal control. In addition, they
should consider how they are conducting their responsibilities in light of the Framework and discuss with more
senior personnel ideas for strengthening internal control. More specifically, they should consider how existing
controls affect the relevant principles within the five components of internal control.
• Internal Auditors — Internal auditors should review their internal audit plans and how they applied the 1992
edition of the Framework. Internal auditors also should review in detail the changes made to this version and
consider possible implications of those changes on audit plans, evaluations, and any reporting on the entity's
system of internal control.
• Independent Auditors — In some jurisdictions, an independent auditor is engaged to audit or examine the
effectiveness of the client's internal control over financial reporting in addition to auditing the entity's financial
statements. Auditors can assess the entity's system of internal control in relation to the Framework, focusing on
how the organization has selected, developed, and deployed controls that affect the principles within the
components of internal control. Auditors, similar to management, may use the Illustrative Tools as part of this
evaluation of the overall effectiveness of the entity's system of internal control.
• Other Professional Organizations — Other professional organizations providing guidance on operations,
reporting, and compliance may consider their standards and guidance in comparison to the Framework. To the
extent diversity in concepts and terminology is eliminated, all parties benefit.
• Educators — With the presumption that the Framework attains broad acceptance, its concepts and terms should
find their way into university curricula.

Footnotes

1 The Framework uses the term "board of directors," which encompasses the governing body, including
board, board of trustees, general partners, owner, or supervisory board.

2 For purposes of the Framework, the term "organization" is used to collectively capture the board,
management, and other personnel, as reflected in the definition of internal control.

Framework and Appendices

May 2013

This project was commissioned by COSO, which is dedicated to providing thought leadership through the
development of comprehensive frameworks and guidance on internal control, enterprise risk management, and
fraud deterrence designed to improve organizational performance and oversight and to reduce the extent of
fraud in organizations. COSO is a private sector initiative, jointly sponsored and funded by:

• American Accounting Association (AAA)
• American Institute of Certified Public Accountants (AICPA)
• Financial Executives International (FEI)
• Institute of Management Accountants (IMA)
• The Institute of Internal Auditors (IIA)

Committee of Sponsoring Organizations of the Treadway Commission

Board Members

David L. Landsittel, COSO Chair
Mark S. Beasley, American Accounting Association
Douglas F. Prawitt, American Accounting Association
Richard F. Chambers, The Institute of Internal Auditors
Charles E. Landes, American Institute of Certified Public Accountants
Marie N. Hollein, Financial Executives International
Sandra Richtermeyer, Institute of Management Accountants
Jeffrey C. Thomson, Institute of Management Accountants

PwC—Author

Principal Contributors

Miles E.A. Everson, Engagement Leader, New York, USA
Stephen E. Soske, Project Lead Partner, Boston, USA
Frank J. Martens, Project Lead Director, Vancouver, Canada
Cara M. Beston, Partner, San Jose, USA
Charles E. Harris, Partner, Florham Park, USA
J. Aaron Garcia, Director, San Diego, USA
Catherine I. Jourdan, Director, Paris, France
Jay A. Posklensky, Director, Florham Park, USA
Sallie Jo Perraglia, Manager, New York, USA

Advisory Council

Sponsoring Organizations Representatives

Audrey A. Gramling, Bellarmine University, Fr. Raymond J. Treece Endowed Chair
Steven E. Jameson, Community Trust Bank, Executive Vice President and Chief Internal Audit & Risk Officer
J. Stephen McNally, Campbell Soup Company, Finance Director/Controller
Ray Purcell, Pfizer, Director of Financial Controls
William D. Schneider Sr., AT&T, Director of Accounting

Members at Large

Jennifer Burns, Deloitte, Partner
James DeLoach, Protiviti, Managing Director
Trent Gazzaway, Grant Thornton, Partner
Cees Klumper, The Global Fund to Fight AIDS, Tuberculosis and Malaria, Chief Risk Officer
Thomas Montminy, PwC, Partner
Alan Paulus, Ernst & Young LLP, Partner
Thomas Ray, Baruch College
Dr. Larry E. Rittenberg, University of Wisconsin, Emeritus Professor of Accounting, Chair Emeritus COSO
Sharon Todd, KPMG, Partner
Kenneth L. Vander Wal, ISACA, International President 2011-2012

Regulatory Observers and Other Observers

James Dalkin, Government Accountability Office, Director in the Financial Management and Assurance Team
Harrison E. Greene Jr., Federal Deposit Insurance Corporation, Assistant Chief Accountant
Christian Peo, Securities and Exchange Commission, Professional Accounting Fellow (Through June 2012)
Amy Steele, Securities and Exchange Commission, Associate Chief Accountant (Commencing July 2012)
Vincent Tophoff, International Federation of Accountants, Senior Technical Manager
Keith Wilson, Public Company Accounting Oversight Board, Deputy Chief Auditor

Additional PwC Contributors

Joseph Atkinson, Partner, New York, USA
Jeffrey Boyle, Partner, Tokyo, Japan
Glenn Brady, Partner, St. Louis, USA
James Chang, Partner, Beijing, China
Mark Cohen, Partner, San Francisco, USA
Andrew Dahle, Partner, Chicago, USA
Mary Grace Davenport, Partner, New York, USA
Megan Haas, Partner, Hong Kong, China
Junya Hakoda, Partner (Retired), Tokyo, Japan
Diana Hillier, Partner, London, England
Steve Hirt, Partner, Boston, USA
Brian Kinman, Partner, St. Louis, USA
Barbara Kipp, Partner, Boston, USA
Hans Koopmans, Partner, Singapore
Sachin Mandal, Partner, Florham Park, USA
Alan Martin, Partner, Frankfurt, Germany
Pat McNamee, Partner, Florham Park, USA
Jonathan Mullins, Partner (Retired), Dallas, USA
Simon Perry, Partner, London, England
Andrew Reinsel, Partner, Cincinnati, USA
Kristin Rivera, Partner, San Francisco, USA
Valerie Wieman, Partner, Florham Park, USA
Alexander Young, Partner, Toronto, Canada
David Albright, Principal, Washington, D.C., USA
Charles Yovino, Principal, Atlanta, USA
Eric M. Bloesch, Managing Director, Philadelphia, USA
Christopher Michaelson, Director, Minneapolis, USA
John Morrow, Director, Florham Park, USA
Tracy Walker, Director, Bangkok, Thailand
Qiao Pan, Senior Associate, New York, USA

Foreword
In 1992 the Committee of Sponsoring Organizations of the Treadway Commission (COSO) released its Internal
Control—Integrated Framework (the original framework). The original framework has gained broad acceptance
and is widely used around the world. It is recognized as a leading framework for designing, implementing, and
conducting internal control and assessing the effectiveness of internal control.

In the twenty years since the inception of the original framework, business and operating environments have
changed dramatically, becoming increasingly complex, technologically driven, and global. At the same time,
stakeholders are more engaged, seeking greater transparency and accountability for the integrity of systems of
internal control that support business decisions and governance of the organization.

COSO is pleased to present the updated Internal Control—Integrated Framework (Framework). COSO believes
the Framework will enable organizations to effectively and efficiently develop and maintain systems of internal
control that can enhance the likelihood of achieving the entity's objectives and adapt to changes in the business
and operating environments.

The experienced reader will find much that is familiar in the Framework, which builds on what has proven useful
in the original version. It retains the core definition of internal control and the five components of internal control.
The requirement to consider the five components to assess the effectiveness of a system of internal control
remains fundamentally unchanged. Also, the Framework continues to emphasize the importance of
management judgment in designing, implementing, and conducting internal control, and in assessing the
effectiveness of a system of internal control.

At the same time, the Framework includes enhancements and clarifications that are intended to ease use and
application. One of the more significant enhancements is the formalization of fundamental concepts that were
introduced in the original framework. In the Framework, these concepts are now principles, which are associated
with the five components, and which provide clarity for the user in designing and implementing systems of
internal control and for understanding requirements for effective internal control.

The Framework has been enhanced by expanding the financial reporting category of objectives to include other
important forms of reporting, such as non-financial and internal reporting. Also, the Framework reflects
considerations of many changes in the business and operating environments over the past several decades,
including:

• Expectations for governance oversight
• Globalization of markets and operations
• Changes and greater complexities in business
• Demands and complexities in laws, rules, regulations, and standards
• Expectations for competencies and accountabilities
• Use of, and reliance on, evolving technologies
• Expectations relating to preventing and detecting fraud
An Executive Summary provides a high-level overview intended for the board of directors, chief executive officer,
and other senior management. This Framework and Appendices publication sets out the Framework, including
the definition of internal control, requirements for effective internal control including components and relevant
principles, and direction for all levels of management in designing, implementing, and conducting internal control
and in assessing its effectiveness. Included within the Framework and Appendices publication are ten chapters
that constitute the Framework.

Appendices within the Framework and Appendices publication provide reference, but are not considered a part
of the Framework. The Illustrative Tools for Assessing Effectiveness of a System of Internal Control provides
templates and scenarios that may be useful in applying the Framework.

In addition to the Framework, Internal Control over External Financial Reporting: A Compendium of Approaches
and Examples has been published concurrently to provide practical approaches and examples that illustrate how
the components and principles set forth in this Framework can be applied in preparing external financial
statements.

COSO previously issued Guidance on Monitoring Internal Control Systems to assist organizations in
understanding and applying monitoring activities within a system of internal control. While this guidance was
prepared to help in applying the original framework, COSO believes that it has similar applicability to the updated
Framework. COSO may, in the future, issue other documents to provide assistance in applying the Framework.
However, neither the Internal Control over External Financial Reporting: A Compendium of Approaches and
Examples, Guidance on Monitoring Internal Control Systems, nor any other past or future guidance takes
precedence over the Framework.

Among other publications published by COSO is the Enterprise Risk Management Integrated Framework (ERM
Framework). The ERM Framework and the Framework are intended to be complementary, and neither
supersedes the other. Yet, while these frameworks are distinct and provide a different focus, they do overlap.
The ERM Framework encompasses internal control, with several portions of the text of the original framework
reproduced within that document. The ERM Framework remains a viable and suitable framework for designing,
implementing, and conducting and assessing the effectiveness of enterprise risk management.

Finally, the COSO Board would like to thank PwC and the Advisory Council for their contributions in developing
the Framework and related documents. Their full consideration of input provided by many stakeholders and their
insight were instrumental in ensuring that the core strengths of the original framework have been preserved,
clarified, and strengthened.

David L. Landsittel

COSO Chair

1. Definition of Internal Control

The purpose of this Internal Control — Integrated Framework (Framework) is to help management better control
the organization and to provide a board of directors1 with an added ability to oversee internal control. A system
of internal control allows management to stay focused on the organization's pursuit of its operations and
financial performance goals, while operating within the confines of relevant laws and minimizing surprises along
the way. Internal control enables an organization to deal more effectively with changing economic and
competitive environments, leadership, priorities, and evolving business models.

Understanding Internal Control

Internal control is defined as follows:

Internal control is a process, effected by an entity's board of directors, management, and other personnel,
designed to provide reasonable assurance regarding the achievement of objectives relating to operations,
reporting, and compliance.

This definition emphasizes that internal control is:

• Geared to the achievement of objectives in one or more separate but overlapping categories — operations,
reporting, and compliance
• A process consisting of ongoing tasks and activities — a means to an end, not an end in itself
• Effected by people — not merely about policy and procedure manuals, systems, and forms, but about people
and the actions they take at every level of an organization to effect internal control
• Able to provide reasonable assurance — but not absolute assurance, to an entity's senior management and
board of directors
• Adaptable to the entity structure — flexible in application for the entire entity or for a particular subsidiary,
division, operating unit, or business process

This definition of internal control is intentionally broad for two reasons. First, it captures important concepts that
are fundamental to how organizations design, implement, and conduct internal control and assess effectiveness
of their system of internal control, providing a basis for application across various types of organizations,
industries, and geographic regions. Second, the definition accommodates subsets of internal control.

Those who want to may focus separately, for example, on internal control over reporting or controls relating to
complying with laws and regulations. Similarly, a directed focus on controls in particular units or activities of an
entity can be accommodated.

It also provides flexibility in application, allowing an organization to sustain internal control across the entire
entity; at a subsidiary, division, or operating unit level; or within a function relevant to the entity's operations,
reporting, or compliance objectives, based on the entity's specific needs or circumstances.

Geared to the Achievement of Objectives

The Framework sets forth three categories of objectives, which allow organizations to focus on separate aspects
of internal control:

• Operations Objectives — These pertain to effectiveness and efficiency of the entity's operations, including
operational and financial performance goals, and safeguarding assets against loss.
• Reporting Objectives — These pertain to internal and external financial and non-financial reporting and may
encompass reliability, timeliness, transparency, or other terms as set forth by regulators, standard setters, or the
entity's policies.
• Compliance Objectives — These pertain to adherence to laws and regulations to which the entity is subject.

These distinct but overlapping categories — a particular objective can fall under more than one category —
address different needs and may be the direct responsibility of different individuals. The three categories also
indicate what can be expected from internal control.

A system of internal control is expected to provide an organization with reasonable assurance that those
objectives relating to external reporting and compliance with laws and regulations will be achieved. Achieving
those objectives, which are based largely on laws, rules, regulations, or standards established by legislators,
regulators, and standard setters, depends on how activities within the entity's control are performed. Generally,
management and/or the board have greater discretion in setting internal reporting objectives that are not driven
primarily by such external parties. However, the organization may choose to align its internal and external
reporting objectives to allow internal reporting to better support the entity's external reporting.

Achievement of some operations objectives — such as a particular return on investment, market share, or
maintaining safe operations — is not always within the organization's control. For instance, suppose an airline
has specified an objective to depart 90% of all flights on time. Adverse weather such as hurricanes and
snowstorms are external events beyond management's control that have the potential to significantly impact the
achievement of that objective. For these types of operations objectives, systems of internal control can only
provide reasonable assurance that management and the board are made aware, in a timely manner, of the
extent to which the entity is moving toward those objectives.

Where external events are unlikely to have a significant impact on the achievement of specified operations
objectives or where the organization can reasonably predict the nature and timing of external events and
mitigate the impact to an acceptable level, the entity may be able to attain reasonable assurance that these
objectives can be achieved. For instance, suppose management specifies an objective to conduct routine
servicing of equipment every 500 hours of operation. Management believes that achievement of this objective is
largely within its control, while recognizing that there may be external events — such as a pandemic that could
cause significant reductions in the workforce and related reductions in maintenance hours — that have the
potential to impact the achievement of the objective, but that are unlikely to occur.

A Process

Internal control is not one event or circumstance, but a dynamic and iterative process2 — actions that permeate
an entity's activities and that are inherent in the way management runs the entity. Embedded within this process
are controls consisting of policies and procedures. These policies reflect management or board statements of
what should be done to effect internal control. Such statements may be documented, explicitly stated in other
management communications, or implied through management actions and decisions. Procedures consist of
actions that implement a policy.

Business processes, which are conducted within or across operating units or functional areas, are managed
through the fundamental management activities, such as planning, executing, and checking. Internal control is
integrated with these processes. Internal controls embedded within these business processes and activities are
likely to be more effective and efficient than stand-alone controls.

Effected by People

Internal control is effected by the board of directors, management, and other personnel. It is accomplished by
the people of an organization, by what they do and say. People establish the entity's objectives and put actions
in place to achieve specified objectives.

The board's oversight responsibilities include providing advice and direction to management, constructively
challenging management, approving policies and transactions, and monitoring management's activities.
Consequently, the board of directors is an important element of internal control. The board and senior
management establish the tone for the organization concerning the importance of internal control and the
expected standards of conduct across the entity.

Issues arise every day in managing an entity. People may not fully understand the nature of such issues or
alternatives available to them, communicate effectively, or perform consistently. Each individual brings to the
workplace a unique background and ability, and each has different needs and priorities. These individual
differences can be inherently valuable and beneficial to innovation and productivity, but if not properly aligned
with the entity's objectives they can be counterproductive. Yet, people must know their responsibilities and limits
of authority. Accordingly, a clear and close linkage needs to exist between people's roles and responsibilities
and the way in which these duties are communicated, carried out, and aligned with the entity's objectives.

Provides Reasonable Assurance

An effective system of internal control provides management and the board of directors with reasonable
assurance regarding achievement of an entity's objectives. The term "reasonable assurance" rather than
"absolute assurance" acknowledges that limitations exist in all systems of internal control, and that uncertainties
and risks may exist, which no one can confidently predict with precision. Absolute assurance is not possible.

Reasonable assurance does not imply that an entity will always achieve its objectives. Effective internal control
increases the likelihood of an entity achieving its objectives. However, the likelihood of achievement is affected
by limitations inherent in all systems of internal control, such as human error, the uncertainty inherent in
judgment, and the potential impact of external events outside management's control. Additionally, a system of
internal control can be circumvented if people collude. Further, if management is able to override controls, the
entire system may fail. Even though an entity's system of internal control should be designed to prevent and
detect collusion, human error, and management override, an effective system of internal control can experience
a failure.

Adaptable to the Entity Structure

Entities may be structured along various dimensions. The management operating model may follow product or
service lines, and reporting may be done for a consolidated entity, division, or operating unit, with geographic
markets providing for further subdivisions or aggregations of performance. The management operating model
may utilize outsourced service providers to support the achievement of objectives.

The legal entity structure is typically designed to follow regulatory reporting requirements, limit risk, or provide
tax benefits. Often the organization of legal entities is quite different from the management operating model used
to manage operations, allocate resources, measure performance, and report results.

Internal control can be applied, based on management's decisions and in the context of legal or regulatory
requirements, to the management operating model, legal entity structure, or a combination of these.

Footnotes

1 The Framework uses the term "board of directors," which encompasses the governing body, including
the board, board of trustees, general partners, owner, or supervisory board.

2 Although referred to as a process, internal control comprises many processes.

2. Objectives, Components, and Principles

Introduction

An organization adopts a mission and vision, sets strategies, establishes objectives it wants to achieve, and
formulates plans for achieving them. Objectives may be set for an entity as a whole or be targeted to specific
activities within the entity. Though many objectives are specific to a particular entity, some are widely shared.
For example, objectives common to most entities are sustaining organizational success, reporting to
stakeholders, recruiting and retaining motivated and competent employees, achieving and maintaining a positive
reputation, and complying with laws and regulations.

Supporting the organization in its efforts to achieve objectives are five components of internal control:

• Control Environment
• Risk Assessment
• Control Activities
• Information and Communication
• Monitoring Activities

These components are relevant to an entire entity and to the entity level, its subsidiaries, divisions, or any of its
individual operating units, functions, or other subsets of the entity.

Relationship of Objectives, Components, and the Entity

A direct relationship exists between objectives, which are what an entity strives to achieve, components, which
represent what is required to achieve the objectives, and entity structure (the operating units, legal entities, and
other structures). The relationship can be depicted in the form of a cube.

• The three categories of objectives are represented by the columns.
• The five components are represented by the rows.
• The entity structure, which represents the overall entity, divisions, subsidiaries, operating units, or functions,
including business processes such as sales, purchasing, production, and marketing and to which internal control
relates, is depicted by the third dimension of the cube.3

Each component cuts across and applies to all three categories of objectives. For example, attracting,
developing, and retaining competent people who are able to conduct internal control — part of the control
environment component — is relevant to all three objectives categories.

The three categories of objectives are not parts or units of the entity. For instance, operations objectives relate to
the efficiency and effectiveness of operations, not specific operating units or functions such as sales, marketing,
procurement, or human resources.

Accordingly, when considering the category of objectives related to reporting, for example, knowledge of a wide
array of information about the entity's operations is needed. In that case, focus is on the middle column of the
model — reporting objectives — rather than on the operations objectives category.

Internal control is a dynamic, iterative, and integrated process. For example, risk assessment not only influences
the control environment and control activities, but also may highlight a need to reconsider the entity's
requirements for information and communication, or for its monitoring activities. Thus, internal control is not a
linear process where one component affects only the next. It is an integrated process in which components can
and will impact another.

No two entities will, or should, have the same system of internal control. Entities, objectives, and systems of
internal control differ by industry and regulatory environment, as well as by internal considerations such as the
size, nature of the management operating model, tolerance for risk, reliance on technology, and competence
and number of personnel. Thus, while all entities require each of the components to maintain effective internal
control over their activities, one entity's system of internal control will look different from another's.

Objectives

Management, with board oversight, sets entity-level objectives that align with the entity's mission, vision, and
strategies. These high-level objectives reflect choices made by management and board of directors about how
the organization seeks to create, preserve, and realize value for its stakeholders. Such objectives may focus on
the entity's unique operations needs, or align with laws, rules, regulations, and standards imposed by legislators,
regulators, and standard setters, or some combination of the two. Setting objectives is a prerequisite to internal
control and a key part of the management process relating to strategic planning.

Individuals who are part of the system of internal control need to understand the overall strategies and objectives
set by the organization. As part of internal control, management specifies suitable objectives so that risks to the
achievement of such objectives can be identified and assessed. Specifying objectives includes the articulation of
specific, measurable or observable, attainable, relevant, and time-bound objectives.

However, there may be instances where an entity might not explicitly document an objective. Objectives specified
in appropriate detail can be readily understood by the people who are working toward achieving them.

Categories of Objectives

The Framework groups entity objectives into the three categories of operations, reporting, and compliance.

Operations Objectives

Operations objectives relate to the achievement of an entity's basic mission and vision — the fundamental
reason for its existence. These objectives vary based on management's choices relating to the management
operating model, industry considerations, and performance. Entity-level objectives cascade into related sub-
objectives for operations within divisions, subsidiaries, operating units, and functions, directed at enhancing
effectiveness and efficiency in moving the entity toward its ultimate goal.

As such, operations objectives may relate to improving financial performance, productivity (e.g., avoiding waste
and rework), quality, environmental practices, innovation, and customer and employee satisfaction. These
objectives pertain to all types of entities. For example, a for-profit entity may focus on revenue, profitability,
return on assets, and liquidity. In contrast, a not-for-profit entity, though certainly concerned with revenues or
levels of spending, may focus more on increasing donor participation. A governmental agency may focus on
achieving the mission established by the legislature or governing body, by effectively and efficiently managing
specific government programs and its spending in line with the designated purposes of its appropriators to
ensure objectives are supported. If an entity's operations objectives are not well conceived or clearly specified,
its resources may be misdirected.

Safeguarding of Assets

The operations category of objectives includes safeguarding of assets, in other words, protecting and preserving
entity assets. For instance, an entity may set objectives relating to the prevention of loss of assets and the timely
detection and reporting of any such losses. These objectives form the basis of assessing risk relating to
safeguarding of assets and selecting and developing controls needed to mitigate such risk. The efficient use of
an entity's assets and prevention of loss through waste, inefficiency, or poor business decisions (e.g., selling
product at too low a price, extending credit to bad risks, failing to retain key employees, allowing patent
infringement to occur, incurring unforeseen liabilities) relate to broader operations objectives and are not a
specific consideration relating to safeguarding of assets.

Laws, rules, regulations, and external standards have created an expectation that management reporting on
internal control includes controls relating to preventing and detecting unauthorized acquisition, use, or
disposition of entity assets. In addition, some entities consider safeguarding of assets a separate category of
objective, and that view can be accommodated within the application of the Framework.

Reporting Objectives

Reporting objectives pertain to the preparation of reports for use by organizations and stakeholders. Reporting
objectives may relate to financial or non-financial reporting and to internal or external reporting. Internal reporting
objectives are driven by internal requirements in response to a variety of potential needs such as the entity's
strategic directions, operating plans, and performance metrics at various levels. External reporting objectives are
driven primarily by regulations and/or standards established by regulators and standard-setting bodies.

• External Financial Reporting Objectives — Entities need to achieve external financial reporting objectives to
meet obligations to and expectations of stakeholders. Financial statements are necessary for accessing capital
markets and may be critical to being awarded contracts or in dealing with suppliers and vendors. Investors,
analysts, and creditors often rely on an entity's external financial statements to assess its performance against
peers and alternative investments. Management may also be required to publish financial statements using
objectives set forth by rules, regulations, and external standards.
• External Non-Financial Reporting Objectives — Management may report external non-financial information in
accordance with laws, rules, regulations, standards, or other frameworks. Non-financial reporting requirements
as set forth by regulations and standards for management reporting on the effectiveness of internal control over
financial reporting are part of external non-financial reporting objectives. For purposes of the Framework,
external reporting in the absence of a law, rule, regulation, standard, or framework represents external
communication.
• Internal Financial and Non-Financial Reporting Objectives — Internal reporting to management and the board of
directors includes information deemed necessary to manage the organization. It supports decision making and
assessment of the entity's activities and performance. Internal reporting objectives are based on preferences
and judgments of management and the board. Internal reporting objectives vary among entities because
different organizations have different strategic directions, operating plans, and expectations.

Relationship within Reporting Category of Objectives

The overall relationship between the four sub-categories of reporting objectives is shown in the graphic below.

Reporting objectives are different from the Information and Communication component of internal control.
Management establishes, with board oversight, reporting objectives when the organization needs reasonable
assurance of achieving a particular reporting objective. In these situations all five components of internal control
are needed. For instance, in preparing internal non-financial reporting to the board on the status of merger
integration efforts, the organization specifies internal reporting objectives (e.g., prepares reliable, relevant, and
useful reports), assigns competent individuals, assesses risks relating to specified objectives, selects and
develops controls within the five components necessary to mitigate such risks, and monitors components of
internal control supporting the specified non-financial reporting objective.

In contrast, the Information and Communication component supports the functioning of all components of
internal control in achieving reporting objectives, as well as operations and compliance objectives. For instance,
controls within Information and Communication support the preparation of the above report, helping to provide
relevant and quality information underlying the report, but these controls are only part of the overall system of
internal control.

Compliance Objectives

Entities must conduct activities, and often take specific actions, in accordance with applicable laws and
regulations. As part of specifying compliance objectives, the organization needs to understand which laws, rules
and regulations apply across the entity. Many laws and regulations are generally well known, such as those
relating to human resources, taxation, and environmental compliance, but others may be more obscure, such as
those that apply to an entity conducting operations in a remote foreign territory.

Laws and regulations establish minimum standards of conduct expected of the entity. The organization is
expected to incorporate these standards into the objectives set for the entity. Some organizations will set
objectives to a higher level of performance than established by laws and regulations. In setting those objectives,
management is able to exercise discretion relative to the performance of the entity. For instance, a particular law
may limit minors working outside school hours to eighteen hours in a school week. However, a retail food service
company may choose to limit its minor-age staff to working fifteen hours per week.

For purposes of the Framework, compliance with an entity's internal policies and procedures, as opposed to
compliance with external laws and regulations as discussed above, relates to operations objectives.

Overlap of Objectives Categories

An objective in one category may overlap or support an objective in another. For example, "closing the financial
reporting period within five workdays" may be a goal supporting primarily an operations objective, namely to support
management in reviewing business performance. But it also supports timely reporting and filings with regulatory
agencies.

The category in which an objective falls may vary depending on the circumstances. For instance, controls to
prevent theft of assets — such as maintaining a fence around inventory, or having a gatekeeper to verify proper
authorization of requests for movement of goods — fall under the operations category. These controls may not
be relevant to reporting where inventory losses are detected after a periodic physical inspection and recorded in
the financial statements. However, if for reporting purposes management relies solely on perpetual inventory
records, as may be the case for interim or internal financial reporting, the physical security controls would then
also fall within the reporting category. These physical security controls, along with controls over the perpetual
inventory records, are needed to achieve reporting objectives. A clear understanding is needed of the entity's
business processes, policies and procedures, and the respective impact on each category of objectives.

Basis of Objectives Categories

Some objectives are derived from the regulatory or industry environments in which the entity operates. For
example:

• Some entities submit information to environmental agencies.
• Publicly traded companies file information with securities regulators.
• Universities report grant expenditures to government agencies.

These objectives are established largely by law or regulation, and fall into the category of compliance, external
reporting, or, in these examples, both.

Conversely, operations and internal reporting objectives are based more on the organization's preferences,
judgments, and choices. These objectives vary widely among entities simply because informed and competent
people may select different objectives. For example, one organization might choose to be an early adopter of
emerging technologies in developing new products, whereas another might be a quick follower, and yet another
a late adopter. These choices would reflect the entity's strategies and the competencies, technologies, and
controls within its research and development function. Consequently, no one formulation of objectives can be
optimal for all entities.

Objectives and Sub-Objectives

Management links specified entity-level objectives to more specific sub-objectives that cascade throughout the
organization. Sub-objectives also are established as part of or flowing from the strategy-setting process, and
relate to the entity and its subunits and functional activities such as sales, production, engineering, marketing,
productivity, employee engagement, innovation, and information technology. Management aligns these sub-
objectives with entity-level objectives and coordinates these across the entity.

Where entity-level objectives are consistent with prior practice and performance, the linkage between activities is
usually known. Where objectives depart from an entity's past practices, management addresses the linkages or
accepts increased risks. For example, an entity-level objective relating to customer satisfaction depends on
linked sub-objectives dealing with the introduction of services that use a newer and less proven technology
infrastructure. These sub-objectives might need to be substantially changed if past practice used older, proven
technologies.

Sub-objectives for operating units and functional activities also need to be specific, measurable or observable,
attainable, relevant, and time-bound. In addition, they must be readily understood by the people who are working
toward achieving them. Management and other personnel require a mutual understanding of both what is to be
accomplished and the means of determining to what extent it is accomplished in order to ensure individual and
team accountability.

Entities may specify multiple sub-objectives for each activity, flowing both from the entity-level objectives and
from established standards relating to compliance and reporting objectives, as deemed suitable in the
circumstances. For example, procurement operations objectives may be to:

• Purchase goods that meet engineering specifications
• Purchase goods from companies that meet environmental, health, and safety specifications (e.g., no child labor,
good working conditions)
• Negotiate acceptable prices and other terms

As another example, when specifying suitable external reporting objectives relating to the preparation of external
financial statements, management considers accounting standards, financial statement assertions, and
qualitative characteristics that are applicable to the entity and its subunits. For example, management may set
an entity-level external financial reporting objective as follows: "Our company prepares reliable financial
statements reflecting transactions and events in accordance with generally accepted accounting principles."

Management also specifies suitable sub-objectives for divisions, subsidiaries, operating units, and functions with
sufficient clarity to support entity-level objectives. For instance, management specifies sub-objectives for sales
transactions that apply appropriate accounting standards based on the circumstances and that address relevant
financial statement assertions and qualitative characteristics, such as:

• All sales transactions that occur are recorded on a timely basis.
• Sales transactions are recorded at correct amounts in the right accounts.
• Sales transactions are accurately and completely summarized in the entity's books and records.
• Presentation and disclosures relating to sales are properly described, sorted, and classified.

Components and Principles of Internal Control

The Framework sets out five components of internal control and seventeen principles representing the
fundamental concepts associated with components. These components and principles of internal control are
suitable for all entities. All seventeen principles apply to each category of objective, as well as to objectives and
sub-objectives within a category. For instance, an entity may apply the Framework relative to complying with a
specific law regarding commercial arrangements with foreign entities, a subcategory of the compliance category
of objectives.

Below is a summary of each of the five components of internal control and the principles relating to each
component. Each of the principles is covered in the respective component chapters.4

Control Environment

The control environment is the set of standards, processes, and structures that provide the basis for carrying out
internal control across the organization. The board of directors and senior management establish the tone at the
top regarding the importance of internal control and expected standards of conduct.

There are five principles relating to Control Environment:

1. The organization demonstrates a commitment to integrity and ethical values.
2. The board of directors demonstrates independence from management and exercises oversight of the
development and performance of internal control.
3. Management establishes, with board oversight, structures, reporting lines, and appropriate authorities
and responsibilities in the pursuit of objectives.
4. The organization demonstrates a commitment to attract, develop, and retain competent individuals in
alignment with objectives.
5. The organization holds individuals accountable for their internal control responsibilities in the pursuit of
objectives.

Risk Assessment

Risk assessment involves a dynamic and iterative process for identifying and analyzing risks to achieving the
entity's objectives, forming a basis for determining how risks should be managed. Management considers
possible changes in the external environment and within its own business model that may impede its ability to
achieve its objectives.

There are four principles relating to Risk Assessment:

6. The organization specifies objectives with sufficient clarity to enable the identification and assessment
of risks relating to objectives.
7. The organization identifies risks to the achievement of its objectives across the entity and analyzes
risks as a basis for determining how the risks should be managed.
8. The organization considers the potential for fraud in assessing risks to the achievement of objectives.
9. The organization identifies and assesses changes that could significantly impact the system of internal
control.

Control Activities

Control activities are the actions established by policies and procedures to help ensure that management
directives to mitigate risks to the achievement of objectives are carried out. Control activities are performed at all
levels of the entity and at various stages within business processes, and over the technology environment.

There are three principles relating to Control Activities:

10. The organization selects and develops control activities that contribute to the mitigation of risks to the
achievement of objectives to acceptable levels.
11. The organization selects and develops general control activities over technology to support the
achievement of objectives.
12. The organization deploys control activities through policies that establish what is expected and
procedures that put policies into action.

Information and Communication

Information is necessary for the entity to carry out internal control responsibilities in support of achievement of its
objectives. Communication occurs both internally and externally and provides the organization with the
information needed to carry out day-to-day controls. Communication enables personnel to understand internal
control responsibilities and their importance to the achievement of objectives.

There are three principles relating to Information and Communication:

13. The organization obtains or generates and uses relevant, quality information to support the
functioning of internal control.
14. The organization internally communicates information, including objectives and responsibilities for
internal control, necessary to support the functioning of internal control.
15. The organization communicates with external parties regarding matters affecting the functioning of
internal control.

Monitoring Activities

Ongoing evaluations, separate evaluations, or some combination of the two are used to ascertain whether each
of the five components of internal control, including controls to effect the principles within each component, is
present and functioning. Findings are evaluated and deficiencies are communicated in a timely manner, with
serious matters reported to senior management and to the board.

There are two principles relating to Monitoring Activities:

16. The organization selects, develops, and performs ongoing and/or separate evaluations to ascertain
whether the components of internal control are present and functioning.
17. The organization evaluates and communicates internal control deficiencies in a timely manner to
those parties responsible for taking corrective action, including senior management and the board of
directors, as appropriate.

Internal Control and the Management Process

Because internal control is a part of management's overall responsibility, the five components are discussed in
the context of the management of the entity. Not every decision or action of management, however, is part of
internal control:

• Having a board that comprises directors with sufficient independence from management and that carries out its
oversight role is part of internal control. However, many decisions reached by the board are not part of internal
control; for example, approving a particular mission or vision. The board also fulfills a variety of governance
responsibilities in addition to its responsibilities for oversight of internal control.
• Making strategic decisions impacting the entity's objectives is not part of internal control. An organization may
apply enterprise risk management approaches or other approaches in setting objectives.
• Setting the overall level of acceptable risk and associated risk appetite5 is part of strategic planning and
enterprise risk management, not part of internal control. Similarly, setting risk tolerance levels in relation to
specific objectives is also not part of internal control.
• Selecting and developing controls designed to mitigate risks based on the organization's risk assessment
process is a part of internal control; however, choosing which risk response is preferred to address specific risks
is not part of internal control.

Internal Control and Objective-Setting

It is not practical to design and implement a system of internal control unless the entity's objectives are
established, set, and specified for the organization. Establishing and setting objectives and related sub-
objectives are parts of or flow from the strategic planning process, with consideration given to laws, rules,
regulations, and standards as well as management's own choices. However, internal control cannot dictate or
establish what an entity's objectives should be.

As part of internal control, an organization specifies objectives by:

• Articulating and codifying specific, measurable or observable, attainable, relevant and time-based objectives
• Assessing suitability of objectives and sub-objectives for internal control based on facts, circumstances, and
established laws, rules, regulations, and standards
• Communicating objectives and sub-objectives throughout the entity

The following diagram illustrates establishing and setting objectives as part of the management process outside
of internal control, and specifying and using objectives as part of internal control in the context of an external
financial reporting and an operations objective.

Limitations of Internal Control

The Framework recognizes that while an effective system of internal control provides reasonable assurance of
achieving the entity's objectives, inherent limitations do exist. Even an effective system of internal control can
experience a failure. These limitations may result from the:

• Suitability of objectives established as a precondition to internal control
• Reality that human judgment in decision making can be faulty and subject to bias
• Breakdowns that can occur because of human failures such as errors
• Ability of management to override internal control
• Ability of management, other personnel, and/or third parties to circumvent controls through collusion
• External events beyond the organization's control

These limitations preclude the board and management from having absolute assurance of the achievement of
the entity's objectives — that is, internal control provides reasonable but not absolute assurance.

Footnotes

3 Throughout the Framework, the term "the entity and its subunits" refers collectively to the overall entity,
divisions, subsidiaries, operating units, and functions.

4 For purposes of the Framework, when describing principles the term "organization" is used to capture
the meaning of, collectively, the board of directors, management, and other personnel. Typically the
board of directors serves in an oversight capacity within this term.

5 "Risk appetite" is defined as the amount of risk, on a broad level, an entity is willing to accept in pursuit
of its mission/vision.

3. Effective Internal Control

Requirements for Effective Internal Control

An effective system of internal control provides reasonable assurance of achievement of an entity's objectives.
Because internal control is relevant both to the entity and its subunits, an effective system of internal control may
relate to a specific part of the organizational structure. An effective system of internal control reduces, to an
acceptable level, the risk of not achieving an objective relating to one, two, or all three categories. It requires
that:

• Each of the five components of internal control and relevant principles is present and functioning6
• The five components are operating together in an integrated manner

In determining whether a system of internal control is effective, management exercises judgment in assessing
whether each of the components and relevant principles is present and functioning and components are
operating together.

When internal control is determined to be effective, senior management and the board of directors have
reasonable assurance of the following categories of objectives:

• Operations - the organization:
  • achieves effective and efficient operations when external events are considered unlikely to have a
  significant impact on the achievement of objectives or when the organization can reasonably predict the
  nature and timing of external events and mitigate the impact to an acceptable level
  • understands the extent to which operations are managed effectively and efficiently when external events
  may have a significant impact on the achievement of objectives and the impact cannot be mitigated to an
  acceptable level
• Reporting - the organization prepares reports in conformity with applicable laws, rules, regulations, and
standards established by legislators, regulators, and standard setters, or with the entity's specified objectives
and related policies
• Compliance - the organization complies with applicable laws, rules, and regulations

The Framework sets forth that components and relevant principles are requisite to an effective system of internal
control. It does not prescribe the process for how management assesses its effectiveness.

Suitability and Relevance of Components and Principles

The Framework views all components of internal control as suitable and relevant to all entities.

Principles are fundamental concepts associated with components. As such, the Framework views the seventeen
principles as suitable to all entities. The Framework presumes that principles are relevant because they have a
significant bearing on the presence and functioning of an associated component. Accordingly, if a relevant
principle is not present and functioning, the associated component cannot be present and functioning.

There may be a rare industry, operating, or regulatory situation in which management has determined that a
principle is not relevant to a component. Considerations in applying this judgment may include the entity
structure recognizing any legal, regulatory, industry, or contractual requirements for governance of the entity,
and the level of use and dependence on technology used by the entity. Management must support its
determination that a principle is not relevant with the rationale of how, in the absence of that principle, the
associated component can be present and functioning.

Present and Functioning

The phrase "present and functioning" applies to components and principles.

• "Present" refers to the determination that components and relevant principles exist in the design and
implementation of the system of internal control to achieve specified objectives.
• "Functioning" refers to the determination that components and relevant principles continue to exist in the
conduct of the system of internal control to achieve specified objectives.

In determining whether a component is present and functioning, senior management, with board of director
oversight, needs to determine to what extent relevant principles are present and functioning. However, a
principle being present and functioning does not imply that the organization strives for the highest level of
performance in applying that particular principle. Rather, management exercises judgment in balancing the cost
and benefit of designing, implementing, and conducting internal control.

Operating Together

The Framework requires that all components operate together in an integrated manner. "Operating together"
refers to the determination that all five components collectively reduce, to an acceptable level, the risk of not
achieving an objective.

Components are interdependent with a multitude of interrelationships and linkages among them, particularly the
manner in which principles interact within and across components. Components that are present and functioning
capture the inherent interdependencies and linkages among them. Examples of components operating together
include the following:

• The organization establishes expected standards of conduct and sets performance measures and incentives
within the Control Environment to reduce the potential for fraudulent behavior and may impact the assessed
level of fraud risk evaluated within Risk Assessment.
• The development and deployment of policies and procedures as part of Control Activities contributes to the
mitigation of risks identified and analyzed within Risk Assessment.
• The processing of relevant, quality information within Information and Communication supports deployment of
business process and transaction controls within Control Activities and performance of ongoing and separate
evaluations of such controls within Monitoring Activities.
• The communication of internal control deficiencies to those responsible for taking corrective actions as part of
Monitoring Activities requires a full understanding of the entity's structures, reporting lines, authorities and
responsibilities as set forth in the Control Environment and as communicated within Information and
Communication.

Accordingly, management can demonstrate that components operate together when:

• Components are present and functioning
• Internal control deficiencies aggregated across components do not result in the determination that one or more
major deficiencies exist

Deficiencies in Internal Control

There are many potential sources for identifying internal control deficiencies, including the entity's monitoring
activities, other components, and external parties that provide input relative to the presence and functioning of
components and relevant principles.

The term "internal control deficiency" refers to a shortcoming in a component or components and relevant
principle(s) that reduces the likelihood of an entity achieving its objectives. An internal control deficiency or
combination of deficiencies that severely reduces the likelihood that the entity can achieve its objectives is
referred to as a "major deficiency." As illustrated below, a major deficiency is a subset of internal control
deficiencies. As such, a major deficiency is by definition also an internal control deficiency.

When a major deficiency exists, the organization cannot conclude that it has met the requirements for an
effective system of internal control. A major deficiency exists in the system of internal control when management
determines that a component and one or more relevant principles are not present or functioning or that
components are not operating together.

A major deficiency in one component cannot be mitigated to an acceptable level by the presence and functioning
of another component. Similarly, a major deficiency in a relevant principle cannot be mitigated to an acceptable
level by the presence and functioning of other principles.
In determining whether components and relevant principles are present and functioning, management can
consider controls to effect principles.7 For instance, in assessing whether the principle Assesses Fraud Risk
may not be present and functioning, the organization can consider controls to effect other principles, such as
those relating to Establishes Structure, Authority, and Responsibility and Enforces Accountability. By considering
controls initially considered in the context of other principles, management may be able to determine that the
principle Assesses Fraud Risk is present and functioning.

Management exercises judgment to assess the severity of an internal control deficiency, or combination of
deficiencies, in determining whether components and relevant principles are present and functioning, and
components are operating together, and ultimately in determining the effectiveness of the entity's system of
internal control. Further, these judgments may vary depending on the category of objectives.

Regulators, standard-setting bodies, and other relevant third parties may establish criteria for defining the
severity of, evaluating, and reporting internal control deficiencies. The Framework recognizes and
accommodates their authority and responsibility as established through laws, rules, regulations, and external
standards.

In those instances where an entity is applying a law, rule, regulation, or external standard, management should
use only the relevant criteria contained in those documents to classify the severity of internal control
deficiencies, rather than relying on the classifications set forth in the Framework. The Framework recognizes
that any internal control deficiency that results in a system of internal control not being effective pursuant to such
criteria would also preclude management from concluding that the entity has met the requirements for effective
internal control in accordance with the Framework (e.g., a major non-conformity relating to operations or
compliance objectives, or a material weakness relating to compliance or external reporting objectives).

For internal reporting and operations objectives, senior management, with board of director oversight, may
establish objective criteria for evaluating internal control deficiencies and for how deficiencies should be reported
to those responsible for achieving these objectives.

Other Considerations

Although the organization may rely on an outsourced service provider to conduct business processes, policies,
and procedures on behalf of the entity, management retains ultimate responsibility for meeting the requirements
for an effective system of internal control.

Management's assessment of the effectiveness of internal control occurs within the entity's system of internal control. Other parties interacting with the entity, such as external auditors and
regulators, are not part of the entity's system of internal control and thus cannot be part of management's
process for assessing effective internal control.

Footnotes

6 Chapter 4, Additional Considerations, introduces points of focus as important characteristics of
principles. The Framework does not require that management assess separately whether points of
focus are in place.

7 The role of controls and how they effect principles is further described in Chapter 4, Additional

4. Additional Considerations

Judgment

The Framework requires judgment in designing, implementing, and conducting internal control and assessing its
effectiveness. The use of judgment enhances management's ability to make better decisions about internal
control, but cannot guarantee perfect outcomes.

Within the boundaries established by laws, rules, regulations, and standards, management exercises judgment
in important areas such as:

• Applying internal control components relative to categories of objectives
• Applying internal control components and principles within the entity structure
• Specifying suitable objectives and sub-objectives and assessing risks to achieving these objectives
• Selecting, developing, and deploying controls necessary to effect principles
• Assessing whether components are present, functioning, and operating together
• Assessing whether principles are relevant to the entity and present and functioning
• Assessing the severity of one or more internal control deficiencies in accordance with applicable laws, rules,
regulations, and external standards, or with the Framework

For example, in preparing financial statements, management exercises judgment in complying with external
financial reporting requirements. Management considers how identified risks to specified financial reporting
objectives and sub-objectives should be managed. Management's alternatives for responding to risks may be
more limited compared with some other categories of objectives. That is, management is less likely to accept a
risk than to reduce the risk. For external financial reporting objectives relating to financial statements prepared for external purposes, risk acceptance should occur only when identified risks could not, individually or in
aggregate, exceed the risk threshold and result in a material omission or misstatement.

Management also exercises judgment in specifying and using suitable accounting principles, particularly those
relating to subjective measurements and complex transactions. For instance, management exercises judgment
in making assumptions and using data in developing accounting estimates, in applying accounting principles to
complex transactions, and in preparing reliable and transparent presentations and disclosures. Internal control
over external financial reporting addresses the potential for bias in exercising judgment that could lead to a
material omission or misstatement in external financial reporting.

Points of Focus

The Framework describes points of focus that are important characteristics of principles. Management may
determine that some of these points of focus are not suitable or relevant and may identify and consider others
based on specific circumstances of the entity. Points of focus may assist management in designing,
implementing, and conducting internal control and in assessing whether the relevant principles are, in fact,
present and functioning. The Framework does not require that management assess separately whether points of
focus are in place.

Controls to Effect Principles

Embedded within the internal control process are controls, which consist of policies and procedures. Policies
reflect management or board statements of what should be done to effect control. Procedures are actions that
implement policies. Organizations select and develop controls within each component to effect relevant
principles. Controls are interrelated and may support multiple objectives and principles.

The Framework does not prescribe specific controls that must be selected, developed, and deployed for an
effective system of internal control. That determination is a function of management judgment based on factors
unique to each entity, such as:

• Laws, rules, regulations, and standards applicable to the entity
• Nature of the entity's business and markets in which it operates
• Scope and nature of the management operating model
• Competency of the personnel responsible for internal control
• Use of and dependence on technology
• Management's responses to assessed risks

Management is expected to obtain persuasive evidence to support its determination that components and
relevant principles are present and functioning. Management considers controls in conjunction with its
assessment of components and relevant principles. Understanding how controls effect principles through their selection, development, and deployment can provide persuasive evidence to support management's
assessment of whether the entity's system of internal control is effective. The absence of controls necessary to
effect relevant principles would represent an internal control deficiency. The Framework allows judgment in
assessing the potential impact of a control deficiency on the presence and functioning of a relevant principle.
Management may consider other controls (whether or not associated with that particular component or principle)
that compensate for an internal control deficiency.

Organizational Boundaries

Many organizations choose to shift some business processes and activities to outside service providers. This
approach has become prevalent because of the benefits of obtaining access to low-cost human resources,
reducing costs in the day-to-day management of certain functions, obtaining access to better processes and
systems, and allowing management to focus more on the entity's mission.

Outsourced service providers can help organizations to perform business processes such as procurement,
payables management, payroll, pension and benefit management, investment management, and stock-based
compensation programs. Outside service providers may also perform technology activities that support business
processes, providing services to procure, manage, and maintain previously internally managed technology
systems. Advances in technology have created cost-saving opportunities through access to comprehensive
architectures providing on-demand and scalable shared technology that supports more complex and changing
business operations and that may be cost prohibitive for management as an internal investment.

This dependence on outsourced service providers changes the risks of business activities, increases the
importance of the quality of information and communications from outside the organization, and creates greater
challenges in overseeing its activities and related controls. While management can use others to execute
business processes, activities, and controls for or on behalf of the entity, it retains responsibility for the system of
internal control. For instance, management retains responsibility for specifying objectives, managing associated
risks, and selecting, developing, and deploying controls to effect components and relevant principles.

The Framework can be applied to the entire entity regardless of what choices management makes about how it
will execute business activities that support its objectives, either directly or through external relationships.

Technology

Technology may be essential to support management's pursuit of the entity's objectives and to better control the
organization's activities. The number of entities that use technology continues to grow as does the extent that
technology is used.

Technology is often referred to by other terms, such as "management information systems" or "information
technology." These terms share the ideas of using a combination of automated and manual processes, and
computer hardware and software, methodologies, and processes. The Framework uses the term "technology" to refer to all computerized systems, including software applications running on a computer and operational control
systems.

Technology environments vary significantly in size, complexity, and extent of integration. They range from large,
centralized, and integrated systems to decentralized systems that operate independently within a specific
operating unit. They may involve real-time processing environments that enable immediate access to
information, including mobile computer applications that can cut across many systems, organizations, and
geographies. Technology enables organizations to process high volumes of transactions, transform data into
information to support sound decision making, share information efficiently across the entity and with business
partners, and secure confidential information from inappropriate use. In addition, technology can allow an entity
to share operational and performance data with the public.

Technology innovation creates both opportunities and risks. It can enable the development of new business
markets and models, generate efficiencies through automation, and enable entities to do things that were
previously hard to imagine. It may increase complexity, which makes identifying and managing risks more
difficult.

The principles presented in the Framework do not change with the application of technology. This is not to say
that technology does not change the internal control landscape. Certainly, it affects how an organization designs,
implements, and conducts internal control, considering the greater availability of information and the use of
automated procedures, but the same principles remain suitable and relevant.8

Larger versus Smaller Entities

The principles underlying components of internal control are just as applicable for smaller entities as for larger
ones. However, implementation approaches may vary for smaller entities, regardless of whether the entity is
publicly traded, privately held, governmental, or not-for-profit. For example, all public companies have boards of
directors, or other similar governing bodies, with oversight responsibilities related to reporting. A smaller entity
may have a less complex management operating model and entity structure, and more frequent communication
with directors, enabling a different approach to board oversight. Similarly, while many public companies are often
required to have a whistle-blower program, there may be a difference in the reporting procedures between other
types of smaller and larger entities. In a large entity, for example, the volume of reported events may require
initial reporting to an identified internal staff function, but a smaller entity may allow direct reporting to the audit
committee chair.

Smaller entities typically have unique advantages, which can contribute to effective internal control. These may
include a wider span of control by senior management and greater direct interaction with personnel. For
instance, smaller companies may find informal staff meetings highly effective for communicating information
relevant to operating performance, whereas larger companies may need more formal mechanisms such as
written reports, intranet portals, periodic formal meetings, or conference calls to communicate similar matters.

Conversely, larger entities may enjoy certain economies of scale, which often affect support functions. For
example, establishing an internal audit function within a smaller, domestic entity likely would require a larger
percentage of the entity's economic resources than would be the case for a larger, multinational entity. A smaller
entity may not have an internal audit function or might rely on co-sourcing or outsourcing to provide needed
skills, where the larger entity's function might have a significantly broader range of experienced in-house
personnel. But in all likelihood the relative cost for the smaller entity would be higher than for the larger one.

Benefits and Costs of Internal Control

Benefits

Internal control provides many benefits to an entity. It provides management and boards of directors with added
confidence regarding the achievement of objectives, it provides feedback on how a business is functioning, and
it helps to reduce surprises. Among the most significant benefits of effective internal control for many entities is
the ability to meet certain requirements to access capital markets, providing capital-driven innovation and
economic growth. Such access of course comes with responsibilities to effect timely and reliable reporting for
shareholders, creditors, capital providers, regulators, and other third parties with which an entity has direct
contractual relationships. For instance, effective internal control supports reliable external financial reporting,
which in turn enhances investor confidence in providing the requisite capital.

Other benefits of effective internal control include:

• Reliable reporting that supports management and board decision making on matters such as product pricing,
capital investment, and resource deployment
• Consistent mechanisms for processing transactions, supporting quality of information and communications
across an organization, enhancing speed and reliability at which transactions are initiated and settled, and
providing reliable recordkeeping and ongoing integrity of data
• Increased efficiency within functions and processes
• A basis for decisions where highly subjective and substantial judgment is needed
• Ability and confidence to accurately communicate business performance with business partners and customers,
which supports continuity of relationships

Further, the Framework enables management to enhance efficiency in the design, implementation, and conduct
of a system of internal control. For example:

• Understanding the importance of specifying suitable objectives may focus management's attention on those
risks and controls most important to achieving these objectives.
• Focusing on those areas of risk that exceed acceptance levels and need to be managed across the entity may
reduce efforts spent mitigating risks in areas of lesser significance.
• Coordinating efforts for identifying and assessing risks across multiple objectives may reduce the number of
discrete risks assessed and mitigated.
• Selecting, developing, and deploying controls to effect multiple principles may also reduce the number of
discrete, layered-on controls.
• Applying a common language — the Framework — encompassing operations, reporting, and compliance
processes and controls may lessen the number of languages used to describe internal control across the entity.

Entities always have limits on human and capital resources and constraints on how much they can spend, and
therefore they will often consider the costs relative to the benefits of alternative approaches in managing internal
control options.

Costs

Generally, it is easier to deal with the cost aspect in the cost-benefit equation because in most cases financial
costs can be quantified fairly precisely. Usually considered are all direct costs associated with implementing
internal control actions and responses, plus indirect costs, where practically measurable. Some entities also
include opportunity costs associated with use of resources.

Overall, management considers a variety of cost factors in relation to expected benefits when selecting and
developing internal controls. These may include:

• Considering the trade-offs between recruiting and retaining staff with a higher level of competency and the
related higher compensation costs. For instance, a smaller, stable, privately held company may not want to, or
be able to, hire a chief financial officer with the experience of working for a publicly traded company.
• Assessing the efforts required to select, develop, and perform control activities; the potential incremental efforts
that the activity adds to the business process; and the efforts to maintain and update the control activity when
needed.
• Assessing the impacts of added reliance on technology. While the effort to perform the control and the impact of
added technology-based controls on the business process may be small, the cost associated with selecting,
developing, maintaining, and updating the technology could be substantial.
• Understanding how changes in information requirements may call for greater data collection, processing, and
storage that could trigger exponential growth in data volume. With more data available, an organization faces
the challenge of avoiding information overload by ensuring flow of the right information, in the right form, at the
right level of detail, to the right people, at the right time. Establishing an information system that balances costs
and benefits depends on thoughtful consideration of information requirements.

Other Considerations in Determining Benefits and Costs

The benefit side of the cost-benefit equation often involves even more subjective evaluation. For example,
benefits of effective training programs usually are apparent but difficult to quantify. Training programs are not
often designed to measure the benefits or to capture the necessary data to evaluate the program. Sales training
programs may not be structured to measure before-and-after employee sales results, making it difficult to
determine whether the training is effective and accomplishing its objectives. Further, evaluating the benefits in
relation to stakeholder expectations may be more difficult to assess. In many cases, however, the benefit of
developing actions within any of the five components of internal control can be evaluated in the context of the
benefit associated with achievement of the related objective.

The complexity of cost-benefit determinations is compounded by the interrelationship of controls with business
operations. Where controls are integrated with management and business processes, it is difficult to isolate
either their costs or benefits.

It is up to management to decide how an entity evaluates the costs versus benefits of alternative approaches to
implementing a system of internal control, and what action it ultimately takes. However, cost alone is not an
acceptable reason to avoid implementing internal control. The cost versus benefits considerations support
management's ability to develop and maintain a system of internal control that balances the allocation of human
resources in relation to the areas of greatest risk, complexity, or other factors relevant to the entity's objectives.

Documentation

Entities develop and maintain documentation for their internal control system for a number of reasons. One is to
provide clarity around roles and responsibilities, which promotes consistency in adhering to the entity's practices,
policies, and procedures in managing the business. Effective documentation assists in capturing the design of
internal control and communicating the who, what, when, where, and why of internal control execution, and
creates standards and expectations of performance and conduct. Another purpose of documentation is to assist
in training new personnel and to offer a refresher or reference for other employees. Documentation also provides
evidence of the conduct of internal control, enables proper monitoring, and supports reporting on internal control
effectiveness, particularly when evaluated by other parties interacting with the entity, such as regulators,
auditors, or customers. Documentation also provides a means to retain organizational knowledge and mitigate
the risk of having the knowledge within the minds of a limited number of employees.

Management must also determine how much documentation is needed to assess the effectiveness of internal
control. Some level of documentation is always necessary to assure management that each of the components
and relevant principles is present and functioning and components are operating together. This may include, for
example, documents showing that all shipments are billed or that periodic reconciliations are performed. Two
specific levels of documentation requirements must be considered in relation to external financial and non-financial reporting:

• In cases where management asserts to regulators, shareholders, or other third parties on the design and
operating effectiveness of its system of internal control, management has a higher degree of responsibility.
Typically, this requires documentation to support the assertion that components and relevant principles are
present and functioning and components are operating together. The nature and extent of the documentation
may be influenced by the entity's regulatory requirements. This does not necessarily mean that all
documentation is or should be more formal, but that persuasive evidence to show that the components and
relevant principles are present and functioning and components are operating together is available and
appropriate to satisfy the entity's objectives.
• In cases where an external auditor attests to the effectiveness of the system of internal control, management will
likely be expected to provide the auditor with support for its assertion on the effectiveness of internal control.
That support includes evidence that the system of internal control is properly designed and operating effectively
to provide reasonable assurance of achieving the entity's objective. In considering the nature and extent of
documentation needed, management should remember that the documentation to support the assertion will
likely be used by the external auditor as part of his or her audit evidence, including the sufficiency of such
documentation for those assertions. Management would also need to document significant judgments, how such
decisions were considered, and how the final decisions were reached.

There may still be instances where controls are informal and implied through management actions and
decisions. This may be appropriate where management is able to obtain evidence captured through the normal
conduct of the business that indicates personnel regularly performed those controls. However, it is important to
keep in mind that controls, such as those embedded within monitoring activities or risk assessments, cannot be
performed entirely in the minds of senior management without some documentation of management's thought
process and analyses.

The level and nature of documentation can also vary by the size of the organization and the complexity of the
control. Larger entities usually have a more extensive system of internal control and greater complexity in
business processes, and therefore typically find it necessary to have more extensive documentation, such as in-depth policy and procedure manuals, flowcharts of processes, organizational charts, and job descriptions.
Smaller entities often find less need for formal documentation. In smaller companies, typically there are fewer
people and levels of management, closer working relationships, and more frequent interaction, all of which
promote communication of what is expected and what is being done. Consequently, management of a smaller
entity can often determine that controls are in place through direct observation.

Documentation of internal control should meet business needs and be commensurate with circumstances. The
extent of documentation supporting the presence and functioning of each of the components and relevant
principles of internal control and components operating together is a matter of judgment, and should be done
with cost-effectiveness in mind. In addition, the organization may benefit from some form of formal documentation that enables management to reflect on the rationale for the judgment and alignment with entity
objectives.

Footnotes

8 As this is a principles-based framework and because technology is continually evolving, the Framework
does not address specific technologies, such as cloud computing or social media.

5. Control Environment

Chapter Summary

The control environment is the set of standards, processes, and structures that provide the basis for carrying out
internal control across the organization. The board of directors and senior management establish the tone at the
top regarding the importance of internal control including expected standards of conduct. Management
reinforces expectations at the various levels of the organization. The control environment comprises the integrity
and ethical values of the organization; the parameters enabling the board of directors to carry out its oversight
responsibilities; the organizational structure and assignment of authority and responsibility; the process for
attracting, developing, and retaining competent individuals; and the rigor around performance measures,
incentives, and rewards to drive accountability for performance. The resulting control environment has a
pervasive impact on the overall system of internal control.

Principles relating to the Control Environment component

1. The organization demonstrates a commitment to integrity and ethical values.

2. The board of directors demonstrates independence from management and exercises oversight of the
development and performance of internal control.

3. Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and
responsibilities in the pursuit of objectives.

4. The organization demonstrates a commitment to attract, develop, and retain competent individuals in
alignment with objectives.

5. The organization holds individuals accountable for their internal control responsibilities in the pursuit of
objectives.

Introduction

The control environment is influenced by a variety of internal and external factors, including the entity's history,
values, market, and the competitive and regulatory landscape. It is defined by the standards, processes, and
structures that guide people at all levels in carrying out their responsibilities for internal control and making
decisions. It creates the discipline that supports the assessment of risks to the achievement of the entity's
objectives, performance of control activities, use of information and communication systems, and conduct of
monitoring activities.

An organization that establishes and maintains a strong control environment positions itself to be more resilient
in the face of internal and external pressures. It does this by demonstrating behavior consistent with the
organization's commitment to integrity and ethical values, adequate oversight processes and structures,
organizational design that enables the achievement of the entity's objectives with appropriate assignment of
authority and responsibility, a high degree of competence, and a strong sense of accountability for the
achievement of objectives.

Organizational culture supports the control environment insofar as it sets expectations of behavior that reflects a
commitment to integrity and ethical values, oversight, accountability, and performance evaluation. Establishing a
strong culture considers, for example, how clearly and consistently ethical and behavioral standards are
communicated and reinforced in practice. As such, culture is part of an organization's control environment, but
also encompasses elements of other components of internal control, such as policies and procedures, ease of
access to information, and responsiveness to results of monitoring activities. Therefore culture is influenced by
the control environment and other components of internal control, and vice versa.

Demonstrates Commitment to Integrity and Ethical Values

Principle 1: The organization demonstrates a commitment to integrity and ethical values.

Points of Focus

The following points of focus highlight important characteristics relating to this principle:

• Sets the Tone at the Top — The board of directors and management at all levels of the entity demonstrate
through their directives, actions, and behavior the importance of integrity and ethical values to support the
functioning of the system of internal control.
• Establishes Standards of Conduct — The expectations of the board of directors and senior management
concerning integrity and ethical values are defined in the entity's standards of conduct and understood at all
levels of the organization and by outsourced service providers and business partners.
• Evaluates Adherence to Standards of Conduct — Processes are in place to evaluate the performance of
individuals and teams against the entity's expected standards of conduct.
• Addresses Deviations in a Timely Manner — Deviations from the entity's expected standards of conduct are
identified and remedied in a timely and consistent manner.

Tone at the Top and throughout the Organization

Management and the board of directors9 are expected to lead by example in developing values, a philosophy,
and an operating style for the organization. They take into account the expectations of the entity's various
stakeholders, such as employees, suppliers, customers, investors, and the wider community. Further, they are
influenced by the social and ethical norms in the markets where the entity operates. In addition to fostering an
understanding and adherence to legal and regulatory requirements, management and the board take specific
measures to set the tone in terms of moral, social, environmental, or other forms of responsible conduct, such as
greenhouse gas emissions reporting, sustainable production processes, or community outreach after natural
disasters. The resulting expectations are expressed to varying degrees of formality in the form of:

• Mission and values statements
• Standards or codes of conduct
• Policies and practices
• Operating principles
• Directives, guidelines, and other supporting communications
• Actions and decisions of management at various levels and of the board of directors
• Attitudes and responses to deviations from expected standards of conduct
• Informal and routine actions and communication of leaders at all levels of the entity

These elements reflect the expectations of integrity and ethical values and the degree to which they are applied
in decisions made at all levels of the organization, by outsourced service providers, and by business partners (e.g., joint venture partners, strategic alliances). They articulate and reinforce the commitment to doing what is
right, not just what complies with laws and regulations, so that these priorities are understood and embraced
across the organization. The degree to which these expectations are not only communicated but also applied by
senior management and the board as well as all other levels of leadership within the organization characterizes
the tone at the top and throughout the organization.

Tone is impacted by the operating style and personal conduct of management and the board of directors,
attitudes toward risk, and positions, which may be conservative or aggressive (e.g., position on estimates, policy
choices), and degree of formality (e.g., in a smaller family business, controls may be more informal), all of which
send a message to the organization. Personal indiscretions, lack of receptiveness to bad news, or unfairly
balanced compensation practices could impact the culture and ultimately provide an incentive for inappropriate
conduct. In contrast, a history of ethical and responsible behavior by management and the board of directors
and demonstrated commitment to addressing misconduct send strong messages in support of integrity.
Employees are likely to develop the same attitudes about right and wrong — and about risks and controls — as
those shown by management. Individual behavior is often influenced by the knowledge that the chief executive
officer has behaved ethically when faced with a tough business-based or personal decision, and that all
managers have taken timely action to address misconduct.

A consistent tone from the board and senior management through to operating unit management levels helps
establish a common understanding of the values, business drivers, and expected behavior of employees and
partners of the organization. This includes the various layers and divisions sometimes referred to as "tone in the
middle" in larger organizations. Such consistency helps pull the organization together in the pursuit of the entity's
objectives. Challenges to such consistency can arise in various forms. For instance, different markets may call
for different motivational approaches, different degrees of evaluation of suppliers, and different customer service
levels — how management responds to such pressures can create different tones at different levels of the
organization. The messages from management about what is or is not acceptable may vary to address particular
challenges at those different levels, but the more they remain consistent with the tone at the top, the more
homogeneous the performance of internal control responsibilities in the pursuit of the entity's objectives will be.

In some cases, the tone set by the chief executive may result in unintended consequences. Consider, for
example, a management team that readily modifies the entity's standard contractual terms to compete in the
local business environment. While such modification may be seen as positive for purposes of satisfying
customer needs and generating revenue — for instance getting products to customers faster — it may be
detrimental to the achievement of other objectives, such as complying with product safety standards, quotas, fair
sales practices, or other requirements. Clear guidance and direction from the top, as well as congruence across
different levels of management, facilitate the achievement of the entity's objectives.

Tone at the top and throughout the organization is fundamental to the functioning of an internal control system.
Without a strong tone at the top to support a strong culture of internal control, awareness of risk can be
undermined, responses to risks may be inappropriate, control activities may be ill defined or not followed,
information and communication may falter, and feedback from monitoring activities may not be heard or acted
upon. Therefore tone can be either a driver or a barrier to internal control.

Standards of Conduct

Standards of conduct guide the organization in behavior, activities, and decisions in the pursuit of objectives by:

• Establishing what is right and wrong
• Providing guidance for navigating what lies in between, considering associated risks
• Reflecting governing laws, rules, regulations, standards, and other expectations that the organization's
stakeholders may have, such as corporate social responsibility

Ethical expectations, norms, and customs can vary across borders. Management and the board of directors or
equivalent oversight body establish the standards and mechanisms for the organization to understand and
adhere to doing what is right, and define the process and resources for interpreting and addressing the potential
for deviations. These expectations are translated into an organizational statement of beliefs, values, and
standards of conduct.

The organization demonstrates its commitment to integrity and ethical values by applying the standards of
conduct and continually asking challenging questions, particularly when faced with difficult decisions. For
example, it might ask: Does it infringe on the organization's standards of conduct? Is it legal? Would we want our
shareholders, customers, regulators, suppliers, or other stakeholders to know about it? Would it reflect
negatively on the individual or the organization?

Integrity and ethical values are core messages in the organization's communications and training. For example,
a company that regularly receives awards for "best places to work" and achieves high employee retention rates
typically provides training on corporate ethical values and organizational culture, with the support of senior
management and the board. The training sessions are conducted quarterly or biannually depending on the
number of new employees hired. During such training, employees learn how the ethical climate has developed in
the organization. In addition, employees are provided with examples of how integrity and ethical values have
assisted in identifying issues and solving problems and the importance of speaking up and raising concerns.

The organization's standards of conduct are regularly communicated and reinforced not only to all levels of the
organization but also to outsourced service providers. For example, enforcing internal control for compliance
with product safety standards extends beyond the entity to include joint venture partners, suppliers, sales
distributors, and other outsourced service providers at all locations.

Management retains ultimate accountability for activities it delegates through legal or contractual arrangements
to outsourced service providers. Variables that can affect the extent of communications, oversight, and other
activities needed to ensure that outsourced service providers and business partners adhere to the entity's
standards of conduct include:

• The nature of services outsourced
• Extent of alignment of the service provider's standards of conduct with those of the entity
• Quality and frequency of the service provider's reinforcement and oversight of adherence to standards of
conduct by its personnel
• Magnitude and level of complexity of the entity's supply chain and business model

Inappropriate conduct by outsourced service providers or business partners can reflect negatively on senior
management and impact the entity itself by causing harm to customers, other stakeholders, or the reputation of
the organization, requiring costly corrective action. Therefore management retains responsibility for the
performance of processes that it has delegated to outside service providers or business partners.

Adherence and Deviations

The established standards of conduct provide the basis for evaluating adherence to integrity and ethical values
across the organization and its outsourced service providers. They are communicated through the organization's
policies and practices, and employment or service contracts. Some organizations require formal
acknowledgment of receipt and compliance with such standards. To be sure that the standards are being
followed in practice, the actions, decisions, and attitudes of individuals are evaluated by management or an
independent party.

The lack of adherence to standards of conduct often stems from situations such as:

• Tone at the top that does not effectively convey expectations regarding adherence to standards
• A board of directors that does not provide impartial oversight of senior management's adherence to standards
• High decentralization without adequate oversight, leaving senior management unaware of actions taken at lower
levels
• Coercion by superiors, peers, or external parties to cut corners or engage in fraud or other illicit behavior
• Performance goals that create incentives or pressures to compromise ethical behavior
• Inadequate channels by which employees can safely voice questions and concerns
• Failure to address non-existent or ineffective controls, which allow opportunities to conceal poor performance
• Inadequate process for the investigation and resolution of alleged misconduct
• A weak internal audit function that does not have the ability to detect and report improper conduct
• Penalties for improper conduct that are inconsistently applied, insignificant, or unpublicized and thus lose their
deterrent value

For example, standards of conduct may prohibit practices that could be perceived as collusion to fix prices, but
the organization must establish mechanisms to enforce standards, such as awareness communications and
training, scanning market pricing activity to identify potential issues, and other measures to prevent or detect a
deviation from the organization's standards of conduct. The organization communicates established tolerance
levels for deviations. Depending on the significance of the impact to the organization, the level of remedial action
may vary but is applied consistently across the organization. Evaluations of individual and team adherence to
standards of conduct are part of a systematic process for escalation and resolution of exceptions. The process
requires that management:

• Define a set of indicators (e.g., training completion rates, results of monitoring activities, breaches of
confidentiality, collusion with other market participants, harassment cases) to identify issues and trends related
to the standards of conduct for the organization, including its outsourced service providers. Such indicators are
revisited periodically and refined as necessary to help raise potential issues early or before they repeat
themselves.
• Establish continual and periodic compliance procedures to confirm that expectations and requirements are being
met both internally and by outsourced service providers.
• Identify, analyze, and report business conduct issues and trends to senior management and the board of
directors. Mechanisms for identifying issues include direct reporting lines, human resource functions, and
hotlines. Analysis often requires cross-functional teams to determine the root cause and what corrective actions
are needed.
• Consider the strength of leadership in the demonstration of integrity and ethical values as an evaluated behavior
in performance reviews, compensation, and promotion decisions.
• Compile allegations centrally and have these evaluated by individuals independent of the allegation.
• Conduct and document investigations based on defined investigation protocols.
• Follow through on implementing corrective actions so that issues are remedied in a timely and consistent
manner.
• Periodically analyze issues to identify trends and root causes, sometimes calling for modification of policy,
communications, training, or controls.

Evaluations may be conducted by an ongoing management process and/or by an independent party. Individuals
can also assess and report irregularities through formal and informal communication channels, such as a
whistle-blowing program, an ethics hotline, upward feedback processes, and regular staff meetings.

Deviations from expected standards of conduct are addressed in a timely and consistent manner. Depending on
the severity of the deviation determined through the evaluation process, management may take different actions
and may also need to consider local laws, but the standards to which it holds employees remain consistent.

Depending on the severity of the deviation, the employee may be issued a warning and provided coaching, put
on probation, or terminated.

Exercises Oversight Responsibility

Principle 2: The board of directors demonstrates independence from management and exercises oversight of
the development and performance of internal control.

Points of Focus

The following points of focus highlight important characteristics relating to this principle:

• Establishes Oversight Responsibilities — The board of directors identifies and accepts its oversight
responsibilities in relation to established requirements and expectations.
• Applies Relevant Expertise — The board of directors defines, maintains, and periodically evaluates the skills
and expertise needed among its members to enable them to ask probing questions of senior management and
take commensurate actions.
• Operates Independently — The board of directors has sufficient members who are independent from
management and objective in evaluations and decision making.
• Provides Oversight for the System of Internal Control — The board of directors retains oversight
responsibility for management's design, implementation, and conduct of internal control:
  • Control Environment — Establishing integrity and ethical values, oversight structures, authority and
  responsibility, expectations of competence, and accountability to the board.
  • Risk Assessment — Overseeing management's assessment of risks to the achievement of objectives,
  including the potential impact of significant changes, fraud, and management override of internal control.
  • Control Activities — Providing oversight to senior management in the development and performance of
  control activities.
  • Information and Communication — Analyzing and discussing information relating to the entity's
  achievement of objectives.
  • Monitoring Activities — Assessing and overseeing the nature and scope of monitoring activities and
  management's evaluation and remediation of deficiencies.

Authorities and Responsibilities

The board of directors or equivalent oversight body (the "board") understands the business and expectations of
stakeholders, including customers, employees, investors, and the general public, as well as legal and regulatory
requirements and related risks. These expectations and requirements help shape the objectives of the
organization, oversight responsibilities of the board, and resource requirements.

The board has the authority to hire as well as terminate, as necessary, and establish succession planning for the
chief executive officer or equivalent, who is then charged with overall execution of the entity's strategy,
achievement of its objectives, and effectiveness of the system of internal control. The board is responsible for
providing oversight and constructive challenge to management.

Depending on the jurisdiction, oversight structures are developed voluntarily or as mandated by law, regulation,
or standards, such as stock exchange listing standards. While requirements for privately owned, not-for-profit, or
other entities may vary, publicly listed companies in many jurisdictions require committees at the board level to
focus on specialized topics, such as:

• Nomination/governance committees to lead the selection of directors and oversee the evaluation of senior
management and the board of directors
• Compensation committees to oversee policies and practices for senior management compensation, motivating
expected behaviors, balancing incentives for short- and long-term performance, linking performance to strategic
objectives, and relating compensation to risk
• Audit committees to oversee internal control over financial reporting and the integrity and transparency of
external reporting, including financial reports
• Other committees of the board dedicated to addressing specific matters that are critical to the entity's objectives
(e.g., risk committees for financial services institutions or compliance committees for pharmaceutical companies)

Board oversight is supported by structures and processes that management establishes at a business-execution
level. For instance, management committees may focus on topics such as information technology,
products/services, process, or other aspects of the business requiring dedicated focus. Management continually
assesses risks posed by the changes in the operating environment (e.g., emergence of new technology,
heightened regulatory requirements, and business model evolution) and addresses the implications for the
internal control system.

While the board retains oversight responsibility, the chief executive officer and senior management bear direct
responsibility for developing and implementing the internal control system. Depending on the type of
organization and its strategy, structure, and objectives, operating units may have more or less autonomy
designing the processes and structures to enable internal control. For example, while one organization may
implement an enterprise resource planning system that standardizes all major processes and controls, another
organization may leave it to each division to determine and implement those most suitable to its business
activities.

Independence and Relevant Expertise

The board of directors is independent from management and demonstrates relevant skills and expertise in
carrying out its oversight responsibilities. Independence is demonstrated in the board member's objectivity of
mind, action, appearance, and fact. A publicly listed company is typically required to have a majority of its
directors be independent and with no current or recent personal or professional relationship with the entity. (In
some jurisdictions, this is also a requirement for all members of some committees of the board, such as audit
committees.) The factor of independence and relevant expertise also considers the various board seats held by
each of the board members to limit any bias or conflict of interest that could result from board members sitting on
other company boards.

Because a board must be actively engaged at all times and be prepared to question and scrutinize
management's activities, present alternative views, and have the courage to act in the face of obvious or
suspected wrongdoing, it is necessary that the board include independent directors. Certainly, officers and
employees bring deep knowledge of the entity to the table, but independent directors with relevant expertise
provide value through their impartiality, healthy skepticism, and unbiased evaluation.

Privately owned, not-for-profit, or other entities may find it costly or otherwise difficult to attract competent
independent directors. Depending on applicable requirements (some may not be required to have a board of
directors), it may be incumbent on these organizations to identify professional and personal qualities of the
candidate important to the entity (e.g., understanding of stakeholder perspectives, internal control mindset) and
establish a board with members who demonstrate these qualities. In such rare cases where entities are unable
to have an independent board, they recognize this factor and evidence different processes and controls that
result in adequate oversight.

Board composition is determined considering the mission, values, and various objectives of the entity as well as
the skills and expertise needed to oversee, probe, and evaluate the senior management team most
appropriately. The size of the board is determined by considering the appropriate number of members to
adequately facilitate constructive criticisms, discussions, and decision making. Capabilities expected of all board
members include integrity and ethical standards, leadership, critical thinking, and problem-solving. Further, the
board is expected to include more specialized skills and expertise, with sufficient overlap to enable discussion
and deliberation, such as:

• Internal control mindset (e.g., professional skepticism, perspectives on approaches for identifying and
responding to risks, assessing the effectiveness of the system of internal control)
• Market and entity knowledge (e.g., knowledge of products/services, value chain, customer base, competitors)
• Financial expertise, including financial reporting (e.g., accounting standards, financial reporting requirements)
• Legal and regulatory expertise (e.g., understanding of governing laws, rules, regulations, and standards)
• Social and environmental expertise (e.g., understanding of social and environmental expectations and
activities)
• Incentives and compensation (e.g., knowledge of market compensation rates and practices)
• Relevant systems and technology (e.g., understanding critical systems and technology challenges and
opportunities)

The expertise and independence of the board of directors are evaluated regularly in relation to the evolving
needs of the entity. Board members participate in training as appropriate to keep their skills and expertise
current and relevant.

Oversight by the Board of Directors

The board of directors is involved in exercising oversight for the development and performance of internal control
through each of the five components of the Framework, as illustrated in the table below:

Internal Control Component: Oversight Activities of the Board

Control Environment
• Oversee the definition of and apply the standards of conduct of the organization
• Establish the expectations and evaluate the performance, integrity, and ethical values of the chief executive
officer or equivalent role
• Establish oversight structures and processes aligned with the objectives of the entity (e.g., board and
committees as appropriate with requisite skills and expertise)
• Commission board oversight effectiveness reviews and address opportunities for improvement
• Exercise fiduciary responsibilities to shareholders or other owners (as applicable) and due care in oversight
(e.g., prepare for and attend meetings, review the entity's financial statements and other disclosures)
• Challenge senior management by asking probing questions about the entity's plans and performance, and
require follow-up and corrective actions, as necessary (e.g., questioning transactions that occur repeatedly at
the end of interim or annual reporting periods)

Risk Assessment
• Consider internal and external factors that pose significant risks to the achievement of objectives; identify
issues and trends (e.g., sustainability implications of the entity's business operations)
• Challenge management's assessment of risks to the achievement of objectives, including the potential impact
of significant changes (e.g., risks associated with entering a new market), and fraud or corruption
• Evaluate how proactively the organization assesses risks relating to innovations and changes such as those
triggered by new technology or economic and geopolitical shifts

Control Activities
• Make specific inquiries of management regarding the selection, development, and deployment of control
activities in significant risk areas and remediation as necessary (e.g., in response to significant risks emerging
from internal or external factors)
• Oversee senior management in its performance of control activities

Information and Communication
• Communicate direction and tone at the top
• Obtain, review, and discuss information relating to the entity's achievement of objectives
• Scrutinize information provided and present alternative views
• Review disclosures to external stakeholders for completeness, relevance, and accuracy
• Allow for and address upward communication of issues

Monitoring Activities
• Assess and oversee the nature and scope of monitoring activities, any management overrides of controls, and
management's evaluation and remediation of deficiencies
• Engage with management, internal and external auditors, and others, as appropriate, to evaluate the level of
awareness of the entity's strategies, specified objectives, risks, and control implications associated with
evolving business, infrastructure, regulations, and other factors

Transparency obligations reinforce accountability of both senior management and the board of directors. While
disclosure requirements and expectations may differ by jurisdiction, industry, or otherwise, the board of directors
oversees that such needs are understood and met over time. Reporting to the board of directors occurs both on
a regular and ad hoc basis, as needed, to help the board oversee the issues relating to the system of internal
control.

Establishes Structure, Authority, and Responsibility

Principle 3: Management establishes, with board oversight, structures, reporting lines, and appropriate
authorities and responsibilities in the pursuit of objectives.

Points of Focus

The following points of focus highlight important characteristics relating to this principle:

• Considers All Structures of the Entity — Management and the board of directors consider the multiple
structures used (including operating units, legal entities, geographic distribution, and outsourced service
providers) to support the achievement of objectives.
• Establishes Reporting Lines — Management designs and evaluates lines of reporting for each entity structure
to enable execution of authorities and responsibilities and flow of information to manage the activities of the
entity.
• Defines, Assigns, and Limits Authorities and Responsibilities — Management and the board of
directors delegate authority, define responsibilities, and use appropriate processes and technology to
assign responsibility and segregate duties as necessary at the various levels of the organization:
  • Board of Directors — Retains authority over significant decisions and reviews management's assignments
  and limitations of authorities and responsibilities
  • Senior Management — Establishes directives, guidance, and control to enable management and other
  personnel to understand and carry out their internal control responsibilities
  • Management — Guides and facilitates the execution of senior management directives within the entity and
  its subunits
  • Personnel — Understands the entity's standard of conduct, assessed risks to objectives, and the related
  control activities at their respective levels of the entity, the expected information and communication flow,
  and monitoring activities relevant to their achievement of objectives
  • Outsourced Service Providers — Adheres to management's definition of the scope of authority and
  responsibility for all non-employees engaged

Organizational Structures and Reporting Lines

Senior management and the board of directors establish the organizational structure and reporting lines
necessary to plan, execute, control, and periodically assess the activities of the entity; in other words, to carry
out their oversight responsibilities. They are supported by requisite processes and technology to provide for clear
accountability and information flows within and across the overall entity and its subunits.

Entities are often structured along various dimensions. In particular:

• The management operating model may follow product or service lines to facilitate development of new products
and services, optimize marketing activities, rationalize production, and improve customer service or other
operational aspects.
• Legal entity structures are often designed to manage business risks, create favorable tax structures, and
empower managers at foreign operations.
• Geographic markets may provide for further subdivisions or aggregations of performance.
• Entities also enter into a variety of relationships with outsourced service providers to support the achievement of
objectives, which creates additional structures and reporting lines.

Each of these lenses may provide a different evaluation of the system of internal control. While the aggregation
of risks along one dimension may indicate no issues, the view along a different dimension may show
concentration risk around certain customer types, overreliance on a sole vendor, or other vulnerabilities.
Ownership and accountability at each level of aggregation enables such multidimensional review and analysis.

Organizational structures evolve as the nature of the business evolves. Management therefore reviews and
evaluates the structures for continued relevance and effectiveness and efficiency in support of the internal
control system. Consider, for example, a bank that reports performance results and internal control effectiveness
by legal entity, business unit, or geography. If it does not regularly revisit its reporting to verify that it adequately
reflects its current business model, it may fail to recognize the emergence of certain risks, the absence of
appropriate controls, and inadequacy of reporting.

For each type of structure it operates (e.g., geographic market structure, business segment structure, legal entity
structure), management designs and evaluates the lines of reporting so that responsibilities are carried out and
information flows as needed. It also verifies there is no conflict of interest inherent in the execution of
responsibilities across the organization and its outsourced service providers. Variables to consider when
establishing and evaluating organizational structures include the following:

• Nature, size, and geographic distribution of the entity's business
• Risks related to the entity's objectives and business processes, which may be retained internally or outsourced,
and interconnections with outsourced service providers and business partners
• Nature of the assignment of authority and responsibility to top, operating unit, functional, and geographic
management
• Definition of reporting lines (e.g., direct reporting / "solid line" versus secondary report / "dotted line") and
communication channels
• Financial, tax, regulatory, and other reporting requirements of relevant jurisdictions

Regardless of the organizational structure, definitions, and assignments of authority and responsibility, reporting
lines and communication channels must be clear to enable accountability over operating units and functional
areas. For example, the board determines which senior management roles have at least a "dotted line" to the
board of directors to allow for open communication to the board of all issues of importance. Similarly, direct
reporting and informational reporting lines are defined at all levels of the organization.

Responsibilities can generally be viewed as falling within three lines of defense against the failure to achieve the
entity's objectives, with oversight by the board of directors:

• Management and other personnel on the front line provide the first line of defense in day-to-day activities. They
are responsible for maintaining effective internal control day to day; they are compensated based on
performance in relation to all applicable objectives.
• Business-enabling functions (also referred to as support functions) provide guidance on internal control
requirements and evaluate adherence to defined standards; while they are functionally aligned to the business,
their compensation is not directly tied to performance of the area to which they render expert advice.
• Internal auditors provide the third line of defense in assessing and reporting on internal control and
recommending corrective actions or enhancements for management consideration and implementation; their
position and compensation are separate and distinct from the business areas they review.

Periodic evaluation of existing structures in relation to the achievement of the entity's objectives enables
realignment with emerging priorities (e.g., new regulations) and rationalization (e.g., cutting across silos of
different functions or operating units) to provide a comprehensive and integrated view of internal control.

Authorities and Responsibilities


The board of directors delegates authority and defines and assigns responsibility to senior management. In turn,
senior management delegates authority and defines and assigns responsibility for the overall entity and its
subunits. Authority and responsibility are delegated based on demonstrated competence, and roles are defined
based on who is responsible for or kept informed of decisions. The board and/or senior management define the
degree to which individuals and teams are authorized and encouraged, or limited, to pursue achievement of
objectives or address issues as they arise.

Key roles and responsibilities assigned across the organization typically include the following:

 The board of directors stays informed and challenges senior management as necessary to provide guidance on
significant decisions.
 Senior management, which includes the chief executive officer or equivalent organizational leader, is ultimately
responsible to the board of directors and other stakeholders for establishing directives, guidance, and control to
enable management and other personnel to understand and carry out their responsibilities.
 Management, which includes supervisors and decision-makers, executes senior management directives at the
entity and its subunits.
 Personnel, which includes all employees of the entity, are expected to understand the entity's standards of
conduct, objectives as defined in relation to their area of responsibility, assessed risks to those objectives,
related control activities at their respective levels of the entity, information, and communication flow, and any
monitoring activities relevant to achieving objectives.
 Management and personnel with direct responsibility over outsourced processes conducted by external service
providers oversee those providers. Outsourced service providers are given clear and concise contractual terms
covering the entity's objectives and expectations of conduct and performance, competence levels, and expected
information and communication flow. They may execute business processes on behalf of or together with
management, who remains responsible for internal control.

Organizations delegate authority and responsibility to enable management and other personnel to make
decisions according to management's directives toward the achievement of the entity's objectives. An
organization may define or revisit its structures by reducing layers of management, delegating more authority
and responsibility to lower levels, or partnering with other organizations. For example, a sales organization may
empower its managers to sell at a greater discount to gain market share. However, the authority is delegated
and responsibility is assigned only to those who demonstrate the competence to make adequate decisions;
consistently adhere to the entity's standards of conduct, policies, and procedures; and understand the
consequences of the risks they take.

Delegation of authority provides greater agility, but it also increases the complexity of risks to be managed.
Senior management, with guidance from the board of directors, provides the basis for determining what is or is
not acceptable (non-compliance with the organization's regulatory or contractual obligations, for example, is not).
Limitation of Authority

Authority empowers people to act as needed in a given role, but it is also necessary to define the limitations of
authority, so that:

 Delegation occurs only to the extent required to achieve the entity's objectives (e.g., review and approval of new
products involves the requisite business and support functions, separate from the sales execution team).
 Inappropriate risks are not accepted (e.g., a new vendor is not taken on without the requisite due diligence
review).
 Duties are segregated to reduce the risk of inappropriate conduct in the pursuit of objectives, and requisite
checks and balances occur from the highest to the lowest levels of the organization (e.g., defining roles,
responsibilities, and performance measures in a manner to reduce any potential for conflicts of interest).
 Technology is leveraged as appropriate to facilitate the definition and limitation of roles and responsibilities
within the workflow of business processes (e.g., different access levels to enterprise resource planning systems
at corporate and subsidiary levels; access privileges granted to on-line customers, business partners, and
others).
 Third-party service providers who are tasked with carrying out activities on behalf of an entity understand the
extent of their decision-making rights.
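As an added example (not part of the COSO text), the following Python turns three of the bullets above into checks that an access-review or approval workflow could actually run: a delegated discount cap per role (the sales example given earlier), a segregation-of-duties rule over role combinations, and a vendor-activation gate that requires due diligence by a different, suitably assigned person. The role names, thresholds, toxic combinations and sample principals are assumptions constructed for illustration, not anything the Framework prescribes.

```python
# Added example, not COSO's text: limits of authority, segregation of duties and
# a due-diligence gate expressed as executable policy. Role names, thresholds and
# the sample principals below are constructed assumptions for illustration only.
from __future__ import annotations

from dataclasses import dataclass

# Duty pairs that one person must never hold at the same time (assumed).
TOXIC_COMBINATIONS = frozenset({
    frozenset({"vendor_create", "payment_approve"}),  # create a payee, then pay it
    frozenset({"sales_execute", "product_approve"}),  # sell what you approved
    frozenset({"erp_user_admin", "journal_post"}),    # grant yourself access, then post
})

# Maximum discount each role may grant without escalation (assumed), mirroring the
# delegated sales-discount authority described in the text.
DISCOUNT_LIMIT = {
    "sales_rep": 0.05,
    "sales_manager": 0.15,
    "sales_director": 0.30,
}

# Role permitted to sign off on vendor due diligence (assumed).
DUE_DILIGENCE_ROLE = "vendor_due_diligence"


@dataclass(frozen=True)
class Principal:
    name: str
    roles: frozenset[str]


def sod_conflicts(p: Principal) -> list[frozenset[str]]:
    """Return every toxic combination fully contained in the principal's roles."""
    return sorted((c for c in TOXIC_COMBINATIONS if c <= p.roles), key=sorted)


def max_discount(p: Principal) -> float:
    """Highest discount any of the principal's roles is delegated; 0.0 if none."""
    return max((DISCOUNT_LIMIT.get(r, 0.0) for r in p.roles), default=0.0)


def discount_allowed(p: Principal, discount: float) -> bool:
    """Delegation only to the extent required: the actor must stay within the cap."""
    return 0.0 <= discount <= max_discount(p)


def vendor_activation_allowed(requester: Principal, reviewer: Principal | None) -> bool:
    """No new vendor without due diligence by a separate, appropriately assigned person."""
    if reviewer is None:                   # no review performed at all
        return False
    if reviewer.name == requester.name:    # self-approval defeats the check
        return False
    return DUE_DILIGENCE_ROLE in reviewer.roles


def review_assignment(p: Principal) -> dict:
    """Summarise what a principal may do and any conflicts, for a periodic access review."""
    return {
        "name": p.name,
        "max_discount": max_discount(p),
        "sod_conflicts": [sorted(c) for c in sod_conflicts(p)],
        "may_review_vendors": DUE_DILIGENCE_ROLE in p.roles,
    }


if __name__ == "__main__":
    # Constructed sample assignments.
    alice = Principal("alice", frozenset({"sales_manager", "sales_execute"}))
    bob = Principal("bob", frozenset({"vendor_create", "payment_approve"}))
    carol = Principal("carol", frozenset({DUE_DILIGENCE_ROLE}))
    for p in (alice, bob, carol):
        print(review_assignment(p))
    print(discount_allowed(alice, 0.10), discount_allowed(alice, 0.20))
    print(vendor_activation_allowed(bob, carol), vendor_activation_allowed(bob, bob))
```

Running the module prints a review line per principal; bob's line reports the vendor_create/payment_approve conflict, which is exactly the kind of finding a periodic evaluation of structures is meant to surface before it is exploited rather than after.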

Demonstrates Commitment to Competence

Principle 4: The organization demonstrates a commitment to attract, develop, and retain competent individuals
in alignment with objectives.

Points of Focus

The following points of focus highlight important characteristics relating to this principle:

 Establishes Policies and Practices — Policies and practices reflect expectations of competence necessary to
support the achievement of objectives.
 Evaluates Competence and Addresses Shortcomings — The board of directors and management evaluate
competence across the organization and in outsourced service providers in relation to established policies and
practices, and act as necessary to address shortcomings.
 Attracts, Develops, and Retains Individuals — The organization provides the mentoring and training needed
to attract, develop, and retain sufficient and competent personnel and outsourced service providers to support
the achievement of objectives.
 Plans and Prepares for Succession — Senior management and the board of directors develop contingency
plans for assignments of responsibility important for internal control.

Policies and Practices


Policies and practices are the entity-level guidance and behavior that reflect the expectations and requirements
of investors, regulators, and other stakeholders. They provide the foundation for defining the competence
needed within the organization and provide the basis for more detailed procedures for executing and evaluating
performance as well as determining remedial actions, as necessary. Such policies and practices provide:

 Requirements and rationale (e.g., implications of product safety laws, rules, regulations, and standards for the
entity)
 Skills and conduct necessary to support internal control in the achievement of the entity's objectives (e.g.,
knowledge of the operation of technology platforms underpinning business processes)
 Defined accountability for performance of key business functions (e.g., defined owners of product safety and
areas of applicability within the organization)
 Basis for evaluating shortcomings and defining remedial actions, as necessary (e.g., correcting a process or
strengthening the skills of management and other personnel)
 Means to react dynamically to change (e.g., linkage to applicable operating procedures to reflect new regulatory
requirements, new risks identified, or internal decision to modify business processes)

Policies and practices enable the focus on competence to permeate the organization, starting with the board of
directors relative to the chief executive officer, the chief executive officer relative to senior management, and
cascading down to various levels of management. The resulting commitment to competence facilitates
measuring the achievement of objectives at all levels of the organization and by outsourced service providers by
establishing how processes should be carried out and what skills and behavior should be applied.

Evaluate Competence

Competence is the qualification to carry out assigned responsibilities. It requires relevant skills and expertise,
which are gained largely from professional experience, training, and certifications. It is expressed in the attitude,
knowledge and behavior of individuals as they carry out their responsibilities.

The human resources function of an organization can often help define competence and staffing levels by job
role, facilitate training and maintain completion records, and evaluate the relevance and adequacy of
individual professional development in relation to the entity's needs.

The organization defines competence requirements as needed to support the achievement of objectives,
considering, for instance:

 Knowledge, skills, and experience needed
 Nature and degree of judgment and limitations of authority to be applied to a specific position
 Cost-benefit analysis of different levels of skills and experience

The board of directors evaluates the competence of the chief executive officer and, in turn, management
evaluates competence across the organization and outsourced service providers in relation to established
policies and practices, and then acts as necessary to address any shortcomings or excesses. In particular, a
changing risk profile may cause the organization to shift resources toward areas of the business that require
greater attention. For example, as a company brings a new product to market, it may elect to increase staffing in
its sales and marketing teams, or as a new applicable regulation is issued, it may focus on those individuals
responsible for implementation. Shortcomings may arise relating to staffing levels, expertise, or a combination of
factors. Management is responsible for acting on such shortcomings in a timely manner.

Attracting, Developing, and Retaining Individuals

The commitment to competence is supported by and embedded in the human resource management processes
for attracting, developing, evaluating, and retaining the right fit of management, other personnel, and outsourced
service providers. The adequate number of resources is determined and periodically readjusted considering the
relative importance of risks to be mitigated to support the achievement of the entity's objectives. Management at
different levels establishes the structures and processes to:

 Attract — Seek out candidates who demonstrate a fit with the entity's culture, operating style, and organizational
needs, and who have the competence for the proposed roles.
 Train — Enable individuals to develop competencies appropriate for assigned roles and responsibilities,
reinforce standards of conduct and expected levels of competence for particular assignments, tailor training
based on roles and needs, and consider a mix of delivery techniques, including classroom instruction, self-study,
and on-the-job training.
 Mentor — Provide guidance on the individual's performance toward expected standards of conduct and
competence, align the individual's skills and expertise with the entity's objectives, and help personnel adapt to
an evolving environment.
 Evaluate — Measure the performance of individuals in relation to the achievement of objectives and
demonstration of expected conduct, and against service-level agreements or other agreed-upon standards for
recruiting and compensating outsourced service providers.
 Retain — Provide incentives to motivate and reinforce expected levels of performance and desired conduct,
including training and credentialing as appropriate.

Through this process, any behavior not consistent with standards of conduct, policies and practices, and internal
control responsibilities is identified, assessed, and corrected in a timely manner or otherwise addressed at all
levels of the organization. This enables the organization to actively address competence to support the
achievement of the entity's objectives balancing costs and benefits.

Plans and Prepares for Succession

Management continually identifies and assesses those performing functions that are deemed essential to
achieving the entity's objectives. The importance of each role is determined by assessing what the impact would
be if that role were temporarily or permanently unfilled. For instance, the chief executive officer and other
members of senior management, strategic suppliers, and key channel partners are functions that typically
require plans to be put in place to make sure those objectives can still be achieved, even in the absence of the
individual filling the role.

Senior management and the board of directors develop contingency plans for assigning responsibilities
important to internal control. In particular, succession plans for key executives are defined, and succession
candidates are trained and coached for assuming the target role.

Succession planning is also undertaken when significant functions are delegated through contractual
arrangements to outsourced service providers. Where an organization places considerable reliance on an
external party and the organization has assessed the risk of that provider's processes or systems breaking down
as having a direct impact on the entity's ability to achieve its objectives, some form of succession plan may be
needed. Measures to provide for ongoing knowledge sharing and documentation ease the succession to a new
provider when necessary.

Enforces Accountability

Principle 5: The organization holds individuals accountable for their internal control responsibilities in the pursuit
of objectives.

Points of Focus

The following points of focus highlight important characteristics relating to this principle:

 Enforces Accountability through Structures, Authorities, and Responsibilities — Management and the
board of directors establish the mechanisms to communicate and hold individuals accountable for performance
of internal control responsibilities across the organization and implement corrective action as necessary.
 Establishes Performance Measures, Incentives, and Rewards — Management and the board of directors
establish performance measures, incentives, and other rewards appropriate for responsibilities at all levels of
the entity, reflecting appropriate dimensions of performance and expected standards of conduct, and
considering the achievement of both short-term and longer-term objectives.
 Evaluates Performance Measures, Incentives, and Rewards for Ongoing Relevance — Management and
the board of directors align incentives and rewards with the fulfillment of internal control responsibilities in the
achievement of objectives.
 Considers Excessive Pressures — Management and the board of directors evaluate and adjust pressures
associated with the achievement of objectives as they assign responsibilities, develop performance measures,
and evaluate performance.
 Evaluates Performance and Rewards or Disciplines Individuals — Management and the board of directors
evaluate performance of internal control responsibilities, including adherence to standards of conduct and
expected levels of competence and provide rewards or exercise disciplinary action as appropriate.

Accountability for Internal Control

The board of directors ultimately holds the chief executive officer accountable for understanding the risks faced
by the entity and establishing the requisite system of internal control to support the achievement of the entity's
objectives. The chief executive officer and senior management, in turn, are responsible for designing,
implementing, conducting, and periodically assessing the structures, authorities, and responsibilities needed to
establish accountability for internal control at all levels of the organization.

Accountability refers to the delegated ownership for the performance of internal control in the pursuit of
objectives considering the risks faced by the entity. Outsourced service providers may be used to carry out
responsibilities together with or on behalf of management, in which case management establishes the requisite
levels of performance and oversight mechanisms and retains ultimate accountability for internal control.
Management provides guidance to enable the understanding of risks faced by the entity, to communicate
expectations of conduct of internal control responsibilities in support of the achievement of the entity's objectives,
and to hold personnel accountable.

Accountability for internal control is demonstrated in each form of organizational structure used by the entity. For
example, a manager whose responsibilities include upholding fair trade practices is accountable to the legal
entity, operating unit, geography, or other existing structural entity to demonstrate an appropriate and effective
control environment, risk assessment, control activities, information and communication, and monitoring to
adhere to entity policy and support compliance with laws and regulations.

Accountability is interconnected with leadership, insofar as a strong tone at the top contributes to internal control
responsibilities being understood, carried out, and continually strengthened across the entity. Tone helps to
establish and enforce accountability, morale, and a common purpose through:

 Clarity of expectations from senior management and the board of directors, addressing issues such as integrity
and ethics, conflict of interest, illegal or otherwise improper activities, and anticompetitive arrangements (e.g., a
code of conduct is developed and communicated to all employees and outsourced service providers, and
enforced)
 Guidance provided by management through its philosophy and operating style, as expressed in the form of state
of mind, formality, persistence and other attitudes of management toward internal control (e.g., an entity that has
been successful taking significant risks may have a different outlook on internal control than one that has faced
harsh economic or regulatory consequences as a result of venturing into higher-risk areas)
 Control and information flow (e.g., communicating how decisions are made, and soliciting and acting on 360-
degree feedback on performance)
 Upward and other communication channels for employees and outsourced service providers to feel comfortable
reporting violations of ethical standards (e.g., anonymous or confidential communication channels are made
available)
 Employee commitment toward collective objectives (e.g., alignment of individual goals and performance with the
entity's objectives)
 Management's response to deviations from expected standards and behaviors (e.g., notices, terminations,
and other corrective actions ensue from failing to adhere to organizational standards, and performance
evaluation and reward structures are commensurate with the achievement of the organization's objectives)

Accountability is driven by tone at the top and supported by the commitment to integrity and ethical values,
competence, structure, processes, and technology, which collectively influence the control culture of the
organization. Corrective action is taken as necessary to re-establish the necessary accountability for internal
control.

Performance Measures, Incentives, and Rewards

Performance is greatly influenced by the extent to which individuals are held accountable and how they are
rewarded.

Management and the board of directors establish performance measures, incentives, and other rewards
appropriate for responsibilities at all levels of the entity, considering the achievement of both short-term and
longer-term objectives. Recognizing that rewarding future results in the present can yield unintended
consequences, the organization establishes a combination of quantitative and qualitative performance measures
balanced to reward successes and discipline behaviors as necessary in line with the range of objectives.
Consider for example a company seeking to win customer loyalty with quality products. It engages its workforce
in an effort to reduce production defect rates and aligns its performance measures, incentives, and rewards with
both the operating unit's production goals and the expectations to comply with product safety and quality
standards, workplace safety laws, customer loyalty programs, and accurate product recall reporting.

Performance measures, incentives, and rewards support an effective system of internal control insofar as they
are adapted to the entity's objectives and evolve dynamically with its needs. The following table illustrates key
success measures and considerations for motivating, measuring and rewarding high performance.

Success Measures  Considerations

Clear Objectives
 Consider all levels of personnel to support the achievement of the entity's objectives.
 Consider the multiple dimensions of expected conduct and performance of the organization, outsourced service
providers and business partners (e.g., per service-level agreements), and define objectives and related incentives
and pressures.

Defined Implications
 Communicate/reinforce the entity's objectives and how each area and level of the organization is expected to
support the achievement of objectives.
 Identify and discuss events that the market has rewarded in the past and those that the market has punished.
 Communicate consequences (positive and negative) of not achieving or fully/partially achieving specific entity
objectives.

Meaningful Metrics
 Define metrics to transform disparate data into meaningful information on performance.
 Measure expected versus actual conduct and the impact of the deviations, both positive and negative.
 Assess the expected impact on the entity's objectives.

Adjustment to Changes
 Adjust performance measures regularly based on a systematic and continual evaluation of the potential impacts
of risks as they evolve over time, as well as the quantification of the associated rewards.

Incentives provide the motivation for management and other personnel to perform. Salary increases and
bonuses are commonly used, but greater responsibility, visibility, recognition, and other forms of non-monetary
reward are other effective incentives. Management consistently applies and regularly reviews the organization's
measurement and reward structures to ensure that it does not encourage inappropriate conduct (e.g., lack of
balance between revenue goals and other objectives key to the viability of the business can create conduct that
is not in line with expected standards). Similarly, compensation and reward structures, including hiring and
promotion structures, incorporate the review of historical conduct against expectations of ethical behavior.
Individuals who do not adhere to the entity's standards of conduct are sanctioned and not promoted or otherwise
rewarded.

Regardless of the form they take, incentives drive behavior. An entity that limits its focus to only increasing the
bottom line may be more likely to experience unwanted behavior such as manipulation of the financial
statements or accounting records, high-pressure sales tactics, negotiations directed at increasing quarterly sales
or profit at any cost, or implicit offers of kickbacks.

Management and the board regularly evaluate the performance of individuals and teams in relation to defined
performance measures, which include business performance factors as well as adherence and support for
standards of conduct and demonstrated competence.

Performance measures are reviewed periodically for ongoing relevance and adequacy in relation to incentives
and rewards. If necessary, internal or external factors are realigned to objectives and other expectations of
management, personnel, and outside providers.

Pressures

Management and the board of directors establish goals and targets toward the achievement of objectives that by
their nature create pressures within the organization. Pressures can also result from cyclical variations of certain
activities, which organizations have the ability to influence by rebalancing workloads or increasing resource
levels, as appropriate, to reduce the risk of employees "cutting corners" where doing so could be detrimental to
the achievement of objectives.

These pressures, which are further shaped by the internal or external environment, can positively motivate
individuals to meet expectations of conduct and performance, both in the short and long term. However, undue
pressures can cause employees to fear the consequences of not achieving objectives and to circumvent processes
or engage in fraudulent activity or corruption.

Excessive pressures are most commonly associated with:

 Unrealistic performance targets, particularly for short-term results
 Conflicting objectives of different stakeholders
 Imbalance between rewards for short-term financial performance and rewards for longer-term objectives, such
as corporate sustainability goals

For example, pressure to generate sales levels that are not commensurate with market opportunities can lead
sales managers to falsify numbers or engage in bribery or other illicit acts. Pressures to demonstrate the
profitability of investments can cause traders to take off-strategy risks to cover incurred losses. Similarly,
pressures to rush a product to market and generate revenues quickly may cause personnel to take shortcuts on
product development or safety testing, which can be harmful to consumers or lead to poor acceptance or
impaired reputation.

To align individual and business unit objectives to those of the entity, the organization considers how risks are
taken and managed as a basis for compensation and other rewards. For example, as traders take risks on
behalf of their clients and the organization, they are aware that their remuneration, advancement, and position
can be boosted, reduced, or lost depending on their performance. Incentive structures that fail to adequately
consider the risks associated with the business model can cause inappropriate behavior.

Other business changes, such as changes in strategy, organizational design, and acquisition/divestiture activity,
also create pressures. Management and the board need to understand those pressures and balance them with
appropriate messaging and incentives and rewards. Management and the board set and adjust as appropriate
the pressures on incentives and rewards when assigning responsibilities, designing performance measures, and
evaluating performance. It is management's responsibility to guide those to whom they have delegated authority
to make appropriate decisions in the course of doing business. For example, organizations often view financial
performance, development of competencies, and timely and accurate reporting to stakeholders as their most
critical objectives for the viability of the business. They also expect management, other personnel, and
outsourced service providers and business partners to preserve at all times the quality of products or services
delivered, safety of personnel performing its functions, and other factors that could create a moral hazard or
damage the entity's reputation.

Performance Evaluation and Reward

Just as performance objectives are cascaded down from the board of directors to the chief executive officer,
senior management, and other personnel, performance evaluation is conducted at each of these levels. The
board of directors evaluates the performance of the chief executive officer, who in turn evaluates that of the
senior management team, and so on. At each level, adherence to standards of conduct and expected levels of
competence are evaluated, and rewards are allocated or disciplinary action is exercised as appropriate.
Rewards may be in the form of money, equity, recognition, or career progression. The results of these
evaluations are communicated and acted upon with rewards or sanctions as applicable to influence desired
behavior.

Compensation policies and practices are based on the compensation philosophy of the organization, which
considers the competitive positioning it seeks to achieve (the methods and levels of incentive and compensation
needed to attract the highest-caliber talent relative to offers from industry peers). Compensation and other
rewards are awarded on the basis of performance evaluation, competencies, and skill acquisition, as well as
available market pricing information, with the goal of retaining high performers and encouraging attrition of lower-
end performers. Human resources manages the process of obtaining, processing, and communicating the
relevant information to appropriate levels of management and other personnel.

Performance is measured in relation to the achievement of objectives and the ability to manage within risk
tolerance levels considering both the short and long term. As such, it considers both historical (retrospective)
and forward-looking (prospective) risks.

Footnotes

9 The Framework uses the term "board of directors," which encompasses the governing body, including
board, board of trustees, general partners, owner, or supervisory board.

6. Risk Assessment

Chapter Summary

Every entity faces a variety of risks from external and internal sources. Risk is defined as the possibility that an
event will occur and adversely affect the achievement of objectives. Risk assessment involves a dynamic and
iterative process for identifying and assessing risks to the achievement of objectives. Risks to the achievement
of these objectives from across the entity are considered relative to established risk tolerances. Thus, risk
assessment forms the basis for determining how risks will be managed. A precondition to risk assessment is the
establishment of objectives, linked at different levels of the entity. Management specifies objectives within
categories relating to operations, reporting, and compliance with sufficient clarity to be able to identify and
analyze risks to those objectives. Management also considers the suitability of the objectives for the entity. Risk
assessment also requires management to consider the impact of possible changes in the external environment
and within its own business model that may render internal control ineffective.

Principles relating to the Risk Assessment component

6. The organization specifies objectives with sufficient clarity to enable the identification and assessment of risks
relating to objectives.

7. The organization identifies risks to the achievement of its objectives across the entity and analyzes risks as a
basis for determining how the risks should be managed.

8. The organization considers the potential for fraud in assessing risks to the achievement of objectives.

9. The organization identifies and assesses changes that could significantly impact the system of internal
control.

Introduction

All entities, regardless of size, structure, nature, or industry, encounter risks at all levels. Risk is defined in the
Framework as the possibility that an event will occur and adversely affect the achievement of objectives.

The use of the term "adversely" in this definition does not ignore positive variances relating to an event or series
of events. Large positive variances may still create adverse impacts to objectives. For instance, consider a
company that forecasts sales of 1,000 units and sets production schedules to achieve this expected demand.
Management considers the possibility that actual orders will exceed this forecast. Actual orders of 1,500 units
would likely not impact the sales objectives but might adversely impact production costs (through incremental
overtime needed to meet increased volumes) or customer satisfaction targets (through increased back orders
and wait times). Consequently, selling more units than planned may adversely impact objectives other than the
sales objective.

As part of the process of identifying and assessing risks, an organization may also identify opportunities, which
are the possibility that an event will occur and positively affect the achievement of objectives. These
opportunities are important to capture and to communicate to the objective-setting processes. For instance, in
the above example, management would channel new sales opportunities to the objective-setting processes.
However, identifying and assessing potential opportunities such as new sales opportunities is not a part of
internal control.

Risk affects an entity's ability to succeed, compete within its industry, maintain its financial strength and positive
reputation, and maintain the overall quality of its products, services, and people. There is no practical way to
reduce risk to zero. Indeed, the decision to be in business incurs risk. Management must determine how much
risk is to be prudently accepted, strive to maintain risk within these levels, and understand how much tolerance it
has for exceeding its target risk levels.

Risk often increases when objectives differ from past performance and when management implements change.
An entity often does not set explicit objectives when it considers its performance to be acceptable. For example,
an entity might view its historical service to customers as acceptable and therefore not set specific goals on
maintaining current levels of service. However, as part of the risk assessment process, the organization does
need to have a common understanding of entity-level objectives relevant to operations, reporting, and
compliance and how those cascade into the organization.

Risk Tolerance

Risk tolerance is the acceptable level of variation in performance relative to the achievement of objectives.
Operating within risk tolerance provides management with greater confidence that the entity will achieve its
objectives. Risk tolerance may be expressed in different ways to suit each category of objectives. For instance,
when considering financial reporting, risk tolerance is typically expressed in terms of materiality,10 whereas for
compliance and operations, risk tolerance is often expressed in terms of the acceptable level of variation in
performance.

Risk tolerance is normally determined as part of the objective-setting process, and as with setting objectives,
setting tolerance levels is a precondition for determining risk responses and related control activities.
Management may exercise significant discretion in setting risk tolerance and managing risks when there are no
external requirements. However, when there are external requirements, such as those relating to external
reporting and compliance objectives, management considers risk tolerance within the context of established
laws, rules, regulations, and external standards.

As well, senior management considers the relative importance of the competing objectives and differing priorities
for pursuing these objectives. For instance, a chief operating officer may view operations objectives as requiring
a higher level of precision than materiality considerations in reporting objectives, and vice versa for the chief
financial officer. However, it would be problematic for public companies to overemphasize operational objectives
to an extent that adversely impacts the reliability of financial reporting. These views are considered as part of the
strategic-planning and objective-setting process with tolerances set accordingly. This kind of decision may also
impact the level of resources allocated to pursuing the achievement of those respective objectives.

Performance measures are used to help an entity operate within established risk tolerance. Risk tolerance is
often best measured in the same unit as the related objectives. For example, an entity:

• Targets on-time delivery at 98%, with acceptable variation in the range of 97% to 100%
• Targets training with 90% of those taking the training attaining a pass rate, but accepts that only 75% may pass
• Expects staff to respond to all customer complaints within twenty-four hours, but accepts that up to 10% of complaints may receive a response within thirty-six hours

Specifies Suitable Objectives

Principle 6: The organization specifies objectives with sufficient clarity to enable the identification and
assessment of risks relating to objectives.

Points of Focus

The following points of focus highlight important characteristics relating to operations, reporting, and compliance
objectives:

Operations Objectives

• Reflects Management's Choices — Operations objectives reflect management's choices about structure, industry considerations, and performance of the entity.
• Considers Tolerances for Risk — Management considers the acceptable levels of variation relative to the achievement of operations objectives.
• Includes Operations and Financial Performance Goals — The organization reflects the desired level of operations and financial performance for the entity within operations objectives.
• Forms a Basis for Committing of Resources — Management uses operations objectives as a basis for allocating resources needed to attain desired operations and financial performance.

External Financial Reporting Objectives

• Complies with Applicable Accounting Standards — Financial reporting objectives are consistent with accounting principles suitable and available for that entity. The accounting principles selected are appropriate in the circumstances.
• Considers Materiality — Management considers materiality in financial statement presentation.
• Reflects Entity Activities — External reporting reflects the underlying transactions and events to show qualitative characteristics and assertions.

External Non-Financial Reporting Objectives

• Complies with Externally Established Standards and Frameworks — Management establishes objectives consistent with laws and regulations, or standards and frameworks of recognized external organizations.
• Considers the Required Level of Precision — Management reflects the required level of precision and accuracy suitable for user needs and as based on criteria established by third parties in non-financial reporting.
• Reflects Entity Activities — External reporting reflects the underlying transactions and events within a range of acceptable limits.

Internal Reporting Objectives

• Reflects Management's Choices — Internal reporting provides management with accurate and complete information regarding management's choices and information needed in managing the entity.
• Considers the Required Level of Precision — Management reflects the required level of precision and accuracy suitable for user needs in nonfinancial reporting objectives, and materiality within financial reporting objectives.
• Reflects Entity Activities — Internal reporting reflects the underlying transactions and events within a range of acceptable limits.

Compliance Objectives

• Reflects External Laws and Regulations — Laws and regulations establish minimum standards of conduct that the entity integrates into compliance objectives.
• Considers Tolerances for Risk — Management considers the acceptable levels of variation relative to the achievement of compliance objectives.

Specifying Objectives

A precondition to risk assessment is the establishment of objectives, linked at various levels of the entity. These
objectives align with and support the entity in the pursuit of its strategic direction. While setting strategies and
objectives is not part of the internal control process, objectives form the basis on which risk assessment
approaches are implemented and performed and subsequent control activities are established. As part of
internal control, management specifies objectives and groups them within broad categories at all levels of the
entity, relating to operations, reporting, and compliance. The grouping of objectives within these categories
allows for the risks to the achievement of those objectives to be identified and assessed.

In affirming the suitability of objectives, management may consider such matters as:

• Alignment of established objectives with strategic priorities
• Articulation of risk tolerances for objectives
• Alignment between established objectives and established laws, rules, regulations, and standards applicable to the entity
• Articulation of objectives using terms that are specific, measurable or observable, attainable, relevant, and time-bound
• Cascading of objectives across the entity and its subunits

• Alignment of objectives to other circumstances that require specific focus by the entity
• Affirmation of suitable objectives within the objective-setting process before those objectives are used as the basis for risk assessments

Where objectives within these categories are unclear, where it is unclear how these objectives support the
strategic direction, where there are concerns that the objectives are not suitable based on the facts,
circumstances, and established laws, rules, regulations, and standards applicable to the entity, or where the
organization would be basing its risk assessment on understood but unapproved objectives, management
communicates this concern for input to the strategy-setting and objective-setting process.

Operations Objectives

Operations objectives reflect management choices within the particular business, industry, and economic
environments in which the entity functions. For instance, a municipal government sets out several operations
objectives, each supported by initiatives and criteria. Among its objectives are to, for example:

• Implement five public engagement activities for greenhouse gas reductions within the next twelve months
• Increase seatbelt use by 30%, reduce speeding by 10% in general and 20% in school zones, and reduce intersection encroachment by 25%
• Implement water rates relative to industrial and residential consumption patterns within five years

A for-profit entity may set operations objectives that focus on the efficient uses of resources. For instance, a
larger retailer has among its objectives to:

• Provide customers with a broad range of merchandise at prices consistently lower than its competitors
• Increase inventory turnover ratio to twelve times per year within the next two quarters
• Lower its CO2 emissions by 5% and reduce and recycle packaging material by 10% over the next year

As part of operations objectives, management also specifies risk tolerance set during the objective-setting
process. For operations objectives, risk tolerance may be expressed in relation to the acceptable level of
variation relative to the objective.

Goals and Resources

A clear set of operations objectives provides a clear focus on which the entity will commit substantial resources
needed to attain desired performance goals. These include goals relating to financial performance, which pertain
to all types of entities. A for-profit entity may focus on revenue, profitability, liquidity, or some other measure,
while a not-for-profit or governmental agency may have less financial emphasis overall, but still pursue goals
relating to revenue, liquidity, and spending. If an entity's operations objectives are not clear or well conceived, its
resources may be misdirected.

Reporting Objectives

Reporting objectives pertain to the preparation of reports that encompass reliability, timeliness, transparency, or
other terms as set forth by regulators, standard-setting bodies, or by the entity's policies. This category includes
external financial reporting, external non-financial reporting, internal financial reporting, and internal non-financial
reporting. External reporting objectives are driven primarily by laws, rules, regulations, and standards
established by governments, regulators, standard-setting bodies, and accounting bodies. Internal reporting
objectives are driven by the entity's strategic directions, and by reporting requirements and expectations
established by management and the board of directors.

External Financial Reporting Objectives

Complies with Accounting Standards

Entities need to achieve financial reporting objectives to meet external obligations. Published financial
statements and financial information are necessary for accessing capital markets and may be critical to the
awarding of contracts or to dealing with suppliers. Investors, analysts, and creditors may use financial
statements and other financial information to assess the entity's performance and to compare it with peers and
alternative investments.

Financial reporting objectives are consistent with accounting principles suitable and available for that entity and
appropriate in the circumstances. External financial reporting objectives address the preparation of financial
statements for external purposes, including published financial statements, other financial statements and
reports, and other forms of external financial reporting derived from an entity's financial or management
accounting books and records.

• Financial statements for external purposes are prepared in accordance with applicable accounting standards, rules, and regulations. These financial statements may include annual and interim financial statements, condensed financial statements, and selected financial information derived from such statements. These statements may, for instance, be publicly filed with a regulator, distributed through annual meetings, posted to an entity's website, or distributed through other electronic media.
• Other financial statements and reports may be prepared in accordance with other bases of accounting and are typically driven by taxing authorities, governmental agencies, or by requirements established through contracts and agreements. Financial statements and reports may be distributed to specified external users (e.g., reporting to a bank on financial covenants established in a loan agreement, to a taxing authority in connection with filing tax returns, to a funding agency by a not-for-profit entity where such statements are not made public).
• Other external financial reporting derived from an entity's financial and management accounting books and records rather than from financial statements for external purposes may include earnings releases, selected financial information posted to an entity's website, and selected amounts reported in regulatory filings. External financial reporting objectives relating to such other financial information may not be driven directly by standard setters and regulators, but are typically expected by stakeholders to align with such standards and regulations.

Qualitative Characteristics

External financial reporting reflects transactions and events to show the qualitative characteristics and assertions
that underlie financial statements established by the respective accounting standard setters. There are many
sources of such characteristics and assertions relating to financial reporting.

External financial statements may be considered in terms of fundamental characteristics and enhancing
characteristics.11,12

Fundamental characteristics refer to relevance and faithful representation, as follows:

• Relevance — information that is capable of making a difference in user decisions
• Faithful Representation — information that is complete, neutral, and free from error

Enhancing characteristics refer to comparability, verifiability, timeliness, and understandability, as follows:

• Comparability — information that can be compared with similar information about other entities and with similar information about the same entity for another period or another date
• Verifiability — different knowledgeable and independent observers reaching consensus, although not necessarily complete agreement, that a particular depiction is a faithful representation
• Timeliness — having information available to decision-makers in time to be of use
• Understandability — information that is classified, characterized, and presented clearly and concisely

Inherent in relevance is the concept of "financial statement materiality." Materiality sets the threshold for
determining whether a financial amount is relevant. Information is material if its omission or misstatement could
influence the decisions of users taken on the basis of the financial reporting. Materiality depends on the size of
the item or error judged in the particular circumstances of its omission or misstatement. With external financial
reporting, materiality reflects the required level of precision and accuracy suitable for external users' needs and
presents the underlying entity activities, transactions, and events within the range of acceptable limits.13

Reliability is another frequently used qualitative characteristic associated with external financial reporting
objectives. Reliability involves preparing external financial statements that are free of material error and bias.
Reliability is also necessary for the information to faithfully represent the transactions or other events it purports
to represent. External reporting also reflects the required level of precision and accuracy suitable for internal
needs and the underlying entity activities, presenting transactions, and events within a range of acceptable
limits.

The qualitative characteristics noted above are applied along with suitable accounting standards and financial
statement assertions. These assertions typically fall into the categories relating to:

• Classes of transactions and events for the period
• Account balances at the period end
• Presentation and disclosure

External Non-Financial Reporting Objectives

Complies with Laws, Rules, Regulations, Standards, and Frameworks

Management may report information externally consistent with laws, rules, regulations, non-financial standards
or frameworks. For example, where management seeks to manage its impact on sustainable development, it
may prepare and publish a sustainability report that provides information about economic, environmental, and
social performance. Another entity may apply chain-of-custody standards through which its products are
distributed from their origin in the forest to their end use. The entity attains an annual certification that
demonstrates its responsible production and consumption of forest products and publicly reports this
information.

Considers Precision and Reflects Activities

Non-financial reporting, as with financial reporting:

• Classifies and summarizes information in a reasonable manner and at the appropriate level of detail so that it is neither too detailed nor too condensed
• Reflects the underlying entity activities
• Presents transactions and events within the required level of precision and accuracy suitable for user needs
• Uses criteria established by the third parties and as set out in external standards or frameworks, as appropriate

Internal Reporting Objectives

Reliable internal reporting, including balanced scorecards and performance dashboards, provides management
with accurate and complete information needed to manage the organization. It supports management's decision
making and monitoring of the entity's activities and performance. Examples of internal reports include results of
marketing programs, daily sales flash reports, production quality, and employee and customer satisfaction
results. Internal reporting objectives are based on preferences, judgment, and management style.

Internal reporting objectives vary among entities because different organizations have different goals, strategic
directions, and levels of risk tolerance. As with external reporting, internal reporting reflects the required level of
precision and accuracy suitable for internal needs and the underlying entity activities, presenting transactions
and events within a range of acceptable limits.

Many organizations will apply external standards to assist in managing their operations. Such standards may
relate to the control over technology, human resource management, or records management. However, as
standards that apply to external reporting may not apply to internal reporting, management may choose to set
different levels of acceptable variation for external and internal reporting.

As with other types of reporting, internal reporting:

• Uses criteria established by the third parties and as set out in external standards or frameworks, as appropriate
• Classifies and summarizes information in a reasonable manner and at the appropriate level of detail so that it is neither too detailed nor too condensed
• Reflects the underlying entity activities
• Presents transactions and events within the required level of precision and accuracy suitable for user needs

Compliance Objectives

Laws and regulations establish minimum standards of conduct that the entity integrates into its compliance
objectives. For example, occupational safety and health regulations might cause an entity to define its objective
as "package and label all chemicals in accordance with regulations." Policies and procedures would then deal
with communications programs, site inspections, and training relating to the entity's compliance objectives. And,
similar to external reporting objectives, management considers the acceptable levels of variation in performance
within the context of complying with laws and regulations. Such laws and regulations may cause management to
set lower levels of acceptable variation to remain in compliance with those laws and regulations.

Entities must conduct their activities, and often take specific actions, in accordance with applicable laws and
regulations. As part of specifying compliance objectives, the organization needs to understand which laws and
regulations apply across the entity. Many laws and regulations are generally well known, such as those relating
to reporting on anti-bribery, fair labor practices, and environmental compliance, but others may not be as well
known to the organization, such as those that apply to operations in a foreign territory.

Many laws and regulations depend on external factors and tend to be similar across all entities in some cases
and across an industry in others. These requirements may relate, for example, to markets, pricing, taxes, the
environment, employee welfare, or international trade. Many entities will establish objectives such as:

• Preventing and detecting criminal conduct and other wrongdoing
• Preparing and filing tax returns prior to the filing deadlines and in accordance with regulatory requirements
• Labeling nutritional information on food packaging in accordance with applicable guidelines
• Operating a vehicle fleet within maximum emission control requirements

Identifies and Analyzes Risk

Principle 7: The organization identifies risks to the achievement of its objectives across the entity and analyzes
risks as a basis for determining how the risks should be managed.

Points of Focus

The following points of focus highlight important characteristics relating to this principle:

• Includes Entity, Subsidiary, Division, Operating Unit, and Functional Levels — The organization identifies and assesses risks at the entity, subsidiary, division, operating unit, and functional levels relevant to the achievement of objectives.
• Analyzes Internal and External Factors — Risk identification considers both internal and external factors and their impact on the achievement of objectives.
• Involves Appropriate Levels of Management — The organization puts into place effective risk assessment mechanisms that involve appropriate levels of management.
• Estimates Significance of Risks Identified — Identified risks are analyzed through a process that includes estimating the potential significance of the risk.
• Determines How to Respond to Risks — Risk assessment includes considering how the risk should be managed and whether to accept, avoid, reduce, or share the risk.

Risk Identification

Identifying and analyzing risk is an ongoing iterative process conducted to enhance the entity's ability to achieve
its objectives. Although an entity might not explicitly state all objectives, this does not mean that an implied
objective is without either internal or external risk. Regardless of whether an objective is stated or implied, an
entity's risk assessment process should consider risks that may occur. This process is supported by a variety of
activities, techniques, and mechanisms, each relevant to overall risk assessment. Management develops and
implements controls relating to the conduct of such activities.

Management considers risks at all levels of the entity and takes the necessary actions to respond. An entity's
assessment considers factors that influence the severity, velocity, and persistence of the risk, likelihood of the
loss of assets, and the related impact on operations, reporting, and compliance activities. The entity also needs
to understand its tolerance for accepting risks and its ability to operate within those risk levels.

Risk identification must be comprehensive. It should consider all significant interactions — of goods, services,
and information — internal to an entity and between the entity and its relevant business partners and outsourced
service providers. These entities can include potential and existing suppliers, investors, creditors, shareholders,
employees, customers, buyers, intermediaries, and competitors, as well as public bodies and news media. In
addition, the organization should consider risks emanating from external factors such as new or amended laws
and regulations, environmental issues, or potential natural events.

Further, risks related primarily to one category of objectives may impact objectives in other categories. For
instance, a risk relating primarily to an operations objective for the timely production and delivery of a company's
product may also impact financial reporting if the company's sales contract contains penalties for late shipments.
In those instances where an organization is considering risks relating primarily to one category of objectives, for
instance financial reporting, the risk assessment process may need to consider objectives in other categories
that can also impact financial reporting objectives.

Risk identification is an iterative process and is often integrated with the planning process. However, it may be
useful to take a fresh look at the identified risks, and not merely default to making an inventory of risks as noted
in the previous review. The focus is on identifying all risks that potentially impact the achievement of objectives
as well as on emerging risks — those risks that are increasingly relevant and important to the entity and that
may be addressed by scanning and analyzing relevant risk factors, as remote as they may seem.

Considers Entity and Subunits

Risk identification considers risks at various levels of the organizational structure, including the overall entity and
its subunits, and processes such as sales, human resources, marketing, production, and purchasing. Entity-level
risk identification is typically conducted at a relatively high level and, generally, does not include assessing
transaction-level risks. Conversely, the identification of risks at a process level is inherently more detailed and
would include transaction-level risks.

In addition, risk assessment considers risks originating in outsourced service providers, key suppliers, and
channel partners that directly or indirectly impact the entity's achievement of objectives.

Internal and External Factors

Management considers risks in relation to internal and external factors. Risk is dynamic; therefore, to determine
the frequency of its risk assessment process, management generally considers the rate of change in risks to the
achievement of objectives, other operational priorities, and cost. Typically, the process is a combination of
ongoing and periodic risk assessments. If the rate of change relating to an objective or internal and external
factors increases, it is useful to accelerate the frequency of assessing the related risks or assess the risk on a
real-time basis.

Entity-Level Risks

Risks at the entity level can arise from external or internal factors. External factors may include:

• Economic — Changes that can impact financing, capital availability, and barriers to competitive entry
• Natural Environment — Natural or human-caused catastrophes or ongoing climate change that can lead to changes in operations, reduced availability of raw materials, or loss of information systems, highlighting the need for contingency planning
• Regulatory — A new financial reporting standard that can require different or additional reporting by a legal entity, management operating model, or line of business; a new anti-trust law or regulation that can force changes in operating or reporting policies and strategies
• Foreign Operations — A change in the government of a foreign country of operation that can result in new laws and regulations or altered tax regimes
• Social — Changing customer needs or expectations that can affect product development, production process, customer service, pricing, or warranties
• Technological — Developments that can affect the availability and use of data, infrastructure costs, and the demand for technology-based services

Internal factors include:

• Infrastructure — Decisions on the use of capital resources that can affect operations and the ongoing availability of infrastructure
• Management Structure — A change in management responsibilities that can affect the way certain controls are effected
• Personnel — The quality of personnel hired and methods of training and motivation that can influence the level of control consciousness within the entity; expiration of labor agreements that can affect the availability of staff
• Access to Assets — The nature of the entity's activities and employee accessibility to assets that can contribute to misappropriation of resources
• Technology — A disruption in information systems processing that can adversely affect the entity's operations

Identifying external and internal factors that contribute to risk at an entity level is critical to comprehensive risk
assessment. Once the major factors have been identified, management can then consider their relevance and
significance and, where possible, link these factors to specific risks and activities.

For example, an importer of apparel and footwear established an entity-level objective of becoming an industry
leader in high-quality fashion merchandise. The entity considered general risks such as the impact of
deterioration in economic conditions, market acceptance of products, new competitors in the entity's market, and
changes in environmental or regulatory laws and regulations. In addition, the entity considered risks at the entity
level such as:

• Supply sources, including the quality, quantity, and stability of foreign manufacturers
• Exposures to fluctuations in the value of foreign currencies
• Timeliness of receiving shipments and delays in customs inspections
• Availability and reliability of shipping companies and costs
• Likelihood of international hostilities and trade embargoes

• Pressures from customers and investors to boycott doing business in a foreign country whose government
adopts unacceptable policies
• Expectations from consumers or local stakeholders toward use of natural resources

Transaction-Level Risks

Risks are identified at the transaction level within subsidiaries, divisions, operating units, or functions, including
business processes such as sales, purchasing, production, and marketing. Dealing with risks at this level helps
focus on the achievement of objectives and/or sub-objectives that have cascaded down from the entity-level
objectives. Successfully assessing risk at the transaction level also contributes to maintaining acceptable levels
at the entity level.

In most instances, many different risks can be identified. In a procurement process, for example, an entity may
have an objective related to maintaining adequate raw materials inventory. The risks to not achieving this
objective might include suppliers providing materials that do not meet specifications or are not delivered in
needed quantities, on time, or at acceptable prices. These risks might affect entity-level objectives pertaining to
the way specifications for purchased goods are communicated to vendors, the use and appropriateness of
production forecasts, identification of alternative supply sources, and negotiation practices.

Potential causes of failing to achieve an objective range from the obvious to the obscure. Certainly, readily
apparent risks that significantly affect the entity should be identified. To avoid overlooking relevant risks, this
identification is best made apart from assessing the likelihood of the risk occurring. There are, however, practical
limitations to the identification process, and often it is difficult to determine where to draw the line. For example, it
may not make sense to conduct a detailed assessment of the risk of a meteor falling from space onto an entity's
production facility, while it may be reasonable for a facility located near an airport to consider in some detail the
risk of an airplane crash.

Risk Analysis

After risks have been identified at both the entity level and the transaction level, a risk analysis needs to be
performed. The methodology for analyzing risks can vary, largely because many risks are difficult to quantify.
Nonetheless, the process — which may be more or less formal — usually includes assessing the likelihood of
the risk occurring and estimating its impact. In addition, the process could consider other criteria to the extent
management deems necessary.

Levels of Management

As with other processes within internal control, responsibility and accountability for risk identification and
analysis processes reside with management at the overall entity and its subunits. The organization puts into
place effective risk assessment mechanisms that involve appropriate levels of management with expertise.

Significance of Risk

As part of risk analysis, the organization assesses the significance of risks to the achievement of objectives and
sub-objectives. Organizations may assess significance using criteria such as:

• Likelihood of risk occurring and impact
• Velocity or speed to impact upon occurrence of the risk
• Persistence or duration of time of impact after occurrence of the risk

"Likelihood" and "impact" are commonly used terms, although some entities use instead "probability," "severity,"
"seriousness," or "consequence." "Likelihood" represents the possibility that a given event will occur, while
"impact" represents its effect. Sometimes the words take on more specific meaning, with "likelihood" indicating
the possibility that a given risk will occur in qualitative terms such as "high," "medium," and "low," and
"probability" indicating a quantitative measure such as a percentage, frequency of occurrence, or other
numerical metric.

Risk velocity refers to the pace with which the entity is expected to experience the impact of the risk. For
instance, a manufacturer of consumer electronics may be concerned about changing customer preferences and
compliance with radio frequency energy limits. Failing to manage either of these risks may result in significant
erosion in the entity's value, even to the point of being put out of business. In this instance, changes in regulatory
requirements develop much more slowly than do changes in customer preferences.

Management often uses performance measures to determine the extent to which objectives are being achieved,
and normally uses the same or a congruent unit of measure when considering the potential impact of a risk on
the achievement of a specified objective. An entity, for example, with an objective of maintaining a specified level
of customer service will have devised a rating or other measure for that objective — such as a customer
satisfaction index, number of complaints, or measure of repeat business. When assessing the impact of a risk
that might affect customer service — such as the possibility that the entity's website might be unavailable for a
time period — impact is best determined using the same measures.

A risk that does not have a significant impact on the entity and that is unlikely to occur generally does not require
a detailed risk response. A risk with a higher likelihood of occurrence and/or the potential of a significant impact,
on the other hand, typically results in considerable attention. But even those risks with a potentially high impact
that have a low likelihood will be considered, avoiding the notion that such risks "couldn't happen here," as even
low likelihood risks can occur. The importance of understanding risks assessed as having a low likelihood is
greater when the potential impact of the risk might persist over a longer period of time. For instance, the
long-term impact on the entity from environmental damage caused by the entity's actions may be viewed much
differently than the long-term impact of losing technology processing in a manufacturing plant for several days.

Estimates of significance of the risk often are determined by using data from past events, which provides a more
objective basis than entirely subjective estimates. Internally generated data based on an entity's own experience
may be more relevant and provide better results than data from external sources. Even in these circumstances,
however, external data can be useful as a checkpoint or to enhance the analysis.

For example, a company's management assessing the risk of production stoppages because of equipment
failure looks first at frequency and impact of previous failures of its own manufacturing equipment. It then
supplements that data with industry benchmarks. This allows a more precise estimate of likelihood and impact of
failure, enabling more effective preventive maintenance scheduling. Note, too, that using data from past events
can provide incomplete conclusions where events occur infrequently.

In addition, management may wish to assess risks using a time horizon consistent with the time horizon of the
related objectives. Because the objectives of many entities focus on the short- to mid-term, management analyzes
risks associated with those time frames. However, some objectives extend to the longer term, and management
must not ignore those risks that might be further into the future.

Inherent and Residual Risk

Management considers both inherent and residual risk. Inherent risk is the risk to the achievement of entity
objectives in the absence of any actions management might take to alter either the risk's likelihood or impact.
Residual risk is the risk to the achievement of objectives that remains after management's responses have been
developed and implemented. Risk analysis is applied first to inherent risk. Once risk responses have been
developed, as discussed below, management then considers residual risk. Assessing inherent risk in addition to
residual risk can assist the organization in understanding the extent of risk responses needed.

Risk Response

Once the potential significance of risks has been assessed, management considers how the risk should be
managed. This involves applying judgment based on assumptions about the risk and reasonable analysis of
costs associated with reducing the level of risk. The response need not necessarily result in the least amount of
residual risk. But where a risk response would result in residual risk exceeding levels acceptable to management
and the board, management revisits and revises the response. Accordingly, the balancing of risk and risk
tolerance may be iterative. Risk responses fall within the following categories:

• Acceptance — No action is taken to affect risk likelihood or impact.
• Avoidance — Exiting the activities giving rise to risk; may involve exiting a product line, declining expansion to a
new geographical market, or selling a division.
• Reduction — Action is taken to reduce risk likelihood or impact, or both; typically involves any of myriad
everyday business decisions.

• Sharing — Reducing risk likelihood or impact by transferring or otherwise sharing a portion of the risk; common
techniques include purchasing insurance products, forming joint ventures, engaging in hedging transactions, or
outsourcing an activity.

In relation to risk response, management should consider:

• The potential effect on risk significance and which response options align with the entity's risk tolerance
• Requisite segregation of duties to enable the response to achieve the intended reduction in significance
• Costs versus benefits of potential responses

Evaluating Risk Response Options

In evaluating response options, management considers significance, including the effect on both likelihood and
impact of the risk, recognizing that a response might affect them differently. For example, consider a company
with a data center located in a region with heavy storm activity. It establishes a business continuity plan, which,
while having no effect on the likelihood of a storm occurring, mitigates the impact of building damage or
personnel being unable to get to work should a storm occur. On the other hand, the choice to move the
computer center to another region will not reduce the impact of a comparable storm, but could reduce the
likelihood of a similar storm occurring near that new location.

Resources always have constraints, and entities must consider the relative costs and benefits of alternative risk
response options. Before installing additional procedures, management should consider carefully whether
existing ones may be suitable for addressing identified risks. Because procedures may satisfy multiple
objectives, management may discover that additional actions are not warranted or that existing procedures may
be sufficient or simply need to be performed to a higher standard.

Selected Responses

There is a distinction between risk assessment, which is part of internal control, and the choice of specific risk
responses and the related plans, programs, or other actions, which are part of the management process and not
internal controls. Internal control does not encompass ensuring that the optimal risk response is chosen. For
instance, the management of one entity may choose to share technology risk by outsourcing certain aspects of
its technology processing with an entity experienced in that field (recognizing that this may also introduce new
risks to the organization), while another entity may choose to retain its technology processing and develop
general controls over activities for managing related technology risks. Neither of these choices should be viewed
as right or wrong, as both can be effective at managing technology risks. But where a risk response would result
in the residual risk exceeding risk tolerances for any category of objectives, management revisits and revises the
response accordingly.

Once management has chosen to reduce or share a risk, then it can determine actions to respond to the risk
and select and develop associated control activities. The nature and extent of the risk response and any
associated control activities will depend, at least in part, on the desired level of risk mitigation (which is the focus
of Chapter 7). In some instances, management may select a response that requires action within another
component of internal control — for instance enhancing a part of the control environment.

Typically, control activities are not needed when an entity chooses to either accept or avoid a specific risk. For
instance, a mining company with significant commodity price risk may decide to accept the risk as it believes that
investors are aware of and accept price risk exposure. In this case, management would not implement control
activities relating to commodity price exposures, but would likely implement control activities relating to other
external financial reporting assertions, including completeness and valuation. There may, however, be instances
where the organization decides to avoid a risk, and chooses to develop control activities in order to avoid that
risk. For instance, to avoid concerns over possible fair trade practices, an organization may implement control
activities barring purchasing from certain entities. Management may also need to review the level of risk in light
of changes that make it no longer desirable to accept that risk, for instance if the risk exceeds the organization's
risk tolerance. When management chooses not to assess a risk or does not identify a risk, it is tantamount to
accepting the risk without considering potential changes in the related level of risk and whether that risk remains
within its risk tolerance.

Assesses Fraud Risk

Principle 8: The organization considers the potential for fraud in assessing risks to the achievement of
objectives.

Points of Focus

The following points of focus highlight important characteristics relating to this principle:

• Considers Various Types of Fraud — The assessment of fraud considers fraudulent reporting, possible loss
of assets, and corruption resulting from the various ways that fraud and misconduct can occur.
• Assesses Incentive and Pressures — The assessment of fraud risk considers incentives and pressures.
• Assesses Opportunities — The assessment of fraud risk considers opportunities for unauthorized acquisition,
use, or disposal of assets, altering of the entity's reporting records, or committing other inappropriate acts.
• Assesses Attitudes and Rationalizations — The assessment of fraud risk considers how management and
other personnel might engage in or justify inappropriate actions.

Types of Fraud

Risk assessment includes management's assessment of the risks relating to the fraudulent reporting and
safeguarding of the entity's assets. In addition, management considers possible acts of corruption, both by entity
personnel and by outsourced service providers directly impacting the entity's ability to achieve its objectives.

The actions being conducted as part of applying this principle link closely to the preceding principle (Identifies
and Analyzes Risks), which assesses risks based on the presumption that the entity's expected standards of
ethical conduct are adhered to by management, other personnel, and outsourced service providers. This
principle, Assesses Fraud Risk, assesses risk in a different context, when an individual's actions may not align
with the expected standards of conduct. Management may also consider the point of focus relating to the
principle Identifies and Analyzes Risk when developing, implementing, and conducting internal control. For
instance, responses to risks identified as part of this principle fall within the same categories noted above
(accept, avoid, reduce, and share). And, as above, the selection and development of controls to effect specific
risk responses chosen by management is essential to mitigating fraud risks.

Fraudulent Reporting

Fraudulent reporting can occur when an entity's reports are wilfully prepared with omissions or misstatements.
These events may occur through unauthorized receipts or expenditures, financial misconduct, or other
disclosure irregularities. A system of internal control over financial reporting is designed and implemented to
prevent or detect, in a timely manner, a material omission from or misstatement of the financial statements due
to error or fraud.

When assessing risks to the achievement of financial reporting objectives, organizations typically consider the
potential for fraud in the following areas:

• Fraudulent Financial Reporting — An intentional act designed to deceive users of external financial reports and
that may result in a material omission from or misstatement of such financial reports
• Fraudulent Non-Financial Reporting — An intentional act designed to deceive users of non-financial reporting,
including sustainability reporting, health and safety, or employment activity, and that may result in reporting with
less than the intended level of precision
• Misappropriation of Assets — Theft of the entity's assets where the effect may cause a material omission or
misstatement in the external financial reports
• Illegal Acts — Violations of laws or governmental regulations that could have a material direct or indirect impact
on the external financial reports

As part of the risk assessment process, the organization should identify the various ways that fraudulent
reporting can occur, considering:

• Management bias, for instance in selecting accounting principles
• Degree of estimates and judgments in external reporting
• Fraud schemes and scenarios common to the industry sectors and markets in which the entity operates
• Geographic regions where the entity does business
• Incentives that may motivate fraudulent behavior
• Nature of technology and management's ability to manipulate information
• Unusual or complex transactions subject to significant management influence
• Vulnerability to management override and potential schemes to circumvent existing control activities

There may be instances where the organization is not able to directly manage the information captured for
financial reporting, yet is expected to have controls within the entity that identify, analyze, and respond to that
particular risk. For instance, management of a software vendor may not be able to prevent personnel within an
on-line retailer from underreporting sales numbers to reduce payments to the software vendor. However, the
software company can implement control activities to detect such reporting by comparing new software
registration levels to sales volumes.

Further, risks pertaining to the complete and accurate recording of asset losses in the entity's financial
statements represent a reporting objective. More specifically related to financial reporting, omission or
misstatements may arise from failing to record the loss of assets, manipulating the financial statements to
conceal such a loss, or recording transactions outside the appropriate reporting period. For instance, an entity
may hold its books open for an extended time after a period end to include additional sales, improperly account
for intercompany transfers of inventory, or manipulate the amortization of its capital assets.

Safeguarding of Assets

Safeguarding of assets refers to protecting against the unauthorized and wilful acquisition, use, or disposal of
assets. The inappropriate use of an entity's assets occurs to benefit an individual or group. The unauthorized
acquisition, use, and disposal of assets may relate to activities such as illegal marketing, theft of assets, theft of
intellectual property, late trading, and money laundering.

Safeguarding of assets typically relates to operations objectives, although certain aspects may relate to other
categories of objectives. In terms of operations, management may consider the inappropriate use of an entity's
assets and other resources including intellectual property and preventing loss through theft, waste, or neglect.
An entity may also lose value of its assets through inefficiency or what turns out to be simply bad business
decisions — such as selling a product at too low a price, or extending credit to bad risks. These situations relate
to the operations objectives but are not directly linked to safeguarding of assets.

Where legal or regulatory requirements apply, management considers risks relating to safeguarding of assets in
relation to compliance objectives. For example, an entity may intentionally prepare inaccurate regulatory
reporting statements to avoid inspection and penalties.

Regardless of what objective may be affected, the responsibility and accountability for loss prevention and
anti-fraud policies and procedures reside with management of the entity and its subunits in which the risk resides.

Corruption

In addition to assessing risks relating to the safeguarding of assets and fraudulent reporting, management
considers possible corruption occurring within the entity. Corruption is generally relevant to the compliance
category of objectives but could very well influence the control environment that also affects the entity's external
financial reporting objectives. This includes considering incentives and pressures to achieve objectives while
demonstrating adherence to expected standards of conduct and the effect of the control environment,
specifically actions linked to Principle 4 (Demonstrates Commitment to Competence) and Principle 5 (Enforces
Accountability). Aspects of corruption that are considered in an external financial reporting context typically
relate to illegal acts that are considered in government statutes relevant to the activity.

In assessing possible corruption, the entity is not expected to directly manage the actions of personnel within
third-party organizations, including those relating to outsourced operations, customers, suppliers, or advisors.
However, depending on the level of risk assessed within this component, management may stipulate the
expected level of performance and standards of conduct through contractual relations, and develop control
activities that maintain oversight of third-party actions. Where necessary, management responds to unusual
actions detected in others.

Management Override

Management override describes action taken to override an entity's controls for an illegitimate purpose including
personal gain or an enhanced presentation of an entity's financial condition or compliance status. For example,
to allow a large shipment of goods to a customer with unacceptable credit in order to increase revenue, a
manager improperly overrides internal control by approving the sale transaction placed on credit hold by a
supervisor who conducted the control properly. Actions to override are typically not documented or disclosed,
because the intent is to cover up the actions.

Management override should not be confused with management intervention, which represents action that
departs from controls designed for legitimate purposes. At times, management intervention is necessary to deal
with non-recurring and non-standard transactions or events that otherwise might be handled inappropriately.
Providing for management intervention is necessary because controls cannot be designed to anticipate and
mitigate every risk. Management's actions to intervene are generally overt and documented or otherwise
disclosed to appropriate personnel.

As part of assessing fraud risk, management assesses the risk of management override of internal control. The
board of directors or subset of the board (e.g., audit committee) oversees this assessment and challenges
management depending on the circumstances. The entity's control environment can significantly influence the

risk of management override. This is especially important for smaller entities where senior management may be
very involved in conducting many controls.

Factors Impacting Fraud Risk

Incentives and Pressures

Assessing the risk of fraud includes considering opportunities to commit fraud, as well as attitudes and
rationalizations. Where there is a loss of assets, fraudulent reporting, or corruption, there are typically incentives
and pressures, opportunities to access those assets, and attitudes and rationalizations that claim to justify the
action. Incentives and pressures often result from and relate to the control environment, as discussed in
Principle 5 (Enforces Accountability). As part of assessing fraud risk, the organization considers possible
incentives and pressures and the potential impact on fraud risk.

Opportunity

Opportunity refers to the ability to actually acquire, use, or dispose of assets, which may be accompanied by
altering the entity's records. Those involved in the inappropriate actions usually also believe that their activities
will not be detected. Opportunity is created by weak control activities and monitoring activities, poor
management oversight, and management override of control. For instance, the likelihood of a loss of assets or
fraudulent external reporting increases when there is:

• A complex or unstable organizational structure
• High turnover rates of employees within accounting, operations, risk management, internal audit, or technology
staff
• Ineffective design or poorly executed control activities
• Ineffective technology systems

Attitudes and Rationalizations

Attitudes and rationalizations by individuals engaging in or justifying inappropriate actions may include:

• A person labeling the use of resources as "borrowing", and fully intending to pay the stolen money back
• A person believing that something is owed to him or her because of job dissatisfaction (salary, job environment,
treatment by managers, etc.)
• A person not understanding or not caring about the consequences of his or her actions or of accepted notions of
decency and trust

Other Considerations in Fraud Risk Assessment

It is possible to mitigate the likelihood of a fraud-related risk by taking action within the other components of
internal control or by making changes to the entity's operating units, business processes, and activities. An entity
may choose to sell certain operations that are prone to having higher risks relating to individual conduct, cease
doing business in certain geographic locations, reallocate roles among personnel to enhance the segregation of
duties, or reorganize its business processes to avoid unacceptable risks. For example, the risk of
misappropriation of funds may be reduced by implementing a central payment processing function with greater
segregation of duties instead of having only a few staff process payments at each of the entity's locations. The
risk of corruption may be reduced by closely monitoring the entity's procurement process. The risk of financial
statement fraud may be reduced by establishing shared services centers to provide accounting services to
multiple segments, affiliates, or geographic locations of an entity's operations. A shared services center may be
less vulnerable to influence by local operations managers and may be able to cost effectively implement more
extensive anti-fraud programs.

When management detects fraudulent reporting, inadequate safeguarding of assets, or corruption, some form of
remediation will be necessary. In addition to dealing directly with the improper actions, it may be necessary to
take remediation steps within the risk assessment process or amend actions undertaken as part of other
components of internal control.

Identifies and Analyzes Significant Change

Principle 9: The organization identifies and assesses changes that could significantly impact the system of
internal control.

Points of Focus

The following points of focus highlight important characteristics relating to this principle:

• Assesses Changes in the External Environment — The risk identification process considers changes to the
regulatory, economic, and physical environment in which the entity operates.
• Assesses Changes in the Business Model — The organization considers the potential impacts of new
business lines, dramatically altered compositions of existing business lines, acquired or divested business
operations on the system of internal control, rapid growth, changing reliance on foreign geographies, and new
technologies.
• Assesses Changes in Leadership — The organization considers changes in management and respective
attitudes and philosophies on the system of internal control.

Assessing Change

As economic, industry, and regulatory environments change, the scope and nature of an entity's leadership,
priorities, business model, organization, business processes, and activities need to adapt and evolve. Internal
control effective within one set of conditions may not necessarily be effective when those conditions change
significantly. As part of risk assessment, management identifies changes that could significantly impact the

entity's system of internal control and takes action as necessary. Thus, every entity will require a process to
identify and assess those internal and external factors that can significantly affect its ability to achieve its
objectives.

This process will parallel, or be a part of, the entity's regular risk assessment process. It involves identifying the
changes to any significant assumption or condition. It requires having controls in place to identify and
communicate changes that can affect the entity's objectives — and assess the associated risks. Such analysis
includes identifying potential causes of achieving or failing to achieve an objective, assessing the likelihood that
such causes will occur, evaluating the probable effect on achievement of the objectives, and considering the
degree to which the risk can be managed.

Although the process by which an entity manages change is similar to, if not a part of, its regular risk
assessment process, it is discussed separately. This is because it is important to effective internal control and
because it can too easily be overlooked or given insufficient attention in the course of dealing with everyday
issues.

Management develops approaches to identify significant changes in any material assumption or condition that
have taken place or will shortly occur. To the extent practicable, these mechanisms are forward looking, so an
entity can anticipate and plan for significant changes. Early warning systems should be in place to identify
information signaling new risks that can have a significant impact on the entity. Management also develops and
implements controls relating to the conduct of such approaches.

This focus on change is founded on the premise that, because of their potential impact, certain conditions should
be the subject of special consideration. The extent to which such conditions require management's attention, of
course, depends on the effect they may have in particular circumstances.

External Environment

• Changing External Environment — A changing regulatory or economic environment can result in increased
competitive pressures, changes in operating requirements, and significantly different risks. Large-scale
operations, reporting, and compliance failures by one entity may result in the rapid introduction of broad new
regulations. For instance, the release of harmful materials near populated or environmentally sensitive areas
may result in new industry-wide transportation restrictions that impact an entity's shipping logistics; external
information that is viewed as having poor transparency may result in enhanced regulatory reporting
requirements for all publicly traded companies; and the poor treatment of elderly patients in a care facility may
prompt additional care requirements for all care facilities. Each of these changes may require an organization to
closely examine the design of its internal control system.
• Changing Physical Environment — Natural disasters directly impacting the entity, supply chain, and other
business partners may result in elevated risks that an entity needs to consider to sustain its business. An
organization, for example, may need to find alternative sources of raw material or move production.

Business Model

• Changing Business Model — When an entity enters new business lines, alters the delivery of its services
through new outsourced relationships, or dramatically alters the composition of existing business lines,
previously effective internal controls may no longer be relevant. The composition of the risks initially assessed
as the basis for establishing internal controls may have changed, or the potential impact of those risks may have
increased so that prior internal controls are no longer sufficient. Some financial services organizations, for
example, may have expanded into new products and concentrations without focusing on how to respond to
changes in the associated risks of their products.
• Significant Acquisitions and Divestitures — When an entity decides to acquire business operations, it may need
to review and standardize internal controls across the expanded entity. Controls in place in the pre-acquisition
operations may not be well developed, suitable for the newly combined entity, or scalable to operation in the
new business. Similarly, when an operation is disposed of, the level of acceptable variation may change in
operations, and materiality may decrease. In addition, certain entity-level controls at the disposed business
operation may no longer be present. Both the acquisition and divestiture of a business may require the
organization to review and possibly revise its internal controls to support the achievement of objectives as
appropriate to the restructured entity.
• Foreign Operations — The expansion or acquisition of foreign operations carries new and often unique risks.
Developing business in new geographies or outsourcing operations to foreign locations may help the business
to grow and/or reduce costs, but it may also present new challenges and alter the type and extent of the risks.
Operating in unfamiliar markets poses risk because there are different customs and practices. For instance, the
control environment in a new environment is likely to be influenced by the local culture and customs. Business
risks may result from factors unique to the local economy and regulatory environment and channels of
communication.
• Rapid Growth — When operations expand significantly and quickly, existing structures, business processes,
information systems, or resources may be strained to the point where internal controls break down. For
instance, adding manufacturing shifts to meet demand or increasing back-office personnel may result in those
responsible for supervision being unable to adapt to the higher activity levels and maintain adequate control.
• New Technology — When new technology is incorporated into production, service delivery processes, or
supporting information systems, internal controls will likely need to be modified. For instance, introducing sales
capabilities through mobile devices may require access controls specific to that technology as well as changes
in controls over shipping processes.

Leadership Changes

• Significant Personnel Changes — A member of senior management new to an entity may not understand the
entity's culture and reflect a different philosophy or may focus solely on performance to the exclusion of control-related
activities. For instance, a newly hired chief executive officer focusing on revenue growth may send a
message that a prior focus on effective internal control is now less important. Further, high turnover of
personnel, in the absence of effective training and supervision, can result in breakdowns. For instance, a
company that reduces its staffing levels by 25% in an attempt to reduce costs may erode the overall internal
control structure.

Footnotes

10 Regulators and standard-setting bodies define the term "materiality." Management develops an
understanding of materiality as defined by laws, rules, and standards when applying the Framework in
the context of such laws, rules, and standards.

11 Derived from International Financial Reporting Standards.

12 Some jurisdictions may describe financial statement assertions using terms such as "existence or
occurrence," "completeness, valuation or allocation," "rights and obligations," and "presentation and
disclosure."

13 Derived from International Financial Reporting Standards. Some jurisdictions may use different
descriptions of financial statement materiality.

7. Control Activities

Chapter Summary

Control activities are the actions established through policies and procedures that help ensure that
management's directives to mitigate risks to the achievement of objectives are carried out. Control activities are
performed at all levels of the entity, at various stages within business processes, and over the technology
environment. They may be preventive or detective in nature and may encompass a range of manual and
automated activities such as authorizations and approvals, verifications, reconciliations, and business
performance reviews. Segregation of duties is typically built into the selection and development of control
activities. Where segregation of duties is not practical, management selects and develops alternative control
activities.

Principles relating to the Control Activities component

10. The organization selects and develops control activities that contribute to the mitigation of risks to the
achievement of objectives to acceptable levels.

11. The organization selects and develops general control activities over technology to support the achievement
of objectives.

12. The organization deploys control activities through policies that establish what is expected and in procedures
that put policies into action.

Introduction

Control activities serve as mechanisms for managing the achievement of an entity's objectives and are very
much a part of the processes by which an entity strives to achieve those objectives. They do not exist simply for
their own sake or because having them is the right or proper thing to do.

Control activities can support one or more of the entity's operations, reporting, and compliance objectives. For
example, an on-line retailer's controls over the security of its information technology affect the processing of
accurate and valid transactions with consumers, the protection of consumers' confidential credit card
information, and the availability and security of its website. In this case, control activities are necessary to
support the reporting, compliance, and operations objectives.

Selects and Develops Control Activities

Principle 10: The organization selects and develops control activities that contribute to the mitigation of risks to
the achievement of objectives to acceptable levels.

Points of Focus

The following points of focus highlight important characteristics relating to this principle:

• Integrates with Risk Assessment — Control activities help ensure that risk responses that address and
mitigate risks are carried out.
• Considers Entity-Specific Factors — Management considers how the environment, complexity, nature, and
scope of its operations, as well as the specific characteristics of its organization, affect the selection and
development of control activities.
• Determines Relevant Business Processes — Management determines which relevant business processes
require control activities.
• Evaluates a Mix of Control Activity Types — Control activities include a range and variety of controls and
may include a balance of approaches to mitigate risks, considering both manual and automated controls, and
preventive and detective controls.
• Considers at What Level Activities Are Applied — Management considers control activities at various levels
in the entity.
• Addresses Segregation of Duties — Management segregates incompatible duties, and where such
segregation is not practical management selects and develops alternative control activities.

Integration with Risk Assessment

Control activities support all the components of internal control, but are particularly aligned with the Risk
Assessment component. Along with assessing risks, management identifies and puts into effect actions needed
to carry out specific risk responses. Typically, control activities are not needed when an entity chooses to either
accept or avoid a specific risk. There may, however, be instances where the organization decides to avoid a risk
and chooses to develop control activities to avoid that risk. The action to reduce or share a risk serves as a focal
point for selecting and developing control activities. The nature and extent of the risk response and any
associated control activities will depend, at least in part, on the desired level of risk mitigation acceptable to
management.

Control activities are those actions that help ensure that responses to assessed risks, as well as other
management directives such as establishing standards of conduct in the control environment, are carried out
properly and in a timely manner. For example, suppose a company sets an operations objective "to meet or
exceed sales targets for the ensuing reporting period," and management identifies a risk that the organization's
personnel have insufficient knowledge about current and potential customers' needs. Management's response to
address this identified risk includes developing buying histories for existing customers and undertaking market
research initiatives to increase the organization's understanding of how to attract potential customers. Control
activities might include tracking the progress of the development of the customer buying histories against
established timetables, and taking steps to help ensure the quality of the reported marketing data.

Relevant Business Processes

When determining what actions to put in place to mitigate risk, management considers all aspects of the entity's
internal control components and the relevant business processes, information technology, and locations where
control activities are needed. This may require considering control activities outside the operating unit, including
shared service or data centers, and processes or functions performed in outsourced service providers. For
example, entities may need to establish control activities to address the integrity of the information sent to and
received from the outsourced service provider.

Entity-Specific Factors

Because each entity has its own set of objectives and implementation approaches, there will be differences in
objectives, risk, risk responses, and related control activities. Even if two entities have identical objectives and
structures, their control activities could be different. Each entity is managed by different people with different
skills who use individual judgment in effecting internal control. Moreover, controls reflect the environment and
industry in which an entity operates, as well as the complexity of its organization, its history and culture, and the
nature and scope of its operations.

Entity-specific factors can impact the control activities needed to support the system of internal control. For
instance:

• The environment and complexity of an entity, and the nature and scope of its operations, both physically and
logically, affect its control activities.
• Highly regulated entities generally have more complex risk responses and control activities than less-regulated
entities.
• The scope and nature of risk responses and control activities for multinational entities with diverse operations
generally address a more complex internal control structure than those of a domestic entity with less-varied
activities.
• An entity with a sophisticated enterprise resource planning (ERP) system will have different control activities
than an entity that uses an off-the-shelf computer accounting system.
• An entity with decentralized operations and an emphasis on local autonomy and innovation presents different
control circumstances than another whose operations are constant and highly centralized.

Business Process Control Activities

Business processes are established across the entity to enable organizations to achieve their objectives. These
business processes may be common to all businesses (such as purchasing, payables, or sales processing) or
unique to a particular industry (such as claims processing, trust services, or drilling operations). Each of these
processes transforms inputs into outputs through a series of transactions or activities.14 Control activities that
directly support the actions to mitigate transaction processing risks in an entity's business processes are often
called "application controls" or "transaction controls."15

Transaction controls are the most fundamental control activities in an entity since they directly address risk
responses in the business processes in place to meet management's objectives. Transaction controls are
selected and developed wherever the business process may reside, ranging from the organization's financial
consolidations process at the entity level to the customer support process at a particular operating unit.

A business process will likely cover many objectives and sub-objectives, each with its own set of risks and risk
responses. A common way to consolidate these business process risks into a more manageable form is to group
them according to the information-processing objectives16 of completeness, accuracy, and validity.

The following information-processing objective definitions are used in the Framework.17

• Completeness — Transactions that occur are recorded. For instance, an organization can mitigate the risk of not
processing all transactions with vendors by selecting actions and transaction controls that support all invoice
transactions being processed within the accounts payable business process.
• Accuracy — Transactions are recorded at the correct amount in the right account (and on a timely basis) at each
stage of processing. For instance, transaction controls over data elements and master data, such as the item
price in the vendor master file, can address the accuracy of processing a purchasing transaction. Accuracy in
the context of an operational process can be defined to cover the broader concept of quality (e.g., the accuracy
and precision of a manufactured part).
• Validity — Recorded transactions represent economic events that actually occurred and were executed
according to prescribed procedures. Validity is generally achieved through control activities that include the
authorization of transactions as specified by an organization's established policies and procedures (i.e.,
approval by a person having the authority to do so). In an operational context, the parts used in making an
automobile are obtained from an authorized supplier.

The risk of untimely transaction processing may be considered a separate risk or included as part of the
completeness or accuracy information-processing objective. Restricted access is an important consideration for
most business processes and is often included as an information-processing objective because without
appropriately restricting access over transactions in a business process, the control activities in that business
process can be overridden and segregation of duties may not be achieved.

Restricted access is especially important where technology is integral to an organization's processes or
business. For example, many organizations use ERP applications. Configuring the security in these applications
to address restricted access can become very complex and requires technical knowledge and a structured
approach. Considerations for restricted access are discussed in more detail under the Security Management
Processes section of Principle 11.

While the information-processing objectives are most often associated with financial processes and transactions,
the concept can be applied to any activity in an organization. For instance, a candy maker will strive to have
control activities in place to help ensure that all the ingredients are included in its cooking process
(completeness), in the right amounts (accuracy), and from approved vendors whose products passed quality
testing (validity).

As another example, the information-processing objectives and related control activities also apply to
management's decision-making processes over critical judgments and estimates. In this situation, management
should consider the completeness of the identification of significant factors affecting estimates for which it must
develop and support assumptions. Similarly, management should consider the validity and reasonableness of
those assumptions and the accuracy of its estimation models.

This does not mean that if management considers the information-processing objectives the organization will
never make a faulty judgment or estimate; judgments and estimates are always subject to human error.
However, when appropriate control activities are in place, and the information management uses is, in its
judgment, accurate, complete, and valid, then the likelihood of better decision making is improved.

Types of Transaction Control Activities

A variety of transaction control activities can be selected and developed, including the following:

• Authorizations and Approvals — An authorization affirms that a transaction is valid (i.e., it represents an actual
economic event or is within an entity's policy). An authorization typically takes the form of an approval by a
higher level of management or of verification and a determination if the transaction is valid. For example, a
supervisor approves an expense report after reviewing whether the expenses seem reasonable and within
policy. An example of an automated approval is where an invoice unit cost is automatically compared with the
related purchase order unit cost within a pre-established tolerance level. Invoices within the tolerance level are
automatically approved for payment. Those invoices outside the tolerance level are flagged for additional
investigation.
• Verifications — Verifications compare two or more items with each other or compare an item with a policy, and
perform a follow-up action when the two items do not match or the item is not consistent with policy. Examples
include computer matching or a reasonableness check. Verifications generally address the completeness,
accuracy, or validity of processing transactions.
• Physical Controls — Equipment, inventories, securities, cash, and other assets are secured physically (e.g., in
locked or guarded storage areas with physical access restricted to authorized personnel) and are periodically
counted and compared with amounts shown on control records.
• Controls over Standing Data — Standing data, such as the price master file, is often used to support the
processing of transactions within a business process. Control activities over the processes to populate, update,
and maintain the accuracy, completeness, and validity of this data are put in place by the organization.
• Reconciliations — Reconciliations compare two or more data elements and, if differences are identified, action is
taken to bring the data into agreement. For example, a reconciliation is performed over daily cash flows with net
positions reported centrally for overnight transfer and investment. Reconciliations generally address the
completeness and/or accuracy of processing transactions.
• Supervisory Controls — Supervisory controls assess whether other transaction control activities (i.e., particular
verifications, reconciliations, authorizations and approvals, controls over standing data, and physical control
activities) are being performed completely, accurately, and according to policy and procedures. Management
normally uses judgment to select and develop supervisory controls over higher risk transactions. For instance, a
supervisor may review18 whether an accounting clerk performs a reconciliation according to policy. This can be
a high-level review (e.g., checking if the reconciliation spreadsheet has been completed) or a more detailed
review (e.g., checking to see if any reconciling items have been followed up and corrected or an appropriate
explanation is provided).

Control activities can be preventive or detective, and organizations usually select a mix. The major difference is
the timing of when the control activity occurs. A preventive control is designed to avoid an unintended event or
result at the time of initial occurrence (e.g., upon initially recording a financial transaction or upon initiating a
manufacturing process). A detective control is designed to discover an unintended event or result after the initial
processing has occurred but before the ultimate objective has concluded (e.g., issuing financial reports or
completing a manufacturing process). In both cases the critical part of the control activity is the action taken to
correct or avoid an unintended event or result.

When selecting and developing control activities, the organization considers the precision of the control activity
— that is, how exact it will be in preventing or detecting an unintended event or result. For example, suppose the
purchasing manager of a company reviews all purchases over $1 million. This control activity may mitigate the
risk of errors over $1 million, helping to cap the entity's exposure, but it does not cover all transactions. In
contrast, an automated edit check that compares prices on all purchase orders to the price master file and
produces a report of variances that is reviewed by a purchasing supervisor addresses accuracy for all
transactions. Control activity precision is closely linked to the organization's risk tolerance for a particular
objective (i.e., the tighter the risk tolerance, the more precise the actions to mitigate the risk and the related
control activities need to be).

When selecting and developing control activities it is important to understand what a particular control is
designed to accomplish (i.e., the specific risk response the control addresses) and whether it has been
developed and implemented as designed to mitigate the risk. For example, in one entity sales orders undergo an
automated or manual edit check that matches a customer's billing address and zip code to information in a
standing data file of valid customer relationships. If the match fails, corrective action is taken. This control activity
helps achieve the accuracy information-processing objective.

However, it does not help achieve the completeness information-processing objective (i.e., whether all approved
sales orders are being processed). Another control activity, such as sequentially numbering approved sales
orders and then checking if all have been processed, would be needed to address completeness.
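
The precision comparison in the preceding paragraphs (a manager's review of purchases over $1 million versus an automated edit check of every purchase order against the price master) and the completeness check by sequential numbering can be shown side by side. The following is an added illustration, not code from the Framework; the price master, purchase orders, and the list of processed sales-order numbers are constructed sample data.

```python
"""Automated edit checks for the accuracy and completeness information-
processing objectives. Added illustration, not the Framework's own code;
all sample data below is constructed."""
from dataclasses import dataclass
from decimal import Decimal

# Constructed price master file: item -> authorized unit price.
PRICE_MASTER = {
    "A100": Decimal("12.50"),
    "B200": Decimal("7.25"),
    "C300": Decimal("99.00"),
}


@dataclass(frozen=True)
class PurchaseOrder:
    number: int
    item: str
    unit_price: Decimal
    quantity: int


# Constructed purchase orders for the period under review.
SAMPLE_ORDERS = [
    PurchaseOrder(1001, "A100", Decimal("12.50"), 10),
    PurchaseOrder(1002, "B200", Decimal("7.52"), 400),     # transposed digits, small order
    PurchaseOrder(1003, "C300", Decimal("99.00"), 20000),  # large order, correct price
    PurchaseOrder(1004, "Z999", Decimal("5.00"), 1),       # item missing from master
]

# Constructed list of sales-order numbers actually processed; approved
# sales orders were numbered 5001..5006, so one never made it through.
PROCESSED_SALES_ORDERS = [5001, 5002, 5003, 5005, 5006]


def price_variances(orders, price_master=PRICE_MASTER):
    """Accuracy check covering every order: compare each PO unit price with
    the price master and return the variances as the report a purchasing
    supervisor would review (a detective control over all transactions)."""
    report = []
    for po in orders:
        master_price = price_master.get(po.item)
        if master_price is None:
            report.append((po.number, po.item, "no master price"))
        elif po.unit_price != master_price:
            report.append((po.number, po.item,
                           f"PO {po.unit_price} vs master {master_price}"))
    return report


def threshold_review(orders, limit=Decimal("1000000")):
    """The manager's review of purchases over a limit, for contrast: it caps
    exposure but never sees orders whose value is below the limit, however
    wrong their price may be."""
    return [po.number for po in orders if po.unit_price * po.quantity > limit]


def missing_sequence_numbers(processed, first, last):
    """Completeness check: every number in the approved range first..last
    must appear among the processed orders; gaps are returned for follow-up."""
    seen = set(processed)
    return [n for n in range(first, last + 1) if n not in seen]


if __name__ == "__main__":
    print("price variances:", price_variances(SAMPLE_ORDERS))
    print("over-limit review sees only:", threshold_review(SAMPLE_ORDERS))
    print("unprocessed sales orders:",
          missing_sequence_numbers(PROCESSED_SALES_ORDERS, 5001, 5006))
```

Run against the constructed data, the edit check reports the mispriced order 1002 and the unknown item on order 1004, while the over-limit review sees only order 1003 (which is correctly priced); the sequence check reports sales order 5004 as unprocessed. Neither edit check says anything about validity, which is why the text pairs them with authorization controls.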

Technology and Control Activities

Control activities and technology19 relate to each other in two ways:

• Technology Supports Business Processes — When technology is embedded into the entity's business
processes, such as robotic automation in a manufacturing plant, control activities are needed to mitigate the risk
that the technology itself will not continue to operate properly to support the achievement of the organization's
objectives.
• Technology Used to Automate Control Activities — Many control activities in an entity are partially or wholly
automated using technology. These procedures are known as automated control activities or automated controls
in the Framework. Automated controls include financial process-related automated transaction controls, such
as a three-way match performed within an ERP system supporting the procurement and payables sub-
processes, and computerized controls in operational or compliance processes, such as checking the proper
functioning of a power plant. Sometimes the control activity is purely automated, such as when a system detects
an error in the transmission of data, rejects the transmission, and automatically requests a new transmission.
Other times there is a combination of automated and manual procedures. For example, the system
automatically detects the error in transmission, but someone has to manually initiate the re-transmission. In
other cases, a manual control depends on information from a system, such as computer-generated reports
supporting a budget-to-actual analysis.
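
The tolerance-based automated approval described under Authorizations and Approvals and the three-way match named in the bullet above are the same control seen from two angles: purchase order, goods receipt, and invoice are compared, and only invoices that agree within tolerance are released for payment while the rest are held for manual follow-up. The following is an added example, not code from the Framework or from any ERP product; the document layouts, the 2% tolerance, and the sample records are constructed.

```python
"""Automated approval of vendor invoices by three-way match with a price
tolerance. Added illustration, not the Framework's or any ERP vendor's
code; document layouts, tolerance and sample records are constructed."""
from dataclasses import dataclass
from decimal import Decimal
from enum import Enum


class Outcome(Enum):
    APPROVED = "approved for payment"    # fully automated path
    HOLD = "flagged for investigation"   # automated detection, manual follow-up


@dataclass(frozen=True)
class PurchaseOrder:
    po_number: str
    item: str
    quantity: int
    unit_cost: Decimal


@dataclass(frozen=True)
class GoodsReceipt:
    po_number: str
    item: str
    quantity_received: int


@dataclass(frozen=True)
class Invoice:
    invoice_id: str
    po_number: str
    item: str
    quantity_billed: int
    unit_cost: Decimal


# Constructed tolerance: an invoice unit cost may differ from the PO unit
# cost by up to 2% and still be approved without human review.
PRICE_TOLERANCE = Decimal("0.02")


def three_way_match(invoice, orders, receipts, tolerance=PRICE_TOLERANCE):
    """Return (Outcome, reasons). The invoice is approved only if it
    references an approved PO for the same item (validity), bills no more
    than was actually received (validity and accuracy), and its unit cost
    is within tolerance of the PO unit cost (accuracy). Anything else is
    held, with the reasons listed for the investigator."""
    po = orders.get(invoice.po_number)
    if po is None or po.item != invoice.item:
        return Outcome.HOLD, [f"no approved PO for {invoice.po_number}/{invoice.item}"]
    received = sum(r.quantity_received for r in receipts
                   if r.po_number == invoice.po_number and r.item == invoice.item)
    reasons = []
    if invoice.quantity_billed > received:
        reasons.append(f"billed {invoice.quantity_billed} but received {received}")
    if abs(invoice.unit_cost - po.unit_cost) > po.unit_cost * tolerance:
        reasons.append(f"unit cost {invoice.unit_cost} outside tolerance of PO {po.unit_cost}")
    return (Outcome.HOLD, reasons) if reasons else (Outcome.APPROVED, reasons)


# Constructed sample documents.
ORDERS = {"PO-1": PurchaseOrder("PO-1", "WIDGET", 100, Decimal("10.00"))}
RECEIPTS = [GoodsReceipt("PO-1", "WIDGET", 60), GoodsReceipt("PO-1", "WIDGET", 40)]
INVOICES = [
    Invoice("INV-1", "PO-1", "WIDGET", 100, Decimal("10.15")),  # 1.5% over PO: within tolerance
    Invoice("INV-2", "PO-1", "WIDGET", 100, Decimal("10.50")),  # 5% over PO: held
    Invoice("INV-3", "PO-1", "WIDGET", 120, Decimal("10.00")),  # billed more than received: held
    Invoice("INV-4", "PO-9", "WIDGET", 1, Decimal("1.00")),     # no such PO: held
]


def run_matching(invoices=INVOICES, orders=ORDERS, receipts=RECEIPTS):
    """Apply the match to every invoice; returns {invoice_id: outcome name}."""
    return {inv.invoice_id: three_way_match(inv, orders, receipts)[0].name
            for inv in invoices}


if __name__ == "__main__":
    for inv in INVOICES:
        outcome, reasons = three_way_match(inv, ORDERS, RECEIPTS)
        print(inv.invoice_id, outcome.value, reasons)
```

Each invoice is matched on its own here; a production control would also accumulate quantities already billed against the PO so that a second invoice for the same goods is held as well. The hold path is the "combination of automated and manual procedures" case the bullet describes: the system detects and flags, a person investigates and clears.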

Most business processes have a mix of manual and automated controls, depending on the availability of
technology in the entity. Automated controls tend to be more reliable, subject to whether technology general
controls, discussed later in this chapter, are implemented and operating, since they are less susceptible to
human judgment and error, and are typically more efficient.

Control Activities at Different Levels

In addition to controls that operate at the transaction-processing level, the organization selects and develops a
mix of control activities that operate more broadly and that typically take place at higher levels in the
organization. These broader control activities usually are business performance or analytical reviews20 involving
comparisons of different sets of operating or financial data. The relationships are analyzed and investigated and
corrective actions are taken when not in line with policy or expectations. Transaction controls and business
performance reviews at different levels work together to provide a layered approach to addressing the
organization's risks and are integral to the mix of controls within the organization.

For example, an operating unit may have business performance reviews over the procurement process that
include purchase price variances, the percentage of orders that are rush purchase orders, and the percentage of
returns to total purchase orders. By investigating any unexpected results or unusual trends, management may
detect circumstances where the underlying procurement objectives may not have been achieved.

Another form of business performance review occurs when senior management conducts reviews of actual
performance versus budgets, forecasts, prior periods, and competitor results. Major initiatives are tracked —
such as marketing programs, improvements to production processes, and cost containment or reduction
programs — to measure the extent to which targets are being reached. Management reviews the status of new
product development, joint venture opportunities, or financing needs. Management actions taken to analyze and
follow up on such reporting are control activities.

The scope of a business performance review (i.e., how many detailed risks it covers) will tend to be greater than
for a transaction control. Also, the span of the review across the organization will tend to be greater as a
business performance review is usually performed at higher levels in the organization than a transaction control.
However, to effectively respond to a set of risks, the review must be precise enough to detect all errors that
exceed the risk tolerance. A transaction control may address a single specific risk, whereas an operating unit
business performance review typically addresses a number of risks. For example, the business performance
review over rush purchase orders covers several risks in the procurement process but may not address risks
concerning the accuracy and completeness of processing specific transactions.

Most business performance reviews are detective in nature because they typically occur after transactions have
already taken place and been processed. So while higher-level controls are important in the mix of control
activities, it is difficult to fully and efficiently address business process risks without transaction controls.

Segregating Duties

When selecting and developing control activities management should consider whether duties are divided or
segregated among different people to reduce the risk of error or inappropriate or fraudulent actions. Such
consideration should include the legal environment, regulatory requirements, and stakeholder expectations. This
segregation of duties generally entails dividing the responsibility for recording, authorizing, and approving
transactions, and handling the related asset. For instance, a manager authorizing credit sales is not responsible
for maintaining accounts receivable records or handling cash receipts. If one person is able to perform all these
activities he or she could, for example, create a fictitious sale that could go undetected. Similarly, salespersons
should not have the ability to modify product price files or commission rates. A control activity in this area could
include reviewing access requests to the system to determine whether segregation of duties is being maintained.
For example, a request for a salesperson to have system access to modify product price files or commission
rates should be rejected.

The segregation of duties can address important risks relating to management override. Management override
circumvents existing controls and is an often-used means of committing fraud. The segregation of duties is
fundamental to mitigating fraud risks because it reduces, but can't absolutely prevent, the possibility of one
person acting alone. However, there is always the risk that management can override control activities. Collusion
is needed to perform fraudulent activities when key process responsibilities are divided between at least two
employees. Also, the segregation of duties reduces errors by having more than one person performing or
reviewing transactions in a process, increasing the likelihood of an error being found.

However, segregation is sometimes not practical, cost effective, or feasible. For instance, small companies may
lack sufficient resources to achieve ideal segregation, and the cost of hiring additional staff may be prohibitive. In
these situations, management institutes alternative[21] control activities. In the example above, if the salesperson
can modify product price files, a detective control activity can be put in place: personnel unrelated to the sales
function periodically review whether, and under what circumstances, the salesperson changed prices.
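The two controls described above, the preventive check that rejects an access request creating a conflict and the detective review that finds conflicts already present, can be expressed as a small rule set. The following is an added example, not code from the COSO Framework; the entitlement names, the conflict pairs and the three users are constructed for illustration and are not taken from any real system.

```python
"""Segregation-of-duties (SoD) checks on system access.

Added example: the conflict rules, entitlement names and users below are
constructed for illustration, not taken from any real system.
"""

# Pairs of entitlements that one person must not hold at the same time,
# with the risk that the combination creates. Constructed for this example.
SOD_CONFLICTS = {
    frozenset({"authorize_credit_sale", "maintain_ar_records"}):
        "could create a fictitious sale and record it",
    frozenset({"authorize_credit_sale", "handle_cash_receipts"}):
        "could approve a sale and divert the payment",
    frozenset({"maintain_ar_records", "handle_cash_receipts"}):
        "could pocket receipts and hide the shortfall in the ledger",
    frozenset({"sales_rep", "modify_price_file"}):
        "could lower prices on own sales",
    frozenset({"sales_rep", "modify_commission_rates"}):
        "could raise own commission",
}


def find_conflicts(entitlements):
    """Return every SoD rule violated by one person holding `entitlements`,
    as a sorted list of ((ent_a, ent_b), risk) tuples."""
    held = set(entitlements)
    return sorted(
        (tuple(sorted(pair)), risk)
        for pair, risk in SOD_CONFLICTS.items()
        if pair <= held
    )


def evaluate_request(current, requested):
    """Preventive control: decide an access request before it is provisioned.

    The request is rejected if granting it would introduce a conflict the
    user does not already have. Conflicts that already exist are not the
    request's fault; they are left for the detective review below.
    """
    before = find_conflicts(current)
    after = find_conflicts(set(current) | set(requested))
    new_conflicts = [c for c in after if c not in before]
    return {
        "decision": "reject" if new_conflicts else "approve",
        "conflicts": new_conflicts,
    }


def review_entitlements(user_entitlements):
    """Detective control: periodic scan of all current access for conflicts.
    Returns {user: conflicts} only for users with at least one conflict."""
    findings = {}
    for user, ents in user_entitlements.items():
        conflicts = find_conflicts(ents)
        if conflicts:
            findings[user] = conflicts
    return findings


# Constructed sample data: current entitlements per user.
USERS = {
    "alice": {"sales_rep"},
    "bob": {"authorize_credit_sale"},
    "carol": {"maintain_ar_records", "handle_cash_receipts"},  # existing violation
}

if __name__ == "__main__":
    # alice asks for price-file access: conflicts with her sales role -> reject
    print(evaluate_request(USERS["alice"], {"modify_price_file"}))
    # bob asks for read-only reporting: no rule involved -> approve
    print(evaluate_request(USERS["bob"], {"view_ar_reports"}))
    # the periodic review picks up carol's pre-existing conflict
    for user, conflicts in review_entitlements(USERS).items():
        print(user, conflicts)
```

The request check only blocks conflicts the request would create; a user who already holds a conflicting pair (carol here) is reported by the periodic review rather than by the next unrelated request, which is where an alternative control such as the independent price-change review would be attached.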

Selects and Develops General Controls over Technology

Principle 11: The organization selects and develops general control activities over technology to support the
achievement of objectives.

Points of Focus

The following points of focus highlight important characteristics relating to this principle:

• Determines Dependency between the Use of Technology in Business Processes and Technology
General Controls — Management understands and determines the dependency and linkage between business
processes, automated control activities, and technology general controls.
• Establishes Relevant Technology Infrastructure Control Activities — Management selects and develops
control activities over the technology infrastructure, which are designed and implemented to help ensure the
completeness, accuracy, and availability of technology processing.
• Establishes Relevant Security Management Process Control Activities — Management selects and
develops control activities that are designed and implemented to restrict technology access rights to authorized
users commensurate with their job responsibilities and to protect the entity's assets from external threats.
• Establishes Relevant Technology Acquisition, Development, and Maintenance Process Control
Activities — Management selects and develops control activities over the acquisition, development, and
maintenance of technology and its infrastructure to achieve management's objectives.

Dependency between the Use of Technology in Business Processes and Technology General Controls

The reliability of technology within business processes, including automated controls, depends on the selection,
development, and deployment of general control activities over technology, referred to from here on as
technology general controls.[22] Technology general controls over the acquisition and development of technology
are deployed to help ensure that automated controls work properly when first developed and implemented.
Technology general controls also help information systems continue to function properly after they are
implemented.

For instance, suppose an organization wants to deploy an automated matching and edit check control that
examines data entered on-line. If something does not match, or is in the wrong format, immediate feedback is
provided so that corrections can be made. Error messages indicate what is wrong with the data, and exception
reports allow for subsequent follow-up. Technology general controls over system development help ensure that
this automated control works properly when first designed and implemented (e.g., the edit checks follow the
business logic defined by management, the checks match data with the right transaction or standing data file,
any error message completely and accurately reflects what is wrong, and all exceptions are reported according
to the organization's policies).

Once this automated control is properly implemented, technology general controls help ensure its continued
operation (e.g., the right files are being used in the matching process and the files are complete and accurate).
Also, proper security control activities limit access to the system to only those who need it, reducing the
possibility of unauthorized edits to the files. Control activities over any changes to the technology help ensure
that it continues to function as designed.

As with other entity functions, processes are put in place to select, develop, operate, and maintain an entity's
technology. These processes may be limited to a few activities over the use of standard technology purchased
from an external party (e.g., a spreadsheet application) or expanded to support both in-house and externally
developed technology. Selected and developed control activities contribute to the mitigation of specific risks
surrounding the use of technology processes.

Technology General Controls

Technology general controls include control activities over the technology infrastructure, security management,
and technology acquisition, development, and maintenance.

They apply to all technology — from information technology applications on a mainframe computer; to
client/server, desktop, end-user computing, portable computer, and mobile device environments; to operational
technology, such as plant control systems or manufacturing robotics. The extent and rigor of control activities will
vary for each of
these technologies depending on various factors, such as the complexity of the technology and risk of the
underlying business process being supported. Similar to business transaction controls, technology general
controls may include both manual and automated control activities.

Technology Infrastructure

Technology requires an infrastructure in which to operate, ranging from communication networks for linking
technologies to each other and the rest of the entity, to the computing resources for applications to operate, to
the electricity to power the technology. The technology infrastructure can be complex. It may be shared by
different business units within the entity (e.g., a shared service center) or outsourced either to third-party service
organizations or to location-independent technology services (e.g., cloud computing). These complexities
present risks that need to be understood and addressed. Given the broad range of possible changes in the use
of technology likely to continue into the future, the organization needs to track these changes and assess and
respond to the new risks.

Control activities support the completeness, accuracy, and availability of technology processing. Whether the
infrastructure is batch scheduling for a mainframe computer, real-time processing in a client/server environment,
mobile wireless devices, or a sophisticated communications network, the technology is actively checked for
problems and corrective action taken when needed. Maintaining technology often includes backup and recovery
procedures, as well as disaster recovery plans, depending on the risks and consequences of a full or partial
outage.

Security Management Processes

Security management includes sub-processes and control activities over who and what has access to an entity's
technology, including who has the ability to execute transactions. They generally cover access rights at the data,
operating system (system software), network, application, and physical layers. Security controls over access
protect an entity from inappropriate access and unauthorized use of the system and support segregation of
duties. By preventing unauthorized use of and changes to the system, they protect data and program integrity
from malicious intent (e.g., someone breaking into the technology to commit fraud, vandalism, or terrorism) and
from simple error (e.g., a well-intentioned employee using a vacationing colleague's account to get work done and
executing a transaction erroneously or deleting a file because he or she is not properly trained in the work).

Security threats can come from both internal and external sources. The external threat is particularly important
for entities that depend on telecommunications networks and the Internet. Technology users, customers, and
malicious parties may be halfway around the world or down the hall. The many potential uses of technology and
points of entry underscore the importance of security management. External threats have become prevalent in
today's highly interconnected business environments, and continual effort is required to address these risks.

Internal threats may come from former or disgruntled employees, who pose unique risks because they may be
both motivated to work against the entity and better equipped to succeed in carrying out a malicious act, having
greater access to and knowledge of the entity's security management systems and processes. User access to
technology is generally controlled through authentication control activities, in which a unique user identification
or token is authenticated and checked against an approved list. Technology general controls are designed to
allow only the authorized users on that list. These control activities generally apply a policy of restricting
authorized users to the applications or functions commensurate with their job responsibilities and supporting an
appropriate segregation of duties. Control activities check requests for access against the approved list. Other
control activities update access when employees change job functions or leave the entity. A periodic review of
access rights against the policy is often used to check whether access remains appropriate. Access also needs
to be controlled when different technology elements are connected to each other.

Technology Acquisition, Development, and Maintenance Processes

Technology general controls support the acquisition, development, and maintenance of technology. For
example, a technology development methodology[23] provides a structure for system design and implementation,
outlining specific phases, documentation requirements, approvals, and checkpoints with controls over the
acquisition, development, and maintenance of technology. The methodology provides appropriate controls over
changes to technology, which may involve requiring authorization of change requests, verifying the entity's legal
right to use the technology in the manner in which it is being employed, reviewing the changes, approvals, and
testing results, and implementing protocols to determine whether changes are made properly.

In some companies the development methodology covers the continuum from large development projects to the
smallest changes. In other companies there is one distinct process for developing new technology and a
separate process for change management. In either case, a change management process will be in place to
track changes from initiation to final disposition. Changes may arise as a result of a problem in the technology
that needs to be fixed or a request from the user community.
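The change-control elements listed above (authorization of the request, review of test results, approval before release, and tracking from initiation to final disposition) can be enforced rather than merely documented. The following is an added example, not code from the COSO Framework or any vendor's change-management product: a small state machine whose phase names, role separation rules and sample change are constructed for illustration. It refuses transitions that skip a phase, lack evidence, or let one person both build and release a change, which is the segregation-of-duties point from Principle 10 applied to technology changes.

```python
"""Change-management gate for technology changes.

Added example with constructed phase names and policy rules; not taken
from any real change-management system.
"""
from dataclasses import dataclass, field

# Ordered phases a change passes through from initiation to final disposition.
PHASES = ["initiated", "authorized", "developed", "tested",
          "approved_for_release", "deployed", "closed"]


class ChangeControlError(Exception):
    """Raised when a transition would violate the change-control policy."""


@dataclass
class ChangeRecord:
    change_id: str
    requester: str
    description: str
    phase: str = "initiated"
    actors: dict = field(default_factory=dict)    # phase -> who moved it there
    evidence: dict = field(default_factory=dict)  # phase -> evidence attached

    def advance(self, to_phase, actor, evidence=None):
        """Move the change to the next phase if policy allows; return the new phase."""
        # Phases may not be skipped, and a closed change may not be reopened.
        idx = PHASES.index(self.phase)
        expected = PHASES[idx + 1] if idx + 1 < len(PHASES) else None
        if to_phase != expected:
            raise ChangeControlError(
                f"{self.change_id}: cannot go from {self.phase} to {to_phase}")

        # Authorization must come from someone other than the requester.
        if to_phase == "authorized" and actor == self.requester:
            raise ChangeControlError("requester cannot authorize own change request")

        # Test results are the evidence reviewed before release approval.
        if to_phase == "tested" and not evidence:
            raise ChangeControlError("test phase requires test results as evidence")

        # The release approver reviews the work and so must not be its developer.
        if to_phase == "approved_for_release" and actor == self.actors.get("developed"):
            raise ChangeControlError("release approver must be independent of development")

        # Production deployment is separated from development and leaves a record.
        if to_phase == "deployed":
            if actor == self.actors.get("developed"):
                raise ChangeControlError("developer cannot deploy own change to production")
            if not evidence:
                raise ChangeControlError("deployment requires a record of what was released")

        self.phase = to_phase
        self.actors[to_phase] = actor
        if evidence:
            self.evidence[to_phase] = evidence
        return self.phase


def is_refused(change, to_phase, actor, evidence=None):
    """Return True if policy refuses the transition (the record is left unchanged)."""
    try:
        change.advance(to_phase, actor, evidence)
    except ChangeControlError:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample change walked through the full life cycle.
    chg = ChangeRecord("CHG-1", "alice", "fix rounding in AR posting")
    chg.advance("authorized", "bob")
    chg.advance("developed", "dave")
    chg.advance("tested", "erin", evidence="test run 42: 18 passed, 0 failed")
    print("dave approving own change refused:",
          is_refused(chg, "approved_for_release", "dave"))
    chg.advance("approved_for_release", "bob")
    chg.advance("deployed", "frank", evidence="release 2024.03.1")
    chg.advance("closed", "alice")
    print(chg.phase, chg.actors)
```

Every accepted transition records who performed it, so the record itself is the audit trail that the review of changes, approvals and test results relies on.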

The technology general controls included in a development methodology will vary depending on the risks of the
technology initiative. A large or complex development initiative will generally have greater risks than a small or
simple initiative. The extent and rigor of the controls over the initiative should be sized accordingly.

One alternative to in-house development is the use of packaged software. Technology vendors provide flexible,
integrated systems allowing customization through the use of built-in options. Many technology development
methodologies address the acquisition of vendor packages as a development alternative and include the
necessary steps to provide control over their selection and implementation. Once a package is selected and
implemented, the technology general controls outlined above also apply to its ongoing development and
maintenance.

Another alternative is outsourcing. While in principle the same considerations apply whether controls are
performed internally or by an outsourced service provider, outsourcing presents unique risks and often requires
selecting and developing additional controls over the completeness, accuracy, and validity of information
submitted to and received from the outsourced service provider.

Deploys through Policies and Procedures

Principle 12: The organization deploys control activities through policies that establish what is expected and
procedures that put policies into action.

Points of Focus

The following points of focus highlight important characteristics relating to this principle:

• Establishes Policies and Procedures to Support Deployment of Management's Directives — Management
establishes control activities that are built into business processes and employees' day-to-day activities through
policies establishing what is expected and relevant procedures specifying actions.
• Establishes Responsibility and Accountability for Executing Policies and Procedures — Management
establishes responsibility and accountability for control activities with management (or other designated
personnel) of the business unit or function in which the relevant risks reside.
• Performs in a Timely Manner — Responsible personnel perform control activities in a timely manner as
defined by the policies and procedures.
• Takes Corrective Action — Responsible personnel investigate and act on matters identified as a result of
executing control activities.
• Performs Using Competent Personnel — Competent personnel with sufficient authority perform control
activities with diligence and continuing focus.
• Reassesses Policies and Procedures — Management periodically reviews control activities to determine their
continued relevance, and refreshes them when necessary.

Policies and Procedures

Policies reflect management's statement of what should be done to effect control. Such statements may be
documented, explicitly stated in communications, or implied through management's actions and decisions.
Procedures consist of actions that implement a policy.

Control activities specifically relate to those policies and procedures that contribute to the mitigation of risks to
the achievement of objectives to acceptable levels. A policy, for instance, might call for review of customer
trading activities by a securities dealer retail branch manager. The procedure is the review itself, performed in a
timely manner and with attention given to factors set forth in the policy, such as the nature and volume of
securities traded, and their relation to customer net worth and age.

Policies and procedures are often communicated orally. Unwritten policies can be effective where the policy is a
long-standing and well-understood practice, and in smaller organizations where communications channels
involve limited management layers and close interaction with and supervision of personnel. Though a cost-
effective alternative for some entities, unwritten policies and procedures can be easier to circumvent, be costly to
the organization if there is turnover in personnel, and can reduce accountability. When subject to external party
review, policies and procedures would be expected to be formally documented.[24]

But whether or not a policy is in writing, it must establish clear responsibility and accountability, which ultimately
resides with the management of the entity and subunit where the risk resides. Procedures should be clear on the
responsibilities of personnel performing the control activity. Also, policies need to be deployed thoughtfully and
conscientiously, and the related procedures must be timely and be performed diligently and consistently by
competent personnel.

Timeliness

The procedures should include the timing of when a control activity and any follow-up corrective actions are
performed. Untimely procedures can reduce the usefulness of the control activity. For example, a regular review
of user accounts for inappropriate access rights is conducted by the business process owner on a timely basis to
reduce the risk of unauthorized access to an acceptable level. Longer intervals between reviews increase the
potential for untimely detection of unauthorized access.
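The periodic review of user accounts described here, and the leaver, job-change and approved-list checks described under Security Management Processes above, amount to reconciling the accounts that exist in a system against the HR roster and the role policy. The following is an added example, not code from the COSO Framework: the roster, accounts, role policy and dates are constructed for illustration. Running it with a later as-of date shows the timeliness point directly: the same leaver's enabled account is reported with a longer exposure window.

```python
"""Periodic user access review (joiner / mover / leaver reconciliation).

Added example with constructed data: the HR roster, account list, role
policy and dates below are made up for illustration.
"""
from datetime import date


def run_access_review(hr_roster, accounts, role_policy, as_of, dormant_days=90):
    """Compare enabled system accounts with the HR roster and role policy.

    hr_roster:   {employee_id: {"status": "active" | "terminated",
                                "job": str, "terminated_on": date | None}}
    accounts:    {account_name: {"employee_id": str, "roles": set,
                                 "enabled": bool, "last_login": date | None}}
    role_policy: {job: set of roles that job may hold}
    Returns a list of findings, each {"account", "issue", "detail"}.
    """
    findings = []
    for name, acct in sorted(accounts.items()):
        if not acct["enabled"]:
            continue  # a disabled account grants no access; nothing to review
        person = hr_roster.get(acct["employee_id"])

        # Account with no HR record: nobody is accountable for it.
        if person is None:
            findings.append({"account": name, "issue": "orphan_account",
                             "detail": f"no HR record for {acct['employee_id']}"})
            continue

        # Leaver whose account was never disabled; report how long it has been open.
        if person["status"] == "terminated":
            days = (as_of - person["terminated_on"]).days
            findings.append({"account": name, "issue": "leaver_still_enabled",
                             "detail": f"terminated {days} days ago"})
            continue

        # Mover: roles that the person's current job is not permitted to hold.
        allowed = role_policy.get(person["job"], set())
        excess = sorted(acct["roles"] - allowed)
        if excess:
            findings.append({"account": name, "issue": "role_not_permitted_for_job",
                             "detail": f"job {person['job']} may not hold {excess}"})

        # Dormant account: access nobody is using is access nobody needs.
        last = acct["last_login"]
        if last is None or (as_of - last).days > dormant_days:
            detail = "never used" if last is None else f"unused for {(as_of - last).days} days"
            findings.append({"account": name, "issue": "dormant_account", "detail": detail})
    return findings


# Constructed sample data.
HR_ROSTER = {
    "E100": {"status": "active", "job": "sales_rep", "terminated_on": None},
    "E101": {"status": "active", "job": "ar_clerk", "terminated_on": None},
    "E102": {"status": "terminated", "job": "ar_clerk", "terminated_on": date(2024, 3, 1)},
    "E103": {"status": "active", "job": "warehouse", "terminated_on": None},
    "E104": {"status": "terminated", "job": "warehouse", "terminated_on": date(2024, 1, 15)},
}
ACCOUNTS = {
    "alice": {"employee_id": "E100", "roles": {"sales_rep"}, "enabled": True,
              "last_login": date(2024, 3, 20)},
    "bob": {"employee_id": "E101", "roles": {"ar_clerk", "credit_approver"},  # kept old role after job change
            "enabled": True, "last_login": date(2024, 3, 29)},
    "carol": {"employee_id": "E102", "roles": {"ar_clerk"}, "enabled": True,  # left, never disabled
              "last_login": date(2024, 2, 28)},
    "dave": {"employee_id": "E103", "roles": {"warehouse"}, "enabled": True,
             "last_login": date(2023, 10, 1)},
    "erin": {"employee_id": "E104", "roles": {"warehouse"}, "enabled": False,  # properly disabled
             "last_login": date(2024, 1, 10)},
    "svc_old": {"employee_id": "E999", "roles": {"batch_admin"}, "enabled": True,
                "last_login": None},
}
ROLE_POLICY = {
    "sales_rep": {"sales_rep"},
    "ar_clerk": {"ar_clerk"},
    "credit_manager": {"credit_approver"},
    "warehouse": {"warehouse"},
}

if __name__ == "__main__":
    for finding in run_access_review(HR_ROSTER, ACCOUNTS, ROLE_POLICY, date(2024, 3, 31)):
        print(finding)
```

The review interval bounds the detection delay: an account that should have been removed on the termination date stays usable until the next run, so the "terminated N days ago" detail grows with every review that is skipped.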

Corrective Action

In conducting a control activity, matters identified for follow-up should be investigated and, if appropriate,
corrective action taken. For example, consider a case where a reconciliation of cash accounts detects a
discrepancy in one of the accounts. The accounting clerk follows up with the person in charge of recording cash
and determines that a cash receipt was not posted properly. The receipt is reapplied and the correction is
reflected in the reconciliation.

Competence

A well-designed control activity generally cannot be conducted without competent personnel with sufficient
authority to perform the control activity. The level of competency required to perform a control activity will
depend on factors such as the complexity of the control activity and the complexity and volume of the underlying
transactions. Furthermore, a procedure will not be useful if performed by rote, without a sharp, continuing focus
on the risks to which the policy is directed. Sufficient authority may be needed to fully perform all aspects of the
control such as taking corrective action.

Periodic Reassessment

Management should periodically reassess policies and procedures and related control activities for continued
relevance and effectiveness, independently of any response to significant changes in the entity's risks or
objectives. Significant changes would be evaluated through the risk assessment process. Changes in people,
process, and technology may reduce the effectiveness of control activities or make some control activities
redundant. Whenever one of these changes occurs, management should reassess the relevance of the existing
controls and refresh them when necessary. For example, management may upgrade the purchasing module of
an ERP system and introduce automated transaction control activities that cause the old manual control
activities to be redundant and, hence, no longer necessary.

Footnotes

14 The term "transactions" tends to be associated with financial processes (e.g., payables transactions),
while "activities" is more generally applied to operational or compliance processes. For the purposes of
the Framework, the term "transactions" applies to both.

15 The term "transaction controls" is used in the Framework to refer to both manual and automated
controls.

16 While related in concept and terminology, information-processing objectives and financial statement
assertions are different. Financial statement assertions are specific to the reliability of financial
reporting, while information-processing objectives apply to transaction processing.

17 Information-processing objectives refers to an entity's goals for control activities and thus are sub-
objectives in the context of a system of internal control.

18 Supervisory reviews can be either control activities or monitoring activities. The difference is discussed
further in Chapter 9, Monitoring Activities.

19 "Technology" is a broad term. In the Framework its use applies to technology that is computerized,
including software applications running on a computer, manufacturing controls systems, etc.

20 Business performance reviews can be either control activities or monitoring activities. The difference is
discussed further in Chapter 9, Monitoring Activities.

21 The Framework prefers the term "alternative controls" over "compensating controls." The latter term has
been used to describe additional control activities put in place when segregation of duties could not be
achieved. However, this term has evolved to refer to control activities that mitigate the impact of an
identified control deficiency when evaluating the operating effectiveness of controls and is used in this
context in the Framework.

22 Terminology typically used to describe these controls includes "general computer controls," "general
controls," or "information technology controls." The term "technology general controls" is used here to
refer to "general control activities over technology."

23 There are many names for this process. One common name is "systems development life cycle"
(SDLC).

24 See the discussion on documentation in Chapter 4, Additional Considerations.

8. Information and Communication

Chapter Summary

Information is necessary for the entity to carry out internal control responsibilities to support the achievement of
its objectives. Management obtains or generates and uses relevant and quality information from both internal
and external sources to support the functioning of internal control. Communication is the continual, iterative
process of providing, sharing, and obtaining necessary information. Internal communication is the means by
which information is disseminated throughout the organization, flowing up, down, and across the entity. It
enables personnel to receive a clear message from senior management that control responsibilities must be
taken seriously. External communication is twofold: it enables inbound communication of relevant external
information and provides information to external parties in response to requirements and expectations.

Principles relating to the Information and Communication component

13. The organization obtains or generates and uses relevant, quality information to support the functioning of
internal control.

14. The organization internally communicates information, including objectives and responsibilities for internal
control, necessary to support the functioning of internal control.
15. The organization communicates with external parties regarding matters affecting the functioning of internal
control.

Introduction

The Information and Communication component of the Framework supports the functioning of all components of
internal control. In combination with the other components, Information and Communication supports the
achievement of the entity's objectives, including objectives relevant to internal and external reporting. Controls
within Information and Communication support the organization's ability to use the right information within the
system of internal control and to carry out internal control responsibilities.

Information is the data that is combined and summarized based on relevance to information requirements.
Information requirements are determined by the ongoing functioning of the other internal control components,
taking into consideration the expectations of all users, both internal and external. Information systems support
informed decision making and the functioning of the internal control by processing relevant, timely, and quality
information from internal and external sources.

Communication enables the organization to share relevant and quality information internally and externally.
Communication provides information necessary in designing, implementing, and conducting internal control, and
in assessing its effectiveness. Management communicates information internally to enable personnel to
understand the entity's objectives and the importance of their control responsibilities. Internal communication
facilitates the functioning of internal control by sharing information up, down, and across the entity. External
communication enables management to obtain and share information between the entity and external parties
about risks, regulatory matters, changes in circumstances, customer satisfaction, and other information relevant
to the functioning of the internal control.

An information system is the set of activities, involving people, processes, data and/or technology, which enable
the organization to obtain, generate, use, and communicate transactions and information to maintain
accountability and measure and review the entity's performance or progress toward achievement of objectives.

The Framework distinguishes this component from the internal reporting category of objectives. Information and
Communication is only one component of the Framework. This component serves to provide relevant, quality
information to support all components of internal control. On the other hand, an organization seeking reasonable
assurance in preparing external reports requires all five components of internal control. Communication can
appear broad at times (e.g., information communicated about external trends or events), but in the context of the
Framework, its use may be narrower (e.g., communication enabling a user to carry out controls within Risk
Assessment).

Uses Relevant Information

Principle 13: The organization obtains or generates and uses relevant, quality information to support the
functioning of internal control.

Points of Focus

The following points of focus highlight important characteristics relating to this principle:

• Identifies Information Requirements — A process is in place to identify the information required and expected
to support the functioning of the other components of internal control and the achievement of the entity's
objectives.
• Captures Internal and External Sources of Data — Information systems capture internal and external sources
of data.
• Processes Relevant Data into Information — Information systems process and transform relevant data into
information.
• Maintains Quality throughout Processing — Information systems produce information that is timely, current,
accurate, complete, accessible, protected, verifiable, and retained. Information is reviewed to assess its
relevance in supporting the internal control components.
• Considers Costs and Benefits — The nature, quantity, and precision of information communicated are
commensurate with and support the achievement of objectives.

Information Requirements

Information is necessary for the organization to carry out its internal control responsibilities to support the
achievement of objectives. Information about the entity's objectives is gathered from board and senior
management activities and summarized in a way that management and others can understand objectives and
their role in their achievement.

For example, a wholesale distributor found that its managers did not have a solid understanding of the key
objectives for the organization. The business plan was detailed and difficult to concisely communicate. The
board of directors worked with senior management to summarize the entity's key objectives into a clear narrative
document that accompanied internally distributed financial statements. In addition, the board provided a
balanced scorecard that mapped these goals to metrics and actual results, both non-financial and financial, on a
monthly basis. Feedback from a subsequent employee survey indicated that management and other personnel
better understood the organization's objectives.

Obtaining relevant information requires management to identify and define information requirements at the
relevant level and requisite specificity. Identifying information requirements is an iterative and ongoing process
that occurs throughout the performance of an effective internal control system.

Management develops and implements controls relating to the identification of relevant information that supports
the functioning of components. The following examples illustrate how information in support of the functioning of
other internal control components is identified and defined.

Internal Control Component: Example of Information Used

Control Environment: Management performs an annual entity-wide survey of its employees to gather information
about their personal conduct in relation to the entity's code of conduct. The survey is part of a process that
produces information to support the Control Environment component and may also provide input into the
selection, development, implementation, or maintenance of control activities.

Risk Assessment: As a result of changes in customer demands, an entity changes its product mix and delivery
mechanisms. Expanded on-line sales have caused credit card transactions to increase significantly. To assess
the risk of non-compliance with security and privacy regulations associated with credit card information,
management gathers information about the number of transactions, overall value, and nature of data retained for
the last fiscal year and evaluates its significance in conducting its risk analysis.

Control Activities: Certain equipment used in a high-volume production environment deteriorates if it operates
longer than a specified time period. To maximize equipment lifespan, management obtains and reviews the daily
up-time logs and compares them to ranges set by senior management. The information supports control
activities that address mitigation procedures required when maximum up-time levels are exceeded.

Monitoring Activities: A large utility company gathers, processes, and reports accident and injury records related
to the power generation operating unit. Comparing this information with trends in workers' compensation health
insurance claims identifies variations from established expectations. This may indicate that control activities over
the identification, processing, reporting, investigation, and resolution of accident and injury events may not be
functioning as intended.

Controls embedded within the five components establish information requirements. These requirements facilitate
and direct management and other personnel to identify relevant and reliable sources of information and
underlying data. The amount of information and underlying data available to management may be more than is
needed because of increased sources of information and advances in data collection, processing, and storage.
In other cases, data may be difficult to obtain at the relevant level or requisite specificity. Therefore, a clear
understanding of the information requirements directs management and other personnel to identify relevant and
reliable sources of information and data.

Achieving the right balance between the benefits and the costs to obtain and manage information, and the
information systems, is a key consideration in establishing an information system that meets the entity's needs.

Information from Relevant Sources

Information is received from a variety of sources and in a variety of forms. The following table summarizes
examples of internal and external data and sources from which management can generate useful information
relevant to internal controls.


Management considers a comprehensive scope of potential events, activities, and data sources, available
internally and from reliable external sources, and selects the most relevant and useful to the current
organizational structure, business model, or objectives. As change in the entity occurs, the information
requirements also change. For example, entities operating in a highly dynamic business and economic
environment experience continual changes such as highly innovative and quick-moving competitors, shifting
customer expectations, evolving regulatory requirements, globalization, and technology innovation. Therefore,
management re-evaluates information requirements and adjusts to meet its ongoing needs.

Processing Data through Information Systems

Organizations develop information systems to source, capture, and process large volumes of data from internal
and external sources into meaningful, actionable information to meet defined information requirements.
Information systems encompass a combination of people, processes, data, and technology that support
business processes managed internally as well as those that are supported through relationships with
outsourced service providers and other parties interacting with the entity.

Information may be obtained through a variety of forms including manual input or compilation, or through the use
of information technology such as electronic data interchange (EDI) or application programming interfaces (API).
Conversations with customers, suppliers, regulators, and employees are also sources of critical data and
information needed to identify and assess both risks and opportunities. In some instances, information and
underlying data captured requires a series of manual and automated processes to ensure it is at the relevant
level and requisite specificity. In other cases, information may be obtained directly from an internal or external
source. Management develops and implements control activities over the integrity of data input into information
systems and over the completeness and accuracy of processing such data into information used by other
controls.

The volume of information accessible to the organization presents both opportunities and risks. Greater access
to information can enhance internal control. On the other hand, increased volume of information and underlying
data may create additional risks such as operational risks caused by inefficiency due to data overload,
compliance risks associated with laws and regulations around data protection and retention, and privacy and
security risks arising from the nature of data stored by or on behalf of the entity.

The nature and extent of information requirements, the complexity and volume of information, and the
dependence on external parties impact the range of sophistication of information systems, including the extent
of technology deployed. Regardless of the level of sophistication adopted, information systems represent the
end-to-end information processing of transactions and data that enable the entity to collect, store, and
summarize quality and consistent information across the relevant processes, whether manual, automated, or a
combination of both.

Information systems developed with integrated, technology-enabled processes provide opportunities to enhance
the efficiency, speed, and accessibility of information to users. Additionally, such information systems may
enhance internal control over security and privacy risks associated with information obtained and generated by
the organization. Information systems designed and implemented to restrict access to information only to those
who need it and to reduce the number of access points enhance the effectiveness of mitigating risks associated
with the security and privacy of information.

Enterprise resource planning (ERP) systems, association management systems (AMS), corporate intranets,
collaboration tools, interactive social media, data warehouses, business intelligence systems, operational
systems (e.g., factory automation and energy-usage systems), web-based applications, and other technology
solutions present opportunities for management to leverage technology in developing and implementing effective
and efficient information systems.

Information Quality

Maintaining quality of information is necessary to an effective internal control system, particularly with today's
volume of data and dependence on sophisticated, automated information systems. The ability to generate
quality information begins with the data sourced. Inaccurate or incomplete data, and the information derived from
such data, could result in potentially erroneous judgments, estimates, or other management decisions.

The quality of information depends on whether it is:

 Accessible — The information is easy to obtain by those who need it. Users know what information is available
and where in the information system the information is accessible.
 Correct — The underlying data is accurate and complete. Information systems include validation checks that
address accuracy and completeness, including necessary exception resolution procedures.
 Current — The data gathered is from current sources and is gathered at the frequency needed.
 Protected — Access to sensitive information is restricted to authorized personnel. Data categorization (e.g.,
confidential and top secret) supports information protection.
 Retained — Information is available over an extended period of time to support inquiries and inspections by
external parties.
 Sufficient — There is enough information at the right level of detail relevant to information requirements.
Extraneous data is eliminated to avoid inefficiency, misuse, or misinterpretation.
 Timely — The information is available from the information system when needed. Timely information helps with
the early identification of events, trends, and issues.
 Valid — Information is obtained from authorized sources, gathered according to prescribed procedures, and
represents events that actually occurred.
 Verifiable — Information is supported by evidence from the source. Management establishes information
management policies with clear responsibility and accountability for the quality of the information.

Management establishes information management policies with clear responsibility and accountability for the
quality of the information. These policies address data governance expectations that guide processes to define
categories or classes of data and assign requirements for physical handling, storage, security, and privacy.
These policies support management and other personnel's responsibilities for protecting data and information
from unauthorized access or change and for adhering to retention requirements.

For example, in one case senior management of a decentralized, geographically dispersed government agency
identified a risk, specific to achieving an operational objective associated with the quality of operational data
collected from its 2,000 field units. Management developed a set of specified data requirements and a reporting
format to be used by all field units. Senior management consistently performed monthly reviews of key metrics
derived from the data across all units. Those units with the best and poorest performance were required to
explain the source of their data to an internal audit team. In addition, agency management used the reports of
unit operational data and metrics on field visits and began asking questions to assess the unit's understanding of
data on the reports. After six months of implementing this system of reporting, monthly reviews, field visits, and
related feedback that was shared throughout the process, the quality of information improved to the level
acceptable to management. To maintain this level, management implemented amended policies and processes
for reporting the operational data and business intelligence technology to enable consistent, timely reporting of
the information.

Information that is obtained from outsourced service providers that manage business processes on behalf of the
entity, and other external parties on whom the entity depends, is subject to the same internal control
expectations. Information requirements are developed by the organization and communicated to outside service
providers and other similar external parties. Controls support the organization's ability to rely on such
information, including internal control over outsourced service providers such as vendor due diligence, exercise
of right-to-audit clauses, and obtaining an independent assessment over the service provider's controls.

Management considers its requirements to retain communications, particularly those to and from external parties
or those that relate to the entity's compliance with laws and regulations. Given the potential volume and ability to
store and retrieve such information, this requirement may be challenging when management relies on real-time,
technology-enabled communication. Controls over retention of internal control information consider the
challenges of advances in technology, including communication and collaboration technologies used to support
other components of internal control and achievement of the entity's objectives.

Communicates Internally

Principle 14: The organization internally communicates information, including objectives and responsibilities for
internal control, necessary to support the functioning of internal control.

Points of Focus

The following points of focus highlight important characteristics relating to this principle:

 Communicates Internal Control Information — A process is in place to communicate required information to
enable all personnel to understand and carry out their internal control responsibilities.
 Communicates with the Board of Directors — Communication exists between management and the board of
directors so that both have information needed to fulfill their roles with respect to the entity's objectives.
 Provides Separate Communication Lines — Separate communication channels, such as whistle-blower
hotlines, are in place and serve as fail-safe mechanisms to enable anonymous or confidential communication
when normal channels are inoperative or ineffective.
 Selects Relevant Method of Communication — The method of communication considers the timing,
audience, and nature of the information.

Internal Control Communication

Communication of information conveyed across the entity includes:

 Policies and procedures that support personnel in performing their internal control responsibilities
 Specified objectives
 Importance, relevance, and benefits of effective internal control
 Roles and responsibilities of management and other personnel in performing controls
 Expectations of the organization to communicate up, down, and across the entity any matters of significance
relating to internal control including instances of weakness, deterioration, or non-adherence

The organization establishes and implements policies and procedures that facilitate effective internal
communication. This includes specific and directed communication that addresses individual authorities,
responsibilities, and standards of conduct across the entity. Senior management communicates the entity's
objectives clearly through the organization so that other management and personnel, including non-employees
such as contractors, understand their individual roles in the organization. Such communication occurs regardless
of where personnel are located, their level of authority, or their functional responsibility. Internal communication
begins with the communication of specified objectives. As management cascades the communication of the
entity-specific objectives throughout the organization, it is important that the related sub-objectives or specific
requirements are communicated to personnel in a manner that allows them to understand how their roles and
responsibilities impact the achievement of the entity's objectives.

All personnel also receive a clear message from senior management that their internal control responsibilities
must be taken seriously. Through communication of objectives and sub-objectives, personnel understand how
their roles, responsibilities, and actions relate to the work of others in the organization; what responsibilities for
internal control they have; and what is deemed acceptable and unacceptable behavior. As discussed under
Control Environment, by establishing appropriate structures, authorities, and responsibilities, communication to
personnel of the expectations for internal control is effected. However, communication about internal control
responsibilities may not on its own be sufficient to ensure that management and other personnel embrace their accountability and respond
as intended. Often, management must take timely action that is consistent with such communication to reinforce
the messages conveyed.

Management selects, develops, and deploys controls that help ensure that information is shared through internal
communication and that help management and other personnel carry out control responsibilities across multiple
functions, operating units, or divisions. For example:

 Field service personnel in the sales department of an entity gather information about defect rates on certain
parts. This information is also useful to the directors of manufacturing and engineering as it may indicate a
production quality or product design issue. In addition, the results of monitoring activities are communicated to
other personnel to help identify the root cause of an issue and take corrective action.
 The internal audit department conducts an audit over the commissions paid to distributors in one international
location. The audit reveals instances of fraudulent reporting of sales through certain distributors. Further
investigation exposes payments by the distributor to the sales representative responsible for the related
distributors. This information is shared with those responsible for responding to potential fraud and with sales
management in other international locations, enabling them to analyze information more critically to determine if
the issue is more pervasive and take any necessary actions.

Internal Control Communication with Board

Communication between management and the board of directors provides the board with information needed to
exercise its oversight responsibility for internal control. Information relating to internal control communicated to
the board generally includes significant matters about the adherence to, changes in, or issues arising from the
system of internal control. The frequency and level of detail of communication between management and the
board must be sufficient to enable the board of directors to understand the results of management's separate
and ongoing assessments and the impact of those results on the achievement of objectives. Additionally, the
frequency and level of detail must be sufficient to enable the board of directors to respond to indications of
ineffective internal control in a timely manner.

Direct communication to the board of directors by other personnel is also important. Members of the board of
directors should have direct access to employees without interference from management. For example, some
organizations encourage board members to meet with management and personnel without senior management
present. This allows board members to independently ask questions and assess important matters that
employees may not otherwise feel comfortable sharing, such as adherence to the code of conduct, competence
of personnel, or potential management override of controls. Additionally, the overall system of internal control is
enhanced by the internal audit department that is independent of management. Internal audit communication to
the board of directors is generally direct, free from management bias and, where necessary, confidential.

Communication beyond Normal Channels

For information to flow up, down, and across the organization, there must be open channels of communication
and a clear-cut willingness to report and listen. Management and other personnel must believe their supervisors
truly want to know about problems and will deal with them, as necessary. In most cases, normal established
reporting lines in an entity are the appropriate channels of communication. However, personnel are quick to pick
up on signals if management does not have the time, interest, or resources to deal with problems they have
uncovered. Compounding the problem is that an unreceptive or unavailable manager is usually the last to know
that the normal communications channel is inoperative or ineffective.

In some circumstances, separate lines of communication are needed to establish a fail-safe mechanism for
anonymous or confidential communication when normal channels are inoperative or ineffective. Many entities
provide, and make employees aware of, a channel for such communications to be received by the board of
directors or a board delegate such as a member of the audit committee. In some cases, laws and regulations
require companies to establish such alternative communications channels (e.g., whistle-blower and ethics
hotlines). Information systems should include mechanisms for anonymous or confidential reporting. Employees
must fully understand how these channels operate, how they should be used, and how they will be protected to
have the confidence to use them. Policies and procedures exist requiring all communication through these
channels to be assessed, prioritized, and investigated. Escalation procedures ensure that necessary
communication will be made to a specific board member who is responsible for ensuring that timely and proper
assessments, investigations, and actions are carried out.

These separate mechanisms, which encourage employees to report suspected violations of an entity's code of
conduct without fear of reprisal, send a clear message that senior management is committed to open
communication channels and will act on information that is reported to them.

Method of Communication

Both the clarity of the information and effectiveness with which it is communicated are important to ensuring
messages are received as intended. Active forms of communication such as face-to-face meetings are often
more effective than passive forms such as broadcast emails and intranet postings. Periodic evaluation of the
effectiveness of communication helps to ensure methods are working. This can be done through a variety of
existing processes such as employee performance evaluations, annual management reviews, and other
feedback programs.

Management selects the method of communication, taking into account the audience, nature of the
communication, timeliness, cost, and any legal or regulatory requirements. Communication can take such forms
as:

 Dashboards
 Email messages
 Live or on-line training
 Memoranda
 One-on-one discussions
 Performance evaluations
 Policies and procedures
 Presentations
 Social media postings
 Text messages
 Webcast and other video forms
 Website or collaboration site postings

When choosing a method of communication, management considers the following:

 Where messages are transmitted orally — in large groups, smaller meetings, or one-on-one sessions — the
person's tone of voice and non-verbal cues emphasize what is being said and enhance understanding and
opportunity for recipients to respond to the communication.
 Cultural, ethnic, and generational differences can affect how messages are received and should be considered
in the method of communication to support a variety of audiences (e.g., by translating messages into multiple
languages, holding one-to-one meetings that respect a preference for privacy in certain matters, and using
technology-based media).
 Communications directly relevant to internal control effectiveness may require a method that allows for long-
term retention. In some instances, employee acknowledgment of review and understanding of certain policies
should be retained (e.g., code of conduct, anti-money laundering, and corporate security).

 Time-sensitive communications delivered through informal methods such as email, text messaging, and social
media postings may be sufficient and more cost-effective, particularly when confidentiality or retention is not
necessary.
 Management and personnel who communicate solely through formal means (e.g., official office memos) may not
reach their intended audience and may not receive return communications from those who are more
accustomed to using informal means of communication (e.g., email, text messages, or social media postings).

Communication of information related to internal control responsibilities alone may not be sufficient to ensure
that management and other personnel receive and respond as intended. Consistent and timely actions taken by
management with such communication reinforce the messages conveyed.

Communicates Externally

Principle 15: The organization communicates with external parties regarding matters affecting the
functioning of internal control.

Points of Focus

The following points of focus highlight important characteristics relating to this principle:

 Communicates to External Parties — Processes are in place to communicate relevant and timely information
to external parties including shareholders, partners, owners, regulators, customers, and financial analysts and
other external parties.
 Enables Inbound Communications — Open communication channels allow input from customers, consumers,
suppliers, external auditors, regulators, financial analysts, and others, providing management and the board of
directors with relevant information.
 Communicates with the Board of Directors — Relevant information resulting from assessments conducted by
external parties is communicated to the board of directors.
 Provides Separate Communication Lines — Separate communication channels, such as whistle-blower
hotlines, are in place and serve as fail-safe mechanisms to enable anonymous or confidential communication
when normal channels are inoperative or ineffective.
 Selects Relevant Method of Communication — The method of communication considers the timing,
audience, and nature of the communication and legal, regulatory, and fiduciary requirements and expectations.

External Communication

Communication occurs not only within the entity, but with those outside as well. With open external
communication channels, important information concerning the entity's objectives may be provided to
shareholders or other owners, business partners, customers, regulators, financial analysts, government entities,
and other external parties. Outbound communication should be viewed distinctly from external reporting as
discussed in Chapter 2 Objectives, Components, and Principles.

The organization develops and implements controls that facilitate external communication. These may include
policies and procedures to obtain or receive information from external parties and to share that information
internally, allowing management and other personnel to identify trends, events, or circumstances that may
impact the achievement of objectives. For example, customer or supplier complaints or inquiries about
shipments, receipts, billings, or other unusual activities may indicate operating problems, fraudulent activities, or
errors.

Outbound Communication

Communication to external parties allows them to readily understand events, activities, or other circumstances
that may affect how they interact with the entity. Management's communication to external parties sends a
message about the importance of internal control in the organization by demonstrating open lines of
communication. Communication to external suppliers and customers supports the entity's ability to maintain an
appropriate control environment. Suppliers and customers need to fully understand the entity's values and
cultures. They are informed of the entity's code of conduct and recognize their responsibilities in helping to
ensure compliance with the code of conduct. For example, management communicates its controls relating to
business dealings with vendors upon approval of a new vendor and requires the vendor to acknowledge its
adherence prior to the approval of an initial purchase order with the vendor.

Technology and communication tools enable external parties to have access to public forums to post and
discuss an entity's business, activities, and controls. When an organization uses, or authorizes its employees to
use public forums, such as social media and similar unrestricted communication tools, management develops
and implements controls that guide expectations for proper use to avoid jeopardizing the entity's objectives.

Inbound Communication to Management and the Board

Communications from external parties may also provide important information on the functioning of the entity's
internal control system. These can include:

 An independent assessment of internal controls at an outsourced service provider related to the organization's
objectives
 An independent auditor's assessment of internal control over financial or nonfinancial reporting of the entity
 Customer feedback related to product quality, improper charges, and missing or erroneous receipts
 New or changed laws, rules, regulations, standards, and other requirements of standard- and rule-setting bodies
 Results from regulatory compliance reviews or examinations such as banking, securities, or taxing authorities
 Vendor questions related to timely or missing payments for goods sold
 Postings on organization-sponsored or supported social media websites or communication tools

Information resulting from external assessments about the organization's activities that relate to matters of
internal control are evaluated by management and, where appropriate, communicated to the board of directors.
For example, management has entered into an arrangement that allows the organization to periodically use
externally managed technology services to perform transaction processing in lieu of hiring personnel and
purchasing and implementing additional hardware and software internally. The organization uses sensitive
customer data in certain processes. To maintain compliance with the entity's policies and external laws,
regulations, and standards, an assessment of internal control over the security and privacy of externally
transmitted data (including data transmitted over the Internet) is performed by a third party. The results of the
assessment reveal weaknesses in internal control that could impact the security and privacy of data.
Management assesses the significance of the weaknesses and reports information necessary to enable the
board of directors to carry out its oversight responsibilities.

The interdependence of business processes between the entity and outsourced service providers can blur the
lines of responsibility between the entity's internal control system and that of outsourced service providers. This
creates a need for more rigorous controls over communication between the parties. For example, supply chain
management in a global retail company occurs through a dynamic, interactive exchange of activities between
the company, vendors, logistics providers, and contract manufacturers. Internal control over the end-to-end
processes becomes a shared responsibility, but there may be uncertainty about which entity is responsible at a
particular stage of the process. Communicating with outsourced service providers responsible for activities
supporting the entity's objectives may facilitate the risk assessment process, the oversight of business activities,
decision making, and the identification of responsibility for internal control throughout the process regardless of
where activities occur.

Communication beyond Normal Channels

Complexity of business relationships between the entity and external parties may arise through service provider
and other outsourcing arrangements, joint ventures and alliances, and other transactions that create mutual
dependencies between the parties. Such complexity may create concerns over how business is being conducted
by or between the parties. In this case, the organization makes separate communication channels available to
customers, suppliers, and outsourced service providers to allow them to communicate directly with management
and other personnel. For example, a customer of products developed through a joint venture may learn that one
of the joint venture partners sold products in a country that was not agreed to under the joint venture
arrangement. Such a breach may affect the customer's ability to use or resell the products, impacting the
customer's business. The customer needs a channel in which it can communicate concerns to others in the
organization without disrupting its ongoing operations.

Method of Communication

The means by which management communicates externally affects the ability to obtain information needed as
well as to ensure that key messages about the organization are received and understood. Management
considers the method of communication used, which can take many forms, taking into account the audience, the
nature of the communication, timeliness, and any legal or regulatory requirements. For example, customers who
regularly access entity information through a customer portal may receive messages through postings on the
corporate website.

Press and news releases issued through investor or public relations channels are often effective for reaching a
broad audience of external parties, ensuring wide distribution and increasing the likelihood that information is
received. Blogs, social media, electronic billboards, and email are also common forms of external
communication because they can be tailored and directed to the specific party, help to control the information
obtained by external parties, and support expectations that information can be sent and received quickly with
greater use of mobile communication devices.

9. Monitoring Activities

Chapter Summary

Ongoing evaluations, separate evaluations, or some combination of the two are used to ascertain whether each
of the five components of internal control, including controls to effect the principles within each component, is
present and functioning. Ongoing evaluations, built into business processes at different levels of the entity,
provide timely information. Separate evaluations, conducted periodically, will vary in scope and frequency
depending on assessment of risks, effectiveness of ongoing evaluations, and other management considerations.
Findings are evaluated against criteria established by regulators, standard-setting bodies, or management and
the board of directors, and deficiencies are communicated to management and the board of directors as
appropriate.

Principles relating to the Monitoring Activities component

16. The organization selects, develops, and performs ongoing and/or separate evaluations to ascertain whether
the components of internal control are present and functioning.

17. The organization evaluates and communicates internal control deficiencies in a timely manner to those
parties responsible for taking corrective action, including senior management and the board of directors, as
appropriate.

Introduction

Monitoring activities assess whether each of the five components of internal control and relevant principles is
present and functioning. The organization uses ongoing, separate evaluations, or some combination of the two,
to ascertain whether the components of internal control (including controls to effect principles across the entity
and its subunits) are present and functioning. Monitoring is a key input of the organization's assessment of the
effectiveness of internal control. It also provides valuable support for assertions of the effectiveness of the
system of internal control.

An entity's system of internal control will often change. The entity's objectives and the components of internal
control may also change over time. Also, controls may become less effective or obsolete, may no longer be
deployed in the manner in which they were selected or developed, or may be deemed insufficient to support the
achievement of the new or updated objectives. Monitoring activities are selected, developed, and performed to
ascertain whether each component continues to be present and functioning or if change is needed. Monitoring
activities provide valuable input for management to use when determining whether the system of internal control
continues to be relevant and is able to address new risks.
Where appropriate, monitoring activities identify and examine expectation gaps relating to anomalies and
abnormalities, which may indicate one or more deficiencies in an entity's system of internal control. When
reviewing and investigating expectation gaps, management often identifies root causes of such gaps. In
ascertaining whether the five components of internal control are present and functioning, monitoring activities
consider controls within each of the five components. Management evaluates these controls and how they effect
principles; for example, assessing controls selected and deployed by the organization for:

• Maintaining compliance with the entity's code of conduct
• Articulating acceptable levels of risk
• Obtaining relevant information after information requirements have changed

When distinguishing between a monitoring activity and a control activity, organizations need to consider
underlying details of the activity, especially where the activity involves some level of supervisory review.
Supervisory reviews are not automatically classified as monitoring activities and it may be a matter of judgment
whether a review is classified as a control activity or a monitoring activity. For example, the intent of a monthly
completeness control activity would be to detect and correct errors, where a monitoring activity would ask why
there were errors in the first place and assign management the responsibility of fixing the process to prevent
future errors. In simple terms, a control activity responds to a specific risk, whereas a monitoring activity
assesses whether controls within each of the five components of internal control are operating as intended.

The examples below illustrate the relationship between control activities and monitoring activities of a payable
reconciliation.

Control activity: The accounts payable (AP) clerk at Division A reconciles the Division A payables sub-ledger to
the general ledger on a periodic basis. Reconciling items are investigated and resolved on a timely basis.

Related monitoring activities:
• Management independent of those involved in the performance of the control activity:
  • Inspects documentation that the reconciliations were performed across all divisions or subsidiaries.
  • Examines for identifiable trends in the volume and/or nature of the reconciling items noted.
• Management evaluates whether the sources and the quality of information used for the payable reconciliation
are appropriate.
• Management evaluates whether new risks relating to changes in internal and external factors were identified,
assessed, and responded to in the payables reconciliation.

Control activity: The AP supervisor periodically reviews and approves the payables sub-ledger to general ledger
account reconciliation.

Related monitoring activity:
• Semiannually, management evaluates whether supervisors performing the review and approval are properly
trained and knowledgeable and if supervisors perform in accordance with the AP process design.

Conducts Ongoing and/or Separate Evaluations

Principle 16: The organization selects, develops, and performs ongoing and/or separate evaluations to
ascertain whether the components of internal control are present and functioning.

Points of Focus

The following points of focus highlight important characteristics relating to this principle:

• Considers a Mix of Ongoing and Separate Evaluations — Management includes a balance of ongoing and
separate evaluations.
• Considers Rate of Change — Management considers the rate of change in business and business processes
when selecting and developing ongoing and separate evaluations.
• Establishes Baseline Understanding — The design and current state of an internal control system are used to
establish a baseline for ongoing and separate evaluations.
• Uses Knowledgeable Personnel — Evaluators performing ongoing and separate evaluations have sufficient
knowledge to understand what is being evaluated.
• Integrates with Business Processes — Ongoing evaluations are built into the business processes and adjust
to changing conditions.
• Adjusts Scope and Frequency — Management varies the scope and frequency of separate evaluations
depending on risk.
• Objectively Evaluates — Separate evaluations are performed periodically to provide objective feedback.

Ongoing and Separate Evaluations

Monitoring can be done in two ways: through ongoing evaluations or separate evaluations, or some combination
of the two. Ongoing evaluations are generally defined, routine operations, built into business processes and
performed on a real-time basis, reacting to changing conditions. Separate evaluations are conducted periodically
by objective management personnel, internal audit, and/or external parties, among others. The scope and
frequency of separate evaluations is a matter of management judgment.

Separate evaluations can employ the same techniques as ongoing monitoring, but they are designed to evaluate
controls periodically and are not ingrained in the routine operations of the entity. Since separate evaluations take
place periodically, problems will often be identified more quickly by ongoing evaluations. Many entities with
sound ongoing evaluations will nonetheless conduct separate evaluations of the components of internal control
to reconfirm ongoing evaluation conclusions. An entity that perceives a need for frequent separate evaluations
may consider identifying ways to enhance ongoing evaluations.

Management selects, develops, and performs a mix of monitoring activities usually including both ongoing and
separate evaluations, to ascertain whether each of the five components of internal control is present and
functioning. As part of monitoring the five components, management uses these evaluations to ascertain
whether controls to effect principles across the entity and its subunits have been selected, developed, and
deployed. The decision of whether to conduct ongoing or separate evaluations, or some combination of the two,
may occur at different levels of the entity. Thought is given to the scope and nature of the entity's operations,
changes in internal and external factors, and the associated risks when developing the ongoing and separate
evaluations.

Rate of Change

Management considers the rate at which an entity or the entity's industry is anticipated to change. An entity in an
industry that is quickly changing may need to have more frequent separate evaluations and may reconsider the
mix of ongoing and separate evaluations during the period of change. For example, banks subject to financial
regulatory reforms select and develop monitoring activities that anticipate future change and reactions to the
changing regulatory environment. Usually, some combination of ongoing and separate evaluations will validate
whether or not the components of internal control remain present and functioning.

Monitoring activities may be used to support external reporting including management assertions over the
entity's system of internal control or other forms of compliance reporting. The requirements of external reporting
or management assertions will usually affect the combination of ongoing and separate evaluations and how they
are selected, developed, and performed.

Baseline Information

Understanding the design and current state of a system of internal control provides useful baseline information
for establishing ongoing and separate evaluations. When using monitoring activities it is necessary to have an
understanding of how management has designed the system of internal control and how controls within each of
the five components effect principles. As management gains experience with monitoring activities, its
understanding will evolve based on the results of such activities. If an entity does not have a baseline
understanding in areas with risks of higher significance, it may need to perform a separate evaluation of those
areas to establish the baseline. When change occurs within any of the five components of internal control, the
baseline may need to be evaluated to make sure monitoring activities remain appropriate or updated so they are
aligned with other components of internal control.

Ongoing Evaluations

Manual and automated ongoing evaluations monitor the presence and functioning of the components of internal
control in the ordinary course of managing the business. Ongoing evaluations are generally performed by line
operating or functional managers, who are competent and have sufficient knowledge to understand what is
being evaluated, giving thoughtful consideration to implications of information they receive. By focusing on
relationships, inconsistencies, or other relevant implications, they raise issues and follow up with other personnel
as necessary to determine whether corrective or other action is needed.

Entities frequently use technology to support ongoing evaluations. Computerized continuous monitoring
techniques have a high standard of objectivity (once programmed and tested) and allow for efficient review of
large volumes of data at a low cost. Such techniques, combined with robust review and analysis of the results by
knowledgeable and responsible personnel, can result in an efficient and effective program for ongoing
evaluations.

The following examples illustrate ongoing evaluations.

A medium-size manufacturing entity has in place a process for conducting a monthly production meeting attended
by the manufacturing supervisor, inventory manager, and demand planning supervisor to review current
production levels and product modifications. The quality officer attends this routine meeting. As part of her ongoing
evaluation of the controls in the production planning process, the quality officer evaluates information obtained in
the meeting to raise probing questions of management and other personnel, to ascertain whether appropriate
analysis and actions are being performed and followed up on in a timely manner, and to identify unusual trends or
anomalies that may warrant immediate investigations. She also uses information obtained and analyzed during
the meeting to recommend modifications to control activities relevant to the production planning process.

Control activities embedded in the procurement process use software to automate the review of all payment
transactions. A software routine embedded within the payable process immediately identifies any unusual
transactions based on pre-established parameters (e.g., possible duplicate payments). The accounts payable
supervisor daily investigates any identified anomalies, determines root causes, and evaluates and communicates
any internal control deficiency to those in the procurement process responsible for taking corrective action.

The human resource department has developed policies and practices that support the organization's commitment
to attract, develop, and retain competent staff. These practices include training, mentoring, and evaluation
practices that encourage development and promotion of management positions. As part of the entity's human
resource policies and practices, staff mentors semiannually prepare and present to the human resource
supervisors a review of assigned individual's actual performance against expected performance levels and
standards of conduct. The director of personnel attends these semiannual presentations as part of the ongoing
evaluation of human resource policies and practices and provides objective, real-time feedback to department
supervisors and mentors about the effectiveness of the review process, compliance with labor laws, and
recommendations for improving subsequent processes.

An entity authorizes its accounts payable clerks to process contractor invoices with up to a 5% variance from
amounts specified for services pursuant to executed contracts without seeking supervisory approval. The
accounts payable manager monitors this control activity at the end of each month by reviewing disbursement
activity and focusing specifically on two trends: the volume of disbursements where there are variances from
contracts, and the frequency with which a particular clerk processes any variance payments. The accounts
payable manager investigates any instance of an excessive variance or abnormal frequency or trend from both an
operational and potential fraud perspective and takes action to assess and resolve root causes.
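The two ongoing-evaluation examples above that rest on automated review (the embedded duplicate-payment routine and the month-end variance review) can be written out as detection logic. The Python below is an added illustration, not code from the COSO framework or from PwC: the vendors, clerks, invoice numbers, amounts, the 7-day duplicate window and the 1.5× frequency threshold are constructed assumptions; only the 5% variance limit comes from the text. It shows the distinction the chapter draws: the control activity functions respond per transaction to a specific risk (a possible duplicate, an unapproved variance), whereas the monitoring function looks at the month's population to ask whether the variance control is operating as intended, returning the excessive cases and abnormal clerk frequencies the AP manager would investigate for root causes.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from decimal import Decimal


@dataclass(frozen=True)
class Payment:
    """One disbursement processed by an accounts payable clerk against a contract."""
    payment_id: str
    vendor: str
    invoice_no: str
    clerk: str
    amount: Decimal            # amount actually disbursed
    contract_amount: Decimal   # amount specified in the executed contract
    supervisor_approved: bool  # a supervisor approved a variance above the limit
    paid_on: date


def _pay(pid, vendor, inv, clerk, amount, contract, approved, paid_on):
    return Payment(pid, vendor, inv, clerk, Decimal(amount), Decimal(contract), approved, paid_on)


# Constructed sample month of disbursements: vendors, clerks, invoice numbers and
# amounts are hypothetical, chosen to exercise each rule below.
PAYMENTS = [
    _pay("p1", "ACME", "INV-100", "alice", "1000.00", "1000.00", False, date(2022, 3, 2)),
    _pay("p2", "ACME", "INV-101", "alice", "1030.00", "1000.00", False, date(2022, 3, 5)),
    _pay("p3", "BOLT", "INV-77", "bob", "500.00", "500.00", False, date(2022, 3, 6)),
    _pay("p4", "BOLT", "INV-78", "bob", "540.00", "500.00", False, date(2022, 3, 8)),
    _pay("p5", "CARA", "INV-9", "alice", "2000.00", "2000.00", False, date(2022, 3, 10)),
    _pay("p6", "ACME", "INV-100", "carol", "1000.00", "1000.00", False, date(2022, 3, 12)),
    _pay("p7", "DELTA", "INV-5", "bob", "760.00", "800.00", False, date(2022, 3, 15)),
    _pay("p8", "BOLT", "INV-79", "bob", "515.00", "500.00", False, date(2022, 3, 18)),
    _pay("p9", "BOLT", "INV-80", "bob", "520.00", "500.00", False, date(2022, 3, 22)),
    _pay("p10", "CARA", "INV-10", "carol", "2200.00", "2000.00", True, date(2022, 3, 25)),
    _pay("p11", "DELTA", "INV-6", "alice", "800.00", "800.00", False, date(2022, 3, 28)),
    _pay("p12", "CARA", "INV-11", "carol", "2000.00", "2000.00", False, date(2022, 3, 14)),
]

VARIANCE_LIMIT = Decimal("0.05")  # clerks may process up to 5% variance without approval


def variance_ratio(p: Payment) -> Decimal:
    """Absolute variance of the disbursement from the contract amount, as a fraction."""
    return abs(p.amount - p.contract_amount) / p.contract_amount


# --- Control activities: respond to a specific risk, one transaction at a time ----

def flag_possible_duplicates(payments, window_days=7):
    """Embedded routine: flag a payment as a possible duplicate as soon as it is
    processed, on pre-established parameters: same vendor and invoice number, or
    same vendor and amount within `window_days` (the window is an assumption)."""
    seen_invoice = {}                # (vendor, invoice_no) -> earlier payment_id
    seen_amount = defaultdict(list)  # (vendor, amount) -> earlier payments
    flagged = {}
    for p in sorted(payments, key=lambda x: x.paid_on):
        inv_key = (p.vendor, p.invoice_no)
        if inv_key in seen_invoice:
            flagged[p.payment_id] = f"same invoice as {seen_invoice[inv_key]}"
        else:
            seen_invoice[inv_key] = p.payment_id
            for prev in seen_amount[(p.vendor, p.amount)]:
                if (p.paid_on - prev.paid_on).days <= window_days:
                    flagged[p.payment_id] = f"same amount as {prev.payment_id} within {window_days} days"
                    break
        seen_amount[(p.vendor, p.amount)].append(p)
    return flagged


def unauthorized_variances(payments, limit=VARIANCE_LIMIT):
    """Policy check: a variance above the limit must carry supervisory approval."""
    return [p.payment_id for p in payments
            if variance_ratio(p) > limit and not p.supervisor_approved]


# --- Monitoring activity: is the variance control operating as intended? ----------

def monthly_variance_review(payments, limit=VARIANCE_LIMIT, frequency_multiplier=1.5):
    """Month-end review: volume of variance payments, per-clerk frequency, and the
    excessive or abnormal cases the AP manager investigates for root causes. A clerk
    is abnormal when their variance rate is at least `frequency_multiplier` times
    the population rate (the multiplier is an assumption, not from the text)."""
    by_clerk = defaultdict(lambda: {"payments": 0, "variances": 0})
    excessive = []
    for p in payments:
        stats = by_clerk[p.clerk]
        stats["payments"] += 1
        ratio = variance_ratio(p)
        if ratio > 0:
            stats["variances"] += 1
        if ratio > limit:  # excessive even when approved: the trend still matters
            excessive.append(p.payment_id)
    variance_volume = sum(s["variances"] for s in by_clerk.values())
    overall_rate = variance_volume / len(payments) if payments else 0.0
    abnormal = []
    for clerk, s in by_clerk.items():
        s["rate"] = s["variances"] / s["payments"]
        if s["variances"] > 1 and s["rate"] >= frequency_multiplier * overall_rate:
            abnormal.append(clerk)
    return {
        "variance_volume": variance_volume,
        "by_clerk": dict(by_clerk),
        "abnormal_frequency": sorted(abnormal),
        "excessive_variances": excessive,
    }
```

On the sample month the control functions flag p6 (same vendor and invoice number as p1), p12 (same vendor and amount as p5 within the window) and p4 (an 8% variance processed without approval); the monitoring function reports six variance payments overall and singles out clerk bob, whose four variance payments in five give a frequency well above the population rate, along with p4 and p10 as the two excessive variances. The control output is what the supervisor clears daily; the monitoring output is what prompts the question of why the variances keep occurring.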

Separate Evaluations

Separate evaluations are generally not ingrained within the business but can be useful in taking a fresh look at
whether each of the five components of internal control is present and functioning. Such evaluations include
observations, inquiries, reviews, and other examinations, as appropriate, to ascertain whether controls to effect
principles across the entity and its subunits are designed, implemented, and conducted. Separate evaluations of
the components of internal control vary in scope and frequency, depending on the significance of risks, risk
responses, results of ongoing evaluations, and expected impacts on the control components in managing the
risks. Higher priority risks and responses should be evaluated in greater depth and/or more often than
lower priority risks. While higher priority risks can be evaluated with both ongoing and separate evaluations,
separate evaluation may provide feedback on the results of ongoing evaluations, and the number of separate
evaluations can be increased as necessary.

A separate evaluation of the overall internal control system, or specific components of internal control, may be
appropriate for a number of reasons: major strategy or management change, acquisitions or dispositions,
changes in economic or political conditions, or changes in operations or methods of processing information. The
evaluation scope is determined by which of the three objectives categories — operations, reporting, or
compliance — are being addressed.

Knowledgeable Personnel

Separate evaluations are often conducted through the internal audit function, and while having an internal audit
function is not a requisite of internal control, it can enhance the scope, frequency, and objectivity of such
reviews.25 Since separate evaluations are conducted periodically by independent managers, employees, or
external reviewers to provide feedback with greater objectivity, evaluators need to be knowledgeable about the
entity's activities and how the monitoring activities function, and understand what is being evaluated. Procedures
designed to operate in a particular way may be modified over time to operate differently, or they may no longer
be performed. Sometimes new procedures are established, but are not known to those who described the
process and are not included in available documentation. Determining the actual functioning can be
accomplished by holding discussions with personnel who perform or are affected by controls, by examining
performance records, or by a combination of procedures.

The evaluator analyzes the presence and functioning of components of internal control, and the results of
evaluations. The analysis is conducted against the backdrop of management's established standards for each
component, with the ultimate goal of determining whether the process provides reasonable assurance with
respect to the stated objectives.

Separate Evaluation Approaches and Objectivity

There are a variety of approaches available to perform separate evaluations. The scope, nature, frequency, and
formality of approaches vary with the relative importance of the risk responses and related components and
principles of internal control that are being evaluated. Separate evaluations may include:

• Internal Audit Evaluations — Internal auditors are often objective and competent resources, whether in-house or
outsourced, and perform separate evaluations as part of their regular duties, or at the specific request of senior
management or the board of directors. Typically, each year the internal audit function develops an internal audit
plan of projects that are selected based on a risk-based approach aligned with organizational objectives and
stakeholder priorities. For instance, areas of review may include compliance with code of conduct, design of the
risk assessment process, reporting of data quality, and reporting of specific transactions and controls. Reports
are distributed to senior management, the board of directors or its audit committee, and other parties positioned
to take action on the recommendations in the report.
• Other Objective Evaluations — For entities that lack an internal audit group or for those that have other quality
functions that perform internal audit-like activities (such as a controls compliance group), management may use
other internal or external objective reviewers, such as compliance officers, operations specialists, IT security
specialists, or consultants. For example, an entity's IT security specialist may periodically evaluate the entity's
compliance with relevant information security standards.26
• Cross Operating Unit or Functional Evaluations — An entity may use personnel from different operating units or
functional areas to evaluate components of internal controls. For example, quality audit personnel from
operating unit A may periodically evaluate the internal controls of operating unit B. Also, adding personnel from
different operating units or functional areas on evaluations may improve communications between operating
units or functional areas.
• Benchmarking / Peer Evaluations — Some entities compare or benchmark components of internal control
against those of other entities. Such comparisons might be done directly with another entity or under the
auspices of trade or industry associations. Other entities may be able to provide comparative information. A
word of caution: when conducting comparisons, consider the differences that always exist in objectives, facts,
and circumstances.
• Self-Assessments — Separate evaluations may take the form of self-assessments (also called self-reviews),
where those responsible for a particular unit or function will assess the presence and functioning of components
of internal control relating to their activities. For example, in one company the chief executive of a food product
division directs the evaluation of its internal control activities related to food safety regulations. She personally
assesses the controls associated with strategic choices and high-level objectives as well as the components of
internal environment, and individuals in charge of the division's various operating activities assess the presence
and functioning of components relative to their spheres of responsibility. Since self-assessments may have less
objectivity, depending on the person conducting the self-assessment, than other separate evaluation
approaches, the evaluator or those using the report will determine the weight and value to be placed on the
results.

Outsourced Service Providers

Entities that use outsourced service providers for services such as third-party warehousing, Internet hosting,
healthcare claims processing, retirement plan administration, or loan services need to understand the activities
and controls associated with the services and how the outsourced service provider's internal control system
impacts the entity's system of internal control.

Entities may use the following approaches to understand the outsourced service provider's system of internal
control:

• The user of outsourced services may conduct its own separate evaluations of the outsourced service provider's
system of internal control as relevant to the entity. In these circumstances an entity should build into its contract
with any outsourced service provider a right-to-audit clause to allow for its own separate evaluation and access
to visit the provider.
• Relevant information concerning internal control at an outsourced service provider may be attained by reviewing
an independent audit or examination report.27 When reviewing such reports, organizations consider the content
of the assertions and attestations to be satisfied that the outsourced service provider's controls interface with the
entity's controls, and that the tests and results of the outsourced service provider's controls provide sufficient
comfort to the user entity. Entities also consider the period of time covered by an independent audit or
examination report since it might not coincide with or provide the complete coverage needed by the entity. In
these circumstances an entity should build into its contract with any outsourced service provider a requirement
for an independent audit or examination report.
• When considering circumstances such as the nature and scope of information transferred between parties and
the nature of the processing and reporting the outsourced service provider performs, an entity may be able to
determine that there is sufficient internal control over processing provided by the outsourced service provider
without additional documentation.

Evaluates and Communicates Deficiencies

Principle 17: The organization evaluates and communicates internal control deficiencies in a timely manner to
those parties responsible for taking corrective action, including senior management and the board of directors,
as appropriate.

Points of Focus

The following points of focus highlight important characteristics relating to this principle:

• Assesses Results — Management and the board of directors, as appropriate, assess results of ongoing and
separate evaluations.
• Communicates Deficiencies — Deficiencies are communicated to parties responsible for taking corrective
action and to senior management and the board of directors, as appropriate.
• Monitors Corrective Actions — Management tracks whether deficiencies are remediated on a timely basis.

Assess Results

In conducting monitoring activities, the organization may identify matters worthy of attention. Those that
represent a potential or real shortcoming in some aspect of the system of internal control that has the potential to
adversely affect the ability of the entity to achieve its objectives are referred to as internal control deficiencies. In
addition, the organization may identify opportunities to improve the efficiency of internal control, or areas where
changes to the current system of internal control may provide a greater likelihood that the entity's objectives will
be achieved. Although identifying and assessing potential opportunities is not part of the system of internal
control, the organization will typically want to capture any opportunities identified and communicate those to the
strategy or objective-setting processes.

Deficiencies in an entity's components of internal control and underlying principles may surface from a variety of
sources:

• Monitoring activities, including:
  • Ongoing evaluations of an entity, including managerial activities and everyday supervision of employees,
  which generate insights from those who are directly involved in the entity's activities. These insights are
  obtained in real time and can quickly identify deficiencies.
  • Separate evaluations performed by management, internal auditors, functional managers, and other
  personnel, which can highlight areas that need to be improved.
• Other components of internal control provide input relative to the operation of that component.
• External parties such as customers, vendors, external auditors, and regulators frequently provide important
information about an entity's components of internal control.

Communicating Internal Control Deficiencies

Reporting on internal control deficiencies depends on the criteria established by regulators, standard-setting
bodies, and management and boards of directors, as appropriate. Results of ongoing and separate evaluations
are assessed against those criteria to determine whom to report to and what is reported. Alternatively, any
criteria established by the board of directors or management typically are based on the entity's facts and
circumstances and on established laws, rules, regulations, and standards.

Communicating internal control deficiencies to the right parties to take corrective actions is critical for entities to
achieve objectives. Additionally, the scope and approach of the evaluations, as well as any internal control
deficiencies, need to be communicated to those conducting the overall assessment of effectiveness of internal
control.

The nature of matters to be communicated varies depending on how the deficiency is evaluated against
appropriate criteria, individuals' authority to deal with circumstances that arise, and the oversight activities of
superiors. Deficiencies may be reported to senior management and the board of directors depending on the
reporting criteria as established by regulators, standard-setting bodies, or the entity, as appropriate. Internal
control deficiencies are usually reported both to the parties responsible for taking corrective action and to at least
one level of management above that person.

This higher level of management provides needed support or oversight for taking corrective action and is
positioned to communicate with others in the entity whose activities may be affected. Where findings cut across
organizational boundaries, the deficiencies are reported to all relevant parties and to a sufficiently high level to
drive appropriate action. For instance, deficiencies relating to a board member or subcommittee where the board
member or subcommittee is not independent to the extent required, or where the board did not provide
sufficient oversight, would be reported as prescribed by the entity's reporting protocols to the full board, the chair
of the board, lead director, and/or the nominating/governance or other appropriate board committees.

In considering what needs to be communicated, it is necessary to look at the implications of findings and the
entity's reporting directives. It is essential that not only a particular transaction or event be reported, but also that
related faulty procedures be re-evaluated. Alternative communications channels should also exist for reporting
sensitive information such as illegal or improper acts. Additionally, deficiencies may need to be reported
externally depending on the type of entity and the regulatory, industry, or other compliance requirements to
which it is subject.

Monitoring Corrective Actions

After internal control deficiencies are evaluated and communicated to those parties responsible for taking
corrective action, management tracks whether remediation efforts are conducted on a timely basis. Those
responsible for taking corrective actions are usually different from those conducting the monitoring activities. The
organization exercises judgment in determining how deficiencies are remediated and that judgment should be
applied by those responsible for selecting, developing, and deploying controls to effect principles.

As is the case with the initial communication of internal control deficiencies, deficiencies that are not remediated
on a timely basis are usually communicated to at least one level of management above the party responsible for
taking corrective action. In addition, management may need to revisit the selection and deployment of monitoring
activities, including a mix of ongoing and separate evaluations, until corrective actions have remediated the
internal control deficiency.

Footnotes

25 Some external bodies may require an entity to have an internal audit function. For example, the New
York Stock Exchange requires all corporations that list securities on the exchange to have an internal
audit function (NYSE Listed Company Manual 303A.07(d)).

26 An entity might use ISO/IEC 27002, published by the International Organization for Standardization
(ISO) and by the International Electrotechnical Commission (IEC), which provides recommended
practices for information security management for use by those responsible for designing, implementing
or maintaining information security management systems.

27 Examples of attestations for external financial reporting include a Service Organization Control (SOC)
report issued pursuant to the AICPA's Statement on Standards for Attestation Engagements No 16
(SSAE 16 or SOC 1) or the International Standard on Assurance Engagements 3402 report (ISAE
3402).

10. Limitations of Internal Control

Chapter Summary

Internal control, no matter how well designed, implemented and conducted, can provide only reasonable
assurance to management and the board of directors of the achievement of an entity's objectives. The likelihood
of achievement is affected by limitations inherent in all systems of internal control. These include the realities
that human judgment in decision making can be faulty, external events outside the organization's control may
arise, and breakdowns can occur because of human failures such as making errors. Additionally, controls can be
circumvented by two or more people colluding, and because management can override the system of internal
control.

Internal control has been viewed by some observers as ensuring that an entity will not fail — that is, the entity
will always achieve its operations, reporting, and compliance objectives. In this sense, internal control
sometimes is looked upon as a cure-all for all real and potential business ills. This view is misguided. Internal
control is not a panacea.

In considering limitations of internal control, two distinct concepts must be recognized. The first set of limitations acknowledges that certain events or conditions are simply beyond management's control. The second acknowledges that no system of internal control will always do what it is designed to do. The best that can be expected in any system of internal control is that reasonable assurance be obtained, which is the focus of this chapter; internal control cannot provide absolute assurance for any of the objective categories.

Reasonable assurance does not imply that systems of internal control will frequently fail. Many factors, individually and collectively, serve to strengthen the concept of reasonable assurance. Controls that support multiple objectives or that effect multiple principles within or across components reduce the risk that an entity may not achieve its objectives. Furthermore, the normal, everyday operating activities and responsibilities of people functioning at various levels of an organization are directed at achieving the entity's objectives. Indeed, it is likely that these activities often apprise management about the progress toward the entity's operations objectives, and also support the achievement of compliance and reporting objectives. However, because of the inherent limitations discussed here, there is no guarantee that, for example, an uncontrollable event, mistake, or improper incident could never occur. In other words, even an effective system of internal control may experience failures. Reasonable assurance is not absolute assurance.

Notwithstanding these inherent limitations, management should be aware of them when selecting, developing,
and deploying controls that can, to the extent practical, minimize them.

Preconditions of Internal Control

The Framework specifies several areas that are part of the management process but not part of internal control.
Two such areas relate to the governance process that extends the board's role beyond internal control and
establishing objectives as a precondition to internal control. There is a dependency established on these areas,
among others, to also be effective. For example, an entity's weak governance processes for selecting,
developing, and evaluating board members may limit its ability to provide appropriate oversight of internal
control. Similarly, ineffective strategy-setting or objective-setting processes would challenge the entity's ability to
identify poorly specified, unrealistic, or unsuitable objectives. A system of internal control cannot encompass all
activities undertaken by the entity, and weaknesses in these areas may impede the organization from having
effective internal control.

Judgment

The effectiveness of internal control is limited by the realities of human frailty in the making of business
decisions. Such decisions must be made with human judgment in the time available, based on information at
hand, subject to management biases, and under the pressures of the conduct of business. Some decisions
based on human judgment may later, with the clarity of hindsight, be found to produce less than desirable
results, and may need to be changed.

External Events

Internal control, even effective internal control, operates at different levels for different objectives. For objectives
relating to the effectiveness and efficiency of an entity's operations — achieving its mission, value propositions
(e.g., productivity, quality, and customer service), profitability goals, and the like — internal control cannot
provide reasonable assurance of the achievement when external events may have a significant impact on the
achievement of objectives and the impact cannot be mitigated to an acceptable level. In these situations, internal
control can only provide reasonable assurance that the organization is aware of the entity's progress, or lack of
it, toward achieving such objectives.

Breakdown

Even a well-designed system of internal control can break down. Personnel may misunderstand instructions, make mistakes in judgment, or commit errors due to carelessness, distraction, or being asked to focus on too many tasks. For example, a department supervisor responsible for investigating exceptions might simply forget or fail to pursue the investigation far enough to be able to make appropriate corrections. Temporary personnel conducting controls for vacationing or sick employees might not perform correctly. Changes in information technology application controls may be implemented before personnel have been trained to recognize indicators that they may not be functioning as designed.

Management Override

Even an entity with an effective system of internal control may have a manager who is willing and able to
override internal control. The term "management override" is used here to mean overruling prescribed policies or
procedures for illegitimate purposes with the intent of personal gain or an enhanced presentation of an entity's
performance or compliance. A manager of a division or operating unit, or a member of senior management,
might override the control for many reasons such as to:

• Increase reported revenue to cover an unanticipated decrease in market share
• Enhance reported earnings to meet unrealistic budgets
• Boost the market value of the entity prior to a public offering or sale
• Meet sales or earnings projections to bolster bonus payouts tied to performance
• Appear to cover violations of debt covenant agreements
• Hide lack of compliance with legal requirements

Override practices include deliberately making misrepresentations to bankers, lawyers, accountants, and
vendors, and intentionally issuing false documents such as purchase orders and sales invoices.

Management override should not be confused with management intervention, which represents management's
actions to depart from prescribed controls for legitimate purposes. Management intervention is necessary to deal
with non-recurring and nonstandard transactions or events that otherwise might be handled inappropriately.
Provision for management intervention is necessary because no process can be designed to anticipate every
risk and every condition. Management's actions to intervene are generally overt and subject to policies and
procedures or otherwise disclosed to appropriate personnel. Actions to override usually are not documented or
disclosed, and have the intent to cover up the actions.

Collusion

Collusion can result in internal control deficiencies. Individuals acting collectively to perpetrate and conceal an action from detection often can alter financial or other management information so that it cannot be detected or prevented by the system of internal control. Collusion can occur, for example, between an employee who performs controls and a customer, supplier, or another employee. Sales and/or operating unit management might collude to circumvent controls so that reported results meet budgets or incentive targets.

Appendices

A. Glossary

• Application Controls — Programmed procedures in application software and related manual procedures designed to help ensure the completeness and accuracy of information processing.
• Automated Controls — Control activities mostly or wholly performed through technology (e.g., automated control functions programmed into computer software; contrast with Manual Controls).
• Board — Governing body of an entity, which may take the form of a board of directors or supervisory board for a corporation, board of trustees for a not-for-profit organization, board of governors or commissioners for government entities, general partners for a partnership, or owner for a small business.
• Category — One of three groupings of objectives of internal control. The categories relate to operations, reporting, and compliance.
• Compliance — Having to do with conforming with laws and regulations applicable to an entity.
• Component — One of five elements of internal control. The internal control components are the Control Environment, Risk Assessment, Control Activities, Information and Communication, and Monitoring Activities.
• Control — (1) As a noun (i.e., existence of a control), a policy or procedure that is part of internal control. Controls exist within each of the five components. (2) As a verb (i.e., to control), to establish or implement a policy or procedure that effects a principle.
• Control Activity — An action established through policies and procedures that help ensure that management's directives to mitigate risks to the achievement of objectives are carried out.
• Control Deficiency — A synonym for Internal Control Deficiency. A control deficiency may also describe a deficiency with respect to a particular control or control activity.
• COSO — The Committee of Sponsoring Organizations of the Treadway Commission. COSO is a joint initiative of five private-sector organizations and is dedicated to providing thought leadership through the development of frameworks and guidance on enterprise risk management, internal control, and fraud deterrence (see www.coso.org).
• Design — (1) Intent; as used in the definition of internal control, the internal control system design is intended to provide reasonable assurance of the achievement of objectives; when the intent is realized, the system can be deemed effective. (2) Plan; the way a system is supposed to work, contrasted with how it actually works.
• Detective Control — A control designed to discover an unintended event or result after the initial processing has occurred but before the ultimate objective has concluded (contrast with Preventive Control).
• Effected — Used with an internal control system: devised and maintained.
• Effective Internal Control — An effective system of internal control provides reasonable assurance of achieving an entity's objectives. It requires that each of the five components of internal control and relevant principles is present and functioning, and that the five components of internal control are operating together.
• Entity — A legal entity or management operating model of any size established for a particular purpose. A legal entity may, for example, be a business enterprise, not-for-profit organization, government body, or academic institution. The management operating model may follow product or service lines, division, or operating unit, with geographic markets providing for further subdivisions or aggregations of performance.
• Entity-level — Higher levels of the entity, separate and distinct from other parts of the entity including subsidiaries, divisions, operating units, and functions.
• Entity-wide — Activities that apply across the entity — most commonly in relation to entity-wide controls.
• Ethical Values — Moral values that enable a decision-maker to determine an appropriate course of behavior; these values should be based on what is right, which may go beyond what is legal.
• Financial Statements — Typically a statement of financial position, a statement of income, a statement of changes in equity, a statement of cash flow, and notes to the financial statements.
• Inherent Limitations — Those limitations of all internal control systems. The limitations relate to the preconditions of internal control, external events beyond the entity's control, limits of human judgment, the reality that breakdowns can occur, and the possibility of management override and collusion.
• Inherent Risk — The risk to the achievement of objectives in the absence of any actions management might take to alter either the risk likelihood or impact.
• Integrity — The quality or state of being of sound moral principle; uprightness, honesty, and sincerity; the desire to do the right thing, to profess and live up to a set of values and expectations.
• Internal Control — A process, effected by an entity's board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting, and compliance.
• Internal Control Deficiency — A shortcoming in a component or components and relevant principle(s) that reduces the likelihood that the entity can achieve its objectives.
• Major Deficiency — An internal control deficiency or combination of deficiencies that severely reduces the likelihood that the entity can achieve its objectives.
• Management Intervention — Management's overruling of prescribed policies or procedures for legitimate purposes when dealing with non-recurring or non-standard transactions or events that otherwise might be handled inappropriately.
• Management Override — Management's overruling of prescribed policies or procedures for illegitimate purposes with the intent of personal gain or an enhanced presentation of an entity's financial condition or compliance status.
• Management Process — The series of actions taken by management to run an entity. An internal control system is a part of an integrated management process.
• Manual Controls — Controls performed manually, not through technology (contrast with Automated Controls).
• Operating Together — The determination that all five components collectively reduce, to an acceptable level, the risk of not achieving an objective.
• Operations — Used with "objectives" or "controls": having to do with the effectiveness and efficiency of an entity's operations, including performance and profitability goals, and safeguarding resources.
• Organization — People, including the board of directors, senior management, and other personnel.
• Policy — Management or board member statement of what should be done to effect control. Such statements may be documented, explicitly stated in communications, or implied through actions and decisions. A policy serves as the basis for procedures.
• Present and Functioning — Applied to components and principles. "Present" refers to the determination that components and relevant principles exist in the design and implementation of the system of internal control to achieve specified objectives. "Functioning" refers to the determination that components and relevant principles continue to exist in the conduct of the system of internal control to achieve specified objectives.
• Preventive Control — A control designed to avoid an unintended event or result at the time of initial occurrence (contrast with Detective Control).
• Procedure — An action that implements a policy.
• Reasonable Assurance — The concept that internal control, no matter how well designed and operated, cannot guarantee that an entity's objectives will be met. This is because of Inherent Limitations in all internal control systems.
• Relevant Principle — Principles represent fundamental concepts associated with components. There may be a rare industry, operating, or regulatory situation in which management has determined that a principle is not relevant to a component.
• Residual Risk — The risk to the achievement of objectives that remains after management's response has been designed and implemented.
• Risk — The possibility that an event will occur and adversely affect the achievement of objectives.
• Risk Response — The decision to accept, avoid, reduce, or share a risk.
• Risk Tolerance — The acceptable level of variation in performance relative to the achievement of objectives.
• Senior Management — The chief executive officer or equivalent organizational leader and senior management team.
• Stakeholders — Parties that are affected by the entity, such as shareholders, the communities in which an entity operates, employees, customers, and suppliers.
• Technology — Software applications running on a computer, manufacturing control systems, etc.
• Technology General Controls — Control activities that help ensure the continued, proper operation of technology. They include controls over the technology infrastructure, security management, and technology acquisition, development, and maintenance. Other terms sometimes used to describe technology general controls are "general computer controls" and "information technology controls."
• Transaction Controls — Control activities that directly support the actions to mitigate transaction processing risks in an entity's business processes. Transaction controls can be manual or automated and will likely cover the information-processing objectives of completeness, accuracy, and validity.

B. Roles and Responsibilities
Introduction

Internal control is effected by personnel internal to the organization, including the board of directors or equivalent
oversight body and its committees, management and personnel, business-enabling functions, and internal
auditors. Collectively, they contribute to providing reasonable assurance that specified objectives are achieved.
When outsourced service providers perform controls on behalf of the entity, management retains responsibility
for those controls.

An organization may view internal control through three lines of defense:

• Management and other personnel on the front line provide the first line of defense as they are responsible for maintaining effective internal control day to day; they are compensated based on performance in relation to all applicable objectives.
• Business-enabling functions such as risk, control, legal, and compliance provide the second line of defense as they clarify internal control requirements and evaluate adherence to defined standards. While they are functionally aligned to the business, their compensation is not directly tied to performance of the area to which they render expert advice.
• Internal auditors provide the third line of defense as they assess and report on internal control and recommend corrective actions or enhancements for management to consider and implement; their position and compensation are separate and distinct from the business areas they review.

Responsible Parties

Every individual within an entity has a role in effecting internal control. Roles vary in responsibility and level of
involvement, as discussed below.

The Board of Directors and Its Committees

Depending on the jurisdiction and nature of the organization, different governance structures may be
established, such as a board of directors, supervisory board, trustees, and/or general partners, with committees
as appropriate. In the Framework, these governance structures are commonly referred to as the board of
directors.

The board is responsible for overseeing the system of internal control. With the power to engage or terminate
the chief executive officer, the board has a key role in defining expectations about integrity and ethical values,
transparency, and accountability for the performance of internal control responsibilities. Board members are
objective, capable, and inquisitive. They have a working knowledge of the entity's activities and environment,
and they commit the time necessary to fulfill their governance responsibilities.
They utilize resources as needed to investigate any issues, and they have an open and unrestricted
communications channel with all entity personnel, the internal auditors, independent auditors, external
reviewers, and legal counsel.

Boards of directors often carry out certain duties through committees, whose use varies depending on regulatory
requirements and other considerations. Board committees may be used for oversight of audit, compensation,
nominations and governance, risk, and other topics significant for the organization. Each committee can bring
specific emphasis to certain components of internal control. Where a particular committee has not been
established, the related functions are carried out by the board itself.

Board-level committees can include the following:

• Audit Committee — Regulatory and professional standard-setting bodies often require the use of audit committees. The role and scope of authority of an audit committee can vary depending on the organization's regulatory jurisdiction, industry norm, or other variables. This is sometimes also called the audit and risk committee to emphasize the importance of risk oversight. Management is responsible for the reliability of the financial statements, but an effective audit committee plays a critical oversight role. The board of directors, often through its audit committee, has the authority and responsibility to question senior management regarding how it is carrying out its internal and external reporting responsibilities and to verify that timely corrective actions are taken, as necessary.

As a result of its independence, the audit committee, along with a strong internal audit function as applicable, is often best positioned to identify and promptly act in situations where senior management overrides controls or deviates from expected standards of conduct. The audit committee interacts with external auditors, meeting regularly to discuss the scope of planned audit procedures and results of audit procedures. Meetings with external auditors include executive sessions without management present to provide a forum for further dialogue between external auditors and audit committees. While board composition requirements vary, independent directors are important as they can provide an objective perspective. For example, the UK, German, and other corporate governance codes, and the New York Stock Exchange (NYSE) and NASDAQ listing requirements define the number and criteria for audit committee members to be independent from management and financially literate (e.g., at least one member with accounting or financial management expertise).

• Compensation Committee — Establishes the compensation for the chief executive officer or equivalent and provides oversight of compensation arrangements to motivate without providing incentives for undue risk-taking so as to ultimately protect and promote the interest of shareholders or other owners of the entity. It oversees senior management in its role to balance performance measures, incentives, and rewards with the pressures created by the entity's objectives, and helps structure compensation practices to support the achievement of the entity's objectives without unduly emphasizing short-term results over long-term performance.
• Nomination/Governance Committee — Provides control over the selection of candidates for directors and senior management. It regularly assesses and nominates members of the board of directors; makes recommendations regarding the board's composition, operations, and performance; oversees the succession planning process for the chief executive officer and other key executives; and develops oversight discipline, processes, and structures. It promotes director orientations and training and evaluates oversight structures and processes (e.g., board/committee evaluations).
• Other Committees — Other committees of the board of directors that oversee specific areas. These committees are often established in large organizations or due to particular circumstances of the entity. For example, in an industry where compliance with certain laws and regulations is fundamental to the survival or development of the organization, a board-level compliance committee may be necessary. Risk committees are formed to focus on changes in risk levels and related impacts, and oversight of risk responses. In addition to board committees that provide oversight, management-level committees often exist to provide guidance in the execution of specific areas, such as compliance committees, new product committees, and others.

Senior Management

Chief Executive Officer

The chief executive officer (CEO) is accountable to the board of directors and is responsible for designing, implementing, and conducting an effective system of internal control. In privately owned, not-for-profit, or other entities, the equivalent role may have a different title but
generally covers the same responsibilities as described below. More than any other individual, the CEO sets the
tone at the top that affects the control environment and all other components of internal control.

The CEO's responsibilities relating to internal control include:

• With the support of management, providing leadership and direction to senior management, shaping entity values, standards, expectations of competence, organizational structure, and accountability that form the foundation of the entity's internal control system (e.g., specifying entity-wide objectives and policies)
• Maintaining oversight and control over the risks facing the entity (e.g., directing all management and other personnel to proactively identify risks to the system of internal control, considering the ever-increasing pace of change and networked interactions of business partners, outsourced service providers, customers, employees, and others and resulting risk factors)
• Guiding the development and performance of control activities at the entity level, and delegating to various levels of management the design, implementation, conduct, and assessment of internal control at different levels of the entity (e.g., processes and controls to be established)
• Communicating expectations (e.g., integrity, competence, key policies) and information requirements (e.g., the type of planning and reporting systems the entity will use)
• Evaluating control deficiencies and the impact on the ongoing and long-term effectiveness of the system of internal control (e.g., meeting regularly with senior management from each of the operating units such as research and development, production, marketing, sales, and major business-enabling functions such as finance, human resources, legal, compliance, risk management to evaluate how they are carrying out their internal control responsibilities)

Other Members of Senior Management

Senior management comprises not only the CEO but also other senior executives leading the key operating
units and business-enabling functions. Examples include:

• Chief administrative officer
• Chief audit executive
• Chief compliance officer
• Chief financial officer
• Chief information officer
• Chief legal officer
• Chief operating officer
• Chief risk officer
• Other senior leadership roles, depending on the nature of the business

These senior management roles support the CEO with respect to internal control, specifically by:

• Providing leadership and direction to management in terms of shaping entity values, standards, expectations of competence, organizational structure, and accountability that form the foundation of the entity's internal control system (e.g., specifying entity-wide objectives and policies)
• Maintaining oversight over the risks facing the entity (e.g., directing all management and other personnel to proactively identify risks to the system of internal control, considering the ever-increasing pace of change and networked interactions of business partners, outsourced service providers, customers, employees, and others and resulting risk factors)
• Guiding the development and performance of controls at the entity level, and delegating to various levels of management the design, implementation, conduct, and assessment of internal control at different levels of the entity (e.g., processes and controls to be established)
• Communicating expectations (e.g., integrity, competence, key policies) and information requirements (e.g., the type of planning and reporting systems the entity will use)
• Evaluating internal control deficiencies and the impact on the ongoing and long-term effectiveness of the system of internal control (e.g., meeting regularly with finance, controllership, risk management, information technology, human resources, and business management from each of the operating units to evaluate how they are carrying out their internal control responsibilities)

Senior management guides the development and implementation of internal control policies and procedures that
address the objectives of their functional or operating unit and verify that they are consistent with the entity-wide
objectives. They provide direction, for example, on a unit's organizational structure and personnel hiring and
training practices, as well as budgeting and other information systems that promote control over the unit's
activities. As such, through a cascading responsibility structure, each executive is a CEO for his or her sphere of
responsibility.

Senior management assigns responsibility for establishing even more specific internal control procedures to
those personnel responsible for the unit's functions or departments. These subunit managers can play a more
hands-on role in devising and executing particular internal control procedures. Often, these managers are
directly responsible for determining resource requirements, training needs, and internal control procedures that
address unit objectives, such as developing authorization procedures for purchasing raw materials, accepting
new customers, or reviewing production reports to monitor product output. They also make recommendations on
the controls, monitor their application within processes, and meet with upper-level managers to report on the
operation of controls.

Depending on how many layers of management exist, these subunit managers, or lower-level supervisory
personnel, are directly involved in executing policies and procedures at a detailed level. It is their responsibility to
execute remedial actions as control exceptions or other issues arise. This may involve investigating data-entry
errors, transactions flagged on exception reports, departmental expense budget variances, or customer back
orders or product inventory positions. Issues are communicated up the organization's reporting structure
according to the level of severity. Issues requiring senior management oversight include financial performance,
product quality, product safety, workplace safety, community involvement, compliance with emission targets, or
other areas related to the achievement of the entity's objectives.

Management's responsibilities come with specific authority and accountability. Each manager is accountable to
the next higher level for his or her portion of the internal control system, with the CEO being ultimately
accountable to the board of directors, and the board being accountable to shareholders or other owners of the
entity.

The chief financial officer (CFO) supports the CEO in front-line responsibilities, including internal control over
financial reporting. In certain reporting jurisdictions, the CFO is required by law to certify to the effectiveness of
internal control over financial reporting, alongside the CEO.

Business-Enabling Functions

Various organizational functions or operating units support the entity through specialized skills, such as risk
management, finance, product/service quality management, technology, compliance, legal, human resources,
and others. They provide guidance and assessment of internal control related to their areas of expertise, and it is
incumbent on them to share and evaluate issues and trends that transcend organizational units or functions.
They keep the organization informed of relevant requirements as they evolve over time (e.g., new or changing
laws and regulations across a multitude of jurisdictions). Such business-enabling functions are referred to as the
second line of defense; front-line personnel, who execute the control activities, form the first.

Each of these functions serves its own purpose, but their efforts are coordinated and integrated as appropriate. For
example, a company's new customer acceptance process may be reviewed by the compliance function from a
regulatory perspective, by the risk management function from a concentration risk perspective, and by the
internal audit function to assess the design and effectiveness of controls. Disruptions to the business process
are minimized when the timing and approach to reviews and management of issues are coordinated to the
extent possible. Integration of efforts helps create a common language and platform for evaluating and
addressing internal control matters, as business-enabling functions guide the organization in achieving its
objectives.

Risk and Control Personnel

Risk and control functions are part of the second line of defense. Depending on the size and complexity of the
organization, dedicated risk and control personnel may support functional management to manage different risk
types (e.g., operational, financial, quantitative, qualitative) by providing specialized skills and guidance to front-
line management and other personnel and evaluating internal control. These activities can be part of an entity's
centralized or corporate organization or they can be set up with "dotted line" reporting to functional heads. Risk
and control functions are central to the way management maintains control over business activities.

Responsibilities of risk and control personnel include identifying known and emerging risks, helping management
develop processes to manage such relevant risks, communicating and providing education on these processes
across the organization, and evaluating and reporting on the effectiveness of such processes. The chief
risk/control officer is responsible for reporting to senior management and the board on significant risks to the
business and whether these risks are managed within the entity's established tolerance levels, with adequate
internal control in place. Despite such significant responsibilities, risk and control personnel are not responsible
for executing controls; they support the overall achievement of internal control.

Legal and Compliance Personnel

Counsel from legal professionals is key to defining effective controls for compliance with regulations and
managing the possibility of lawsuits. In large and complex organizations, specialized compliance professionals
can be helpful in defining and assessing controls for adherence to both external and internal requirements. The
chief legal/compliance officer is responsible for ensuring that legal, regulatory, and other requirements are
understood and communicated to those responsible for effecting compliance.

A close working relationship between business management and legal and compliance personnel provides a
strong basis for designing, implementing, and conducting internal control to manage adverse outcomes such as
regulatory sanctions, legal liability, and failure to adhere to internal compliance policies and procedures. At
smaller organizations, legal and compliance roles may be shared by the same professional, or one of these roles
can be outsourced with close oversight by management.

Other Personnel

Internal control is the responsibility of everyone in an entity and therefore constitutes an explicit or implicit part of
everyone's job description. Front-line personnel constitute the first line of defense in the performance of internal
control responsibilities. Examples include:

 Control Environment — Reading, understanding, and applying the standards of conduct of the organization
 Risk Assessment — Identifying and evaluating risks to the achievement of objectives and understanding
established risk tolerances relating to their areas of responsibility
 Control Activities — Performing reconciliations, following up on exception reports, performing physical
inspections, and investigating reasons for cost variances or other performance indicators
 Information and Communication — Producing and sharing information used in the internal control system (e.g.,
inventory records, work-in-process data, sales or expense reports) or taking other actions needed to effect
control
 Monitoring Activities — Supporting efforts to identify and communicate to higher-level management issues in
operations, non-compliance with the code of conduct, or other violations of policy or illegal actions

The care with which those activities are performed directly affects the effectiveness of the internal control
system. Internal control relies on checks and balances, including segregation of duties, and on employees not
"looking the other way." Personnel understand the need to resist pressure from superiors to participate in
improper activities, and channels outside normal reporting lines are available to permit reporting of such
circumstances.

Internal Auditors

As the third line of defense, internal auditors provide assurance and advisory support to management on internal
control. Depending on the jurisdiction, size of the entity, and nature of the business, this function may be
required or optional, internal or outsourced, large or small. In all cases, internal audit activities are expected to
be carried out by competent and professional resources aligned to the risks relevant to the entity.

The internal audit activity includes evaluating the adequacy and effectiveness of controls in responding to risks
within the organization's oversight, operations, and information systems. This includes, for example:

 Reliability and integrity of financial and operational information
 Effectiveness and efficiency of operations and programs
 Safeguarding of assets
 Compliance with laws, rules, regulations, standards, policies, procedures, and contracts

All activities within an organization are potentially within the scope of the internal auditor's responsibility. In some
entities, the internal audit function is heavily involved with controls over operations. For example, internal
auditors may periodically monitor production quality, test the timeliness of shipments to customers, or evaluate
the efficiency of the plant layout. In other entities, the internal audit function may focus primarily on compliance
or financial reporting-related activities. In all cases, internal auditors demonstrate the necessary knowledge of the
business and independence to provide a meaningful evaluation of internal control.

The scope of internal auditing is typically expected to include oversight, risk management, and internal control,
and to assist the organization in maintaining effective control by evaluating its effectiveness and efficiency and by
promoting continual improvement. Internal audit communicates findings and interacts directly with management,
the audit committee, and/or the board of directors.

Internal auditors maintain an impartial view of the activities they audit through their skills and authority within the
entity. Internal auditors have functional reporting to the audit committee and/or the board of directors and
administrative reporting to the chief executive officer or other members of senior management.

Internal auditors are objective when not placed in a position of subordinating their judgment on audit matters to
that of others and when protected from other threats to their objectivity. The primary protection against these
threats is appropriate internal auditor reporting lines and staff assignments. These assignments are made to
avoid potential and actual conflicts of interest and bias. Internal auditors do not assume operating
responsibilities, nor are they assigned to audit activities with which they were involved recently in connection
with prior operating assignments.

External Parties

A number of external parties can contribute to the achievement of the entity's objectives, whether by performing
activities as outsourced service providers or by providing data or analysis to functional/operational personnel. In
both cases, functional/operational management always retains full responsibility for internal control.

Outsourced Service Providers

Many organizations outsource business functions, delegating their roles and responsibilities for day-to-day
management to outside service providers. Administrative, finance, human resources, technology, legal, and
even select internal operations can be executed by parties outside the organization, with the objective of
obtaining access to enhanced capabilities at a lower cost. For example, a financial institution may outsource its
loan review process to a third party, a technology company may outsource the operation and maintenance of its
information technology processing, and a retail company may outsource its internal audit function. While these
external parties execute activities for or on behalf of the organization, management cannot abdicate its
responsibility to manage the associated risks. It must implement a program to evaluate those activities
performed by others on its behalf to assess the effectiveness of the system of internal control over the
activities performed by outsourced service providers.

Other Parties Interacting with the Entity

Customers, vendors, and others transacting business with the entity are an important source of information used
in conducting control activities. For example:

 A customer can inform a company about shipping delays, inferior product quality, or failure to otherwise meet
the customer's needs for product or service. Or a customer may be more proactive and work with an entity in
developing needed product enhancements.
 A vendor can provide statements or information regarding completed or open shipments and billings, which may
be used to identify and correct discrepancies and to reconcile balances.
 A potential supplier can notify senior management of an employee's request for a kickback.
 Experts can provide market data to help the organization adapt its business model and supporting processes
and controls to new challenges and opportunities.
 A non-governmental organization or newspaper may publish reports on working or environmental conditions at a
supplier or sub-supplier.

Such information sharing between management and external parties can be important to the entity in achieving
its operations, reporting, and compliance objectives. The entity has mechanisms in place with which to receive
such information and to take appropriate action on a timely basis — that is, it not only addresses the particular
situation reported, but also investigates the underlying source of an issue and fixes it.

In addition to customers and vendors, other parties, such as creditors, can provide insight on the achievement of
an entity's objectives. A bank, for example, may request reports on an entity's compliance with certain debt
covenants and recommend performance indicators or other desired targets or controls.

Independent Auditors

In some jurisdictions, an independent auditor is engaged to audit or examine the effectiveness of internal control
over external financial reporting in addition to auditing the entity's financial statements. (In some jurisdictions, the
auditor is also legally required to express an opinion on the effectiveness of the internal control over external
financial reporting in addition to his or her opinion on the financial statements.) Results of these audits enable
the auditor to provide information to management that will be useful in conducting its oversight responsibilities.
These reports and communications may include:

 Observations including analytical information and recommendations for use in taking actions necessary to
achieve established objectives
 Findings of internal control deficiencies that come to the attention of the auditor, and recommendations for
improvement

Notwithstanding the depth and nature of the independent auditor's work, this work is neither a replacement for nor a
supplement to an adequate system of internal control, which remains the full responsibility of management.

Such information frequently relates not only to financial reporting but to operations and compliance activities as
well. The information is reported to and acted upon by management and, depending on its significance, to the
board of directors or audit committee.

External Reviewers

Subject matter specialists can be solicited or mandated to review specific areas of the organization's internal
control. Recognizing the various requirements or expectations of its stakeholders, an organization often seeks
expert advice to translate these into policies and procedures, as well as communications and training, and
evaluation of adherence to such requirements and standards. Workplace safety, environmental concerns, and
fair trade practices are some examples of areas where an organization proactively seeks to ensure that it is
complying with governing rules and standards. Certain functional areas may also be reviewed to promote
greater effectiveness and efficiency of operations, such as compliance reviews, information systems penetration
testing, and employment practices assessments.

Legislators and Regulators

Legislators and regulators can affect the internal control systems through specific requirements to establish
internal control across the organization and/or through examinations of particular operating units. Many entities
have long been subject to legal requirements for internal control. For example, companies listed on a US stock
exchange are expected to establish and maintain a system of internal control, and legislation requires that senior
executives of publicly listed companies certify to the effectiveness of their company's internal control over
financial reporting.

Various regulations require that public companies establish and maintain internal accounting control systems
that satisfy specified objectives. Various laws and regulations apply to financial assistance programs, which
address a variety of activities ranging from civil rights to cash management, and specify required internal control
procedures or practices. Several regulatory agencies directly examine entities for which they have oversight
responsibility. For example, federal and state bank examiners conduct examinations of banks and often focus on
certain aspects of the banks' internal control systems. These agencies make recommendations and are
frequently empowered to take enforcement action. Thus, legislators and regulators affect the internal control
systems in several ways:

 They establish rules that provide the impetus for management to establish an internal control system that meets
statutory and regulatory requirements.
 Through examination of a particular entity, they provide information used by the entity's internal control system
and provide comment letters, recommendations, and sometimes directives to management on needed internal
control system improvements.
 They may receive and, in turn, investigate whistle-blower allegations.

Financial Analysts, Bond Rating Agencies, and the News Media

Financial analysts, bond rating agencies, and news media personnel analyze management's performance
against strategies and objectives by considering historical financial statements and prospective financial
information, actions taken in response to conditions in the economy and marketplace, potential for success in
the short and long term, and industry performance and peer-group comparisons, among other factors. Such
investigative activities can provide insights, among many other outcomes, into the state of internal control and
into how management is working to enhance it.

C. Considerations for Smaller Entities


Characteristics of Smaller Entities

Many different perceptions exist as to what constitutes a "smaller" entity. Some think of a local, family-owned
hardware store or corner bakery as a typical small business. Others may think of a not-for-profit entity that
generates several million dollars in annual donations. Others may consider a small entity in the context of a
company that has been public for many years manufacturing an innovative product, and which now generates
annual revenue of several hundred million dollars with hopes that future growth will catapult it to the Fortune 500
category. Depending on perspective, any or all of these may be considered "smaller" entities.

The Framework does not provide a definition in terms of revenue, capitalization, or other factors; that is the role
of regulators or other parties. Instead, the use of the term "smaller" rather than "small" suggests there is a wide range of
entities to which these considerations apply. The focus here is on smaller entities that have many of the
following characteristics:

 Fewer lines of business and fewer products within lines
 Concentration of marketing focus by channel or geography
 Leadership by management with significant ownership interest or rights
 Fewer levels of management with wider spans of control
 Less complex transaction processing systems
 Fewer personnel, many having a wider range of duties
 Limited ability to maintain deep resources in line as well as support staff positions such as legal, human
resources, accounting, and internal auditing

The last bulleted item, limited ability to maintain deep resources, is a frequent cause of smaller entities being
lower on the economies-of-scale curve. Often, but not always, smaller entities have a higher per unit cost of
producing a product or providing a service. On the other hand, many smaller entities achieve competitive
advantage in cost savings through innovation, lower overhead (by retaining fewer people and substituting
variable for fixed costs via a part-time workforce or variable compensation plans), and narrower focus in terms of
product, location, and complexity.

Economies of scale are often a factor affecting support functions, including those that directly support internal
control. For example, establishing an internal audit function within a hundred-million-dollar entity likely would
require a larger percentage of economic resources than would be the case for a multi-billion-dollar entity.
Certainly, the smaller entity's internal audit function would be smaller, and might rely on co-sourcing or
outsourcing to provide needed skills, where the larger entity's function might have a broad range of experienced
personnel in-house. But in all likelihood the relative cost for the smaller entity would be higher than for the larger
one.

None of the above characteristics is definitive by itself. Certainly, size, by whatever measure — assets,
revenue, spending, personnel, or other — affects and is affected by these characteristics, and shapes thinking
about what constitutes "smaller."

Meeting Challenges in Attaining Cost-Effective Internal Control

The characteristics of smaller entities tend to provide significant challenges for cost-effective internal control.
Often managers of smaller entities view control as an administrative burden to be added to existing business
processes, rather than recognize the business need for and benefit of effective internal control that is integrated
within these processes.

Among the challenges are:

 Obtaining sufficient resources to achieve adequate segregation of duties
 Balancing management's ability to dominate activities against the significant opportunities this creates for
improper management override of processes to make it appear that business performance goals have been met
 Recruiting individuals with requisite expertise to serve effectively on the board of directors and committees
 Recruiting and retaining personnel with sufficient experience and skill in operations, reporting, compliance, and
other disciplines
 Taking critical management attention from running the business in order to provide sufficient focus on internal
control
 Controlling information technology and maintaining appropriate general and application controls over computer
information systems with limited technical resources

Despite resource constraints, smaller entities usually can meet these challenges and succeed in attaining
effective internal control in a reasonably cost-effective manner.

Segregation of Duties

Many smaller entities have limited numbers of employees performing various functions, which sometimes results
in inadequate segregation of duties. There are, however, actions that management can take to compensate for
this circumstance. Following are some types of controls that can be implemented:

 Review Reports of Detailed Transactions — Managers review on a regular and timely basis system reports of
the detailed transactions.
 Review Selected Transactions — Managers select transactions for review of supporting documents.
 Periodically Observe Assets — Managers periodically conduct counts of physical inventory, equipment, and
other assets and compare them with the accounting records.
 Check Reconciliations — Managers from time to time review reconciliations of account balances such as cash,
accounts payable, and accounts receivable, or perform them independently.

Segregation of duties is not an end in itself, but rather a means of mitigating a risk inherent in processing. When
developing or assessing controls that address risks in an entity with limited ability to segregate duties,
management should consider whether other controls satisfactorily address these risks and are applied
conscientiously enough to reduce risk.
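The compensating controls listed above are manual reviews, but the first two can be driven by an exception report generated from the transaction system rather than by reading every line. The following Python script is an added example and is not part of the COSO text: it runs over a constructed transaction log and a constructed role assignment table and flags (a) transactions that the same person both initiated and approved, (b) transactions above a hypothetical review threshold that the manager should pull supporting documents for, and (c) users holding a hypothetical pair of conflicting roles. The transaction fields, user and role names, conflict pairs, and threshold are all assumptions chosen for illustration.

```python
"""Segregation-of-duties exception report over a transaction log.

Added example, not part of the COSO text. Supports the compensating
controls "review reports of detailed transactions" and "review selected
transactions" when duties cannot be fully segregated. All data below is
constructed; role names and conflict pairs are assumptions.
"""
from dataclasses import dataclass

# Hypothetical role pairs that one person should not hold at the same time.
CONFLICTING_ROLES = {
    frozenset({"vendor_master", "payment_approve"}),
    frozenset({"payment_create", "payment_approve"}),
    frozenset({"po_create", "goods_receipt"}),
}


@dataclass(frozen=True)
class Transaction:
    txn_id: str
    kind: str
    initiator: str
    approver: str
    amount: float


# Constructed sample transaction log (hypothetical users and amounts).
SAMPLE_TXNS = [
    Transaction("T1001", "payment", "alice", "bob", 4_200.00),
    Transaction("T1002", "payment", "carol", "carol", 18_750.00),  # self-approved
    Transaction("T1003", "vendor_change", "dave", "bob", 0.00),
    Transaction("T1004", "payment", "dave", "bob", 12_000.00),
]

# Constructed role assignments as they might be exported from the system.
SAMPLE_ROLES = {
    "alice": {"payment_create"},
    "bob": {"payment_approve"},
    "carol": {"payment_create", "payment_approve"},
    "dave": {"vendor_master", "payment_approve"},
}


def self_approved(transactions):
    """Transactions where the initiator also acted as approver."""
    return [t for t in transactions if t.initiator == t.approver]


def role_conflicts(user_roles):
    """(user, sorted conflicting role pair) for every conflict found."""
    hits = []
    for user, roles in sorted(user_roles.items()):
        held = frozenset(roles)
        for pair in sorted(CONFLICTING_ROLES, key=sorted):
            if pair <= held:
                hits.append((user, tuple(sorted(pair))))
    return hits


def review_report(transactions, user_roles, threshold=10_000.0):
    """Build the exception report a reviewing manager would work from.

    Items are grouped by reason so the reviewer can pull supporting
    documents for each one; threshold is a hypothetical review limit.
    """
    return {
        "self_approved": [t.txn_id for t in self_approved(transactions)],
        "above_threshold": [t.txn_id for t in transactions if t.amount >= threshold],
        "role_conflicts": role_conflicts(user_roles),
    }


def format_report(report):
    """One line per exception, in the order the report groups them."""
    lines = []
    for reason, items in report.items():
        for item in items:
            lines.append(f"{reason}: {item}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(review_report(SAMPLE_TXNS, SAMPLE_ROLES)))
```

The self-approval check is the cheapest to automate and catches the most direct failure of segregation; the role-conflict check is worth running on every change to the system's user assignments, not only at period end, because a conflict created by a role change is what makes a self-approval possible in the first place.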

Management Override

Many smaller entities are dominated by the founder or a leader who exercises a great deal of discretion and
provides personal direction to other personnel. This positioning may be key to enabling the entity to meet its
growth and other objectives, and can also contribute significantly to effective internal control. With this leader's
in-depth knowledge of different facets of the entity — its operations, processes, policies and procedures,
contractual commitments, and business risks — he or she is positioned to know what to expect in reports
generated by the system and to follow up as needed. Such concentration of knowledge and authority, however,
comes with a downside: the leader typically is able to override controls.

There are a few basic but important things that can help to mitigate the risk of management override:

 Maintain a corporate culture where integrity and ethical values are held in high esteem, embedded throughout
the organization, and practiced on an everyday basis. This can be supported and reinforced by recruiting,
compensating, and promoting individuals where these values are appropriately reflected in behavior.
 Implement a whistle-blower program, where personnel feel comfortable reporting any improprieties, regardless
of the level at which they may be committed. Importantly, they may be able to maintain anonymity and
confidence that reported matters will be investigated thoroughly and acted upon, appropriately and without
reprisals. It is important that where circumstances warrant matters can be reported directly to the board or audit
committee.
 Position an effective internal audit function to detect instances of wrongdoing and breakdowns at the entity and
subunit levels. Ready access to relevant information and ability to communicate directly with senior
management and the board or audit committee are key factors.
 Attract and retain qualified board members who take their responsibilities seriously to perform the critical role of
preventing or detecting instances of management override.

Such practices mitigate the risk of impropriety and promote accountability of leadership, while gaining the unique
advantages of cost-effective internal control in a smaller entity environment.

Board of Directors

The discussion above highlights the need for a board of directors with requisite expertise to perform its oversight
responsibilities well. With appropriate knowledge, attention, and communication, the board is positioned to
provide an effective means of offsetting the effects of improper management override. In smaller entities, the
board of directors typically has in-depth knowledge of what usually are relatively straightforward business
operations, and it communicates more closely with a broader range of personnel.

Many smaller entities, however, find it very difficult to attract independent directors with the desired skills and
experience. Typical challenges to finding suitable directors include inadequate knowledge of the entity and its
people, the entity's limited ability to provide compensation commensurate with board responsibilities, a sense
that the chief executive might be unaccustomed or unwilling to appropriately share governance responsibilities,
or concerns about potential personal liability.

Some entities address such concerns of prospective board candidates and expand their search for valued or required
expertise, such as financial and accounting expertise. In this way, they can shape the board to not only
appropriately monitor senior management, but also to provide value-added advice.

Information Technology

Many smaller entities do not have the extensive technical resources necessary to select, develop, and deploy
software applications in a controlled manner. Thus, these entities consider alternatives to meet their
business process and internal control needs.
Many smaller entities use software developed and maintained by others. These packages still require controlled
implementation and operation, but many of the risks associated with systems developed in-house are reduced.
For example, there is typically less need for program change controls over the application code itself, inasmuch as
changes are made exclusively by the developer, and personnel in a smaller entity generally lack the technical
expertise to attempt unauthorized program modifications.

Commercially developed software packages can bring additional advantages. Such packages may provide
embedded facility for controlling which employees can access or modify specified data, perform checks on data
processing completeness and accuracy, and maintain related documentation.

Monitoring Activities

Monitoring activities routinely performed by managers running a business can provide information on the
presence and functioning of other components and relevant principles. Managers of many smaller entities
regularly perform such activities but have not always taken sufficient credit for their contribution to the
effectiveness of internal control. These activities, usually performed manually and sometimes supported by
computer software, should be fully considered in designing, implementing, and conducting internal control and
assessing the effectiveness of internal control.

D. Methodology for Revising the Framework

Background

In November 2010, the Committee of Sponsoring Organizations of the Treadway Commission (COSO)
announced a project to review and update its Internal Control — Integrated Framework (original framework).
This initiative was expected to make the original framework and related evaluation tools more relevant in the
increasingly complex industry, operating, and regulatory environment so that organizations worldwide could
better design, implement, and conduct internal control and assess its effectiveness. As the author of the original
framework, PwC conducted this project by bringing together in-depth understanding of the original framework and
rationale for decisions made in creating the Framework, and sought input from users, stakeholders, and senior
resources who provided current perspectives on internal control.

The original framework has been widely accepted by organizations in implementing, designing, conducting, and
assessing internal control relating to operations, compliance, and financial reporting objectives, and more
recently to internal control over financial reporting in compliance with the US Sarbanes-Oxley Act of 2002 (SOX)
and similar regulatory requirements in other countries. Enhancement provided by this project is not intended to
change how internal control is defined, assessed, or managed, but rather to provide relevant conceptual
guidance and practical examples.
The COSO Board formed an Advisory Council comprising representatives from industries, academia,
government agencies, and non-profit entities, and observers from regulators and standard setters to provide
input as the project progressed. In addition, the Framework has been exposed to the public to capture additional
input. Such due process has helped the update adequately address the current challenges organizations face in
their internal control.

Approach

The project consisted of five phases:

 Assess and Envision — Through literature reviews, global surveys, and public forums, this phase identified
current challenges for organizations in implementing the Framework. During this phase, PwC analyzed
information, reviewed various sources of input, and identified critical issues and concerns. COSO launched a
global survey, open to the general public for input on the original framework, which drew over 700
responses.
 Build and Design — PwC, with COSO Board oversight, developed the updated Framework. Multiple drafts of the
documents were reviewed by the Advisory Council, and various user and stakeholder groups provided additional
insight about proposed updates via participation in conferences, webinars, and seminars sponsored by COSO
organizations.
 Preparation for Public Exposure — With assistance provided by the Advisory Council and oversight of the
COSO Board, PwC prepared exposure drafts and an on-line questionnaire to facilitate a review by the
general public. The COSO Board and PwC asked for comments from the general public on many relevant
topics, including whether the:

 Requirements of effective internal control are clearly set forth in the Framework
 Roles of components, relevant principles, and points of focus are clearly set forth in the Framework
 Framework is sound, logical, and useful to management of entities of all sizes

 Public Exposure — In this phase, PwC refined the update through reviews with the general public. The
Framework was issued for public exposure for a 104-day comment period. During this phase, PwC, COSO
Board members, and Advisory Council members presented the updated Framework at numerous professional
conferences, seminars, round tables, and meetings with users and stakeholders. The updated Framework was
also made available for comment during the public exposure of the companion documents: Internal Control over
External Financial Reporting: Compendium of Approaches and Examples, and Illustrative Tools for Assessing
Effectiveness of a System of Internal Control. PwC reviewed and analyzed all comments received during these
public exposure periods, and reviewed resolutions and modifications related to more significant issues raised
during public exposure with the COSO Board and Advisory Council.

• Finalization — PwC finalized the Framework and related publications and provided final documents to the
COSO Board for review and acceptance.

Within each project phase and between phases, as one might expect, many different and sometimes
contradictory observations or recommendations were expressed on fundamental issues relating to internal
control. PwC, with COSO Board oversight, carefully considered the merits of positions put forth, both individually
and in the context of related issues, and revised the Framework to help the development of a relevant, logical,
and internally consistent publication on internal control.

E. Public Comment Letters


As noted in Appendix D, Methodology for Revising the Framework, a draft of the Framework was issued for
public comment from December 19, 2011 through March 31, 2012. There were more than 100 public responses
to the on-line survey and 96 public comment letters relating to this exposure draft. These letters contained more
than 1,000 comments on many aspects of the updated Framework, and each comment was considered in
further revisions.

Interested parties were also invited to comment on the Framework during the 78-day public exposure of Internal
Control over External Financial Reporting: A Compendium of Approaches and Examples. Responses to the
on-line survey questions and twenty-three public comment letters related to the post-public exposure version of
the Framework.

This appendix summarizes the more significant comments and any resulting modifications to the Framework
arising from these exposure periods. Many respondents concurred with COSO that the updates to the
Framework are expected to help management strengthen existing systems of internal control by responding to
many changes in the business and operating environments over the past twenty years, codifying principles
associated with the five components of internal control, and expanding the reporting objective to include other
important forms of reporting. There were divergent views as to whether the updates to the Framework would set
a higher threshold for attaining effective internal control, impose additional burdens on entities that report on
internal control, and should incorporate additional aspects of enterprise risk management.

Whereas some respondents sought fundamental changes to the Framework, others recognized that the
Framework remains relevant and useful today and should be used as the basis for an update in selected areas,
as discussed below.

Definition of Internal Control

Some respondents suggested amending the definition in different ways. Individual suggestions included aligning
the definition with other standards, embedding risk, removing objective categories, increasing emphasis on the
board, adding anti-fraud/ethical behavior expectations, removing the concept of reasonable assurance,
expanding the reporting objective to include other aspects such as timeliness and transparency, and stipulating
that effectiveness of internal control is attained by reducing the risk of not achieving an objective to an
acceptably low level. Other respondents, however, noted that the original definition has gained wide acceptance
(e.g., auditing standards, legislation and guidance) and should be retained.

The Framework revises the definition to remove the modifiers from each category of objectives. The reasons for
this change are that the objectives are discussed in some detail later in Chapter 1, Definition of Internal Control,
and with the broadening of the reporting category, respondents appropriately identified additional relevant
aspects of the reporting objective beyond just reliability.

Other than this change, the Framework retains a broad definition as other suggestions are either encompassed
in the definition, as amended, or are discussed more appropriately as part of the components of internal control.
Finally, incorporating the notion of reducing risk to a low level potentially pre-empts management's judgment and
may be too restrictive for some objectives.

Reporting, Operations, and Compliance Objectives

Some respondents called for reconsidering the expansion of financial reporting objectives and potential
regulatory implications, and reconsidering the measurability of the achievement of operations objectives. The
Framework retains descriptions of the three categories of objectives and provides supplemental descriptions of
operations and compliance objectives.

Principles

Respondents acknowledged the benefit of formalizing into principles internal control concepts introduced in the
original framework, providing clarity for management in designing, implementing, and conducting internal control,
and assessing the effectiveness of systems of internal control.

Some respondents suggested folding Principle 11, Selects and Develops General Controls over Technology,
into Principle 10, Selects and Develops Control Activities, based on a view that selecting and developing
technology general controls is a subset of selecting control activities in general, which are part of Principle 10.

Some also suggested combining Principle 8, Assessing Fraud Risk, with Principle 7, Identifies and Analyzes
Risks, on the basis that fraud risk may be viewed as only one type of risk potentially impacting objectives.

The Framework carries forward the seventeen principles. It retains the principles that focus on the use of
technology and the assessment of fraud risks, recognizing their important role in achieving effective internal
control. Some principles were also enhanced or clarified based on respondents' comments.

Effectiveness

Achievement of Operations Objectives

Some respondents suggested that effective internal control can provide management and the board with more
than an understanding of the extent to which operations are managed effectively and efficiently. Some
respondents suggested that if operations objectives are specified with sufficient clarity and the limitations
imposed by external events are either not significant or can be mitigated to an acceptable level, internal control
can provide reasonable assurance of achieving those operations objectives.

The Framework has been updated to recognize that when external events are considered unlikely to have a
significant impact on the achievement of objectives or where the organization can reasonably predict the nature
and timing of external events and mitigate the impact to an acceptable level, internal control can provide
reasonable assurance that operations are being managed effectively and efficiently.

However, there may still be instances in which external events have a significant impact on the achievement of
objectives and that impact cannot be mitigated to an acceptable level. In those instances effective internal control
can only provide management and the board with an understanding of the extent to which operations are
managed effectively and efficiently.

Relevant Principles

Comments on the post-exposure version focused on the requirements for effective internal control and whether
management can conclude that a system of internal control is effective when principles are not present and
functioning. The Framework presumes that principles are relevant. However, there may be a rare industry,
operating, or regulatory situation in which management has determined that a principle is not relevant to the
associated component. Considerations in applying this judgment may include the entity structure recognizing
any legal, regulatory, industry, or contractual requirements for governance of the entity, and the level of use and
dependence on technology used by the entity. The Framework clarifies the requirement that relevant principles
must be present and functioning to achieve effective internal control.

Components Operating Together

Respondents also requested clarification of the requirement that components operate together. A definition and
further discussion of components operating together were added to Chapter 3.

Points of Focus

Some respondents expressed concern that including points of focus (named "attributes" in the initial public
exposure draft) may trigger an undesirable checklist mentality among management, auditors, and regulators. Other
respondents requested clarity on whether the attributes represent requirements relating to whether principles are
present and functioning, or whether the Framework presumes that attributes are present and functioning.

The Framework now replaces the term "attributes" with "points of focus," consistent with the original framework,
to reduce the perception that the use of points of focus is a requirement. The Framework clarifies the relevance
of points of focus by positioning them as important characteristics of principles. The Framework allows
management greater flexibility to exercise judgment in considering which points of focus are relevant for the
entity. The Framework was revised to remove the presumption that points of focus must be in place and
separately assessed.

Points of focus have been removed from Chapter 3, Effective Internal Control, to clarify that they are not to be
considered requirements associated with the relevant principles. Instead, they are introduced and their
relevance clarified in Chapter 4, Additional Considerations. Within the respective component chapters, they are
listed after the principle to which they apply.

Classification of Internal Control Deficiencies

Some respondents suggested removing major and minor non-conformities, and using a consistent terminology
for all categories of objectives in the Framework. Some suggested using terms "significant deficiency" and
"material weakness" for all categories.

The Framework presents a revised terminology when generally referring to the severity of deficiencies, and uses
the terms "internal control deficiencies" and "major deficiencies." However, for certain objectives, the Framework
acknowledges that management should use only the relevant criteria established in laws, rules, regulations, and
standards with respect to the severity classification of internal control deficiencies.

Objective-Setting

Some respondents suggested that the Framework include objective-setting as a component of internal control.
Others suggested that objective-setting remain a precondition of internal control, and that the Framework
provide greater clarity of the role of assessing suitability of objectives within internal control.

The Framework retains the five components and the concept that establishing objectives is a precondition to
internal control. It clarifies the distinction between establishing objectives (outside the system of internal control)
and specifying objectives (within the system of internal control) in Chapter 2, Objectives, Components, and
Principles. The Framework expands discussion on suitability of objectives and explains how management
should respond when specified objectives are viewed as unsuitable (see Chapter 4, Risk Assessment).

Objectives

Safeguarding of Assets

Some respondents suggested including safeguarding of assets as a category of objectives based on established
laws, rules, regulations, and standards. Others suggested that safeguarding of assets is part of each category of
objectives.

The Framework retains safeguarding of assets as an operations objective, consistent with the original
framework. The Internal Control—Integrated Framework, Addendum to Reporting to External Parties (May 1994)
affirmed that the definition of internal control relates to operations, compliance, and financial reporting objectives, as set
out in the original framework, and remains appropriate. The Addendum also concluded that when management
reports on internal control over financial reporting there is a reasonable expectation that such reporting covers
controls to help prepare financial statements and prevent or detect in a timely manner any unauthorized
acquisition, use, or disposition of assets.

The Framework acknowledges that some laws, rules, regulations, and standards have established safeguarding
of assets as a separate category of objective. When management reports on an entity's system of internal
control, there may be established objectives or sub-objectives relating to physical security, prevention, or timely
detection of unauthorized acquisition, use, or disposition of assets. The Framework retains the view that
safeguarding of assets is primarily related to operations, but may be viewed within the context of reporting and
compliance objective categories.

Strategic Objectives

Some respondents suggested the addition of strategic objectives as a category of objectives. Some also
suggested that this change was already made in Enterprise Risk Management - Integrated Framework (ERM
Framework) and that the Framework should adopt a similar change.

The Framework retains the operations, reporting, and compliance objective categories and the concept that strategic
objectives are not part of internal control. Including strategy-setting and strategic objectives would require adding
other concepts, including risk appetite and risk tolerance, to provide a complete discussion of this objective
category. These concepts are more appropriate in the context of enterprise risk management, as discussed
below.

Enterprise Risk Management

Some respondents called for further integration of enterprise risk management concepts into internal control, in
particular seeking an expanded discussion of risk tolerance and adding risk appetite. Some also sought a
merger of COSO's ERM Framework with the Framework. Others supported keeping the two frameworks
separate and distinct.

The COSO Board considered merging the two frameworks and decided to keep them separate and distinct.
Accordingly, strategy-setting, strategic objectives, and risk appetite remain part of the ERM Framework. The
Framework retains the definition of risk appetite and the application of risk tolerance and retains strategy-setting
as a precondition of internal control.

The Framework expands the Foreword to acknowledge that the two frameworks are intended to be
complementary, neither superseding the other. The Framework includes a discussion of overlapping concepts in
Appendix G.

Smaller Entities and Governments

Some respondents called for expanded guidance specific to smaller entities and governments. Some suggested
that the Framework specifically highlight the differences in applicability to such entities. Others suggested that
the length of document is potentially overwhelming for smaller organizations.

The Framework contains additional discussion relating to Principle 2, Exercises Oversight Responsibility,
concerning smaller entities. Additional discussion from the 2006 COSO Guidance for Smaller Public Entities is
included in Appendix C. This appendix has been expanded to consider entities beyond smaller public companies
and has relevance for other smaller entities.

Technology

Some respondents commented, in general, on expanding the guidance on technology in the Framework. Others
suggested including detailed technology topics such as backup and recovery in Principle 11, Selects and
Develops General Controls over Technology. And still others suggested adding detailed risks associated with
current technology initiatives such as cloud computing or continuous auditing techniques. Some recommended
referring to or incorporating other established frameworks specifically addressing technology controls and other
considerations.

The Framework includes enhanced discussion on technology both in the points of focus and in various chapters.
The Framework does not include extensive discussion on specific current technology initiatives or the risks
associated with them because of the evolving nature of technology and concerns that the Framework may
become dated. The Framework does not explicitly reference other technology-focused frameworks by name.

Structure and Layout

Some respondents expressed concern about the length of the Framework and suggested presenting only those
requirements of internal control. Others suggested revising the structure to emphasize requirements versus
supplemental guidance.

The COSO Board continues to believe that the Framework comprises all chapters. The Board acknowledges,
however, the importance of clearly setting forth that components and relevant principles are requirements of an
effective system of internal control.

Due Process

Some respondents questioned the sufficiency of the overall due process activities surrounding COSO's initiative
to update the Framework, suggesting, for instance, that PwC and COSO conduct additional outreach and public
consultations before releasing the Framework. The COSO Board believes that the extensive activities of
the past several years have captured a wide range of views on the proposed revisions to the
Framework, as described in Appendix D, Methodology for Revising the Framework. As part of this approach,
PwC and COSO:

• Surveyed users and stakeholders in the original framework to capture user views on the nature and extent of
necessary updates, receiving over 700 responses (December 2010 to September 2011)
• Conducted eleven meetings with the Advisory Council (whose members include representatives of AICPA, AAA,
FEI, IIA, IMA, public accounting firms, other professional organizations and various regulatory observers)
• Provided exposure drafts of the updated Framework for public comments (December 2011 to March 2012)
• Made available a revised draft of the Framework for public comments, in connection with providing exposure
drafts of the proposed Internal Control over External Financial Reporting: A Compendium of Approaches and
Examples, along with Framework and Illustrative Tools for Assessing Effectiveness of a System of Internal
Control (September to December 2012)
• Participated in many conferences, webinars, and seminars with membership of COSO to seek additional views
from stakeholders and users (January 2011 to January 2013)

COSO believes there has been a substantive due process effort to capture views on proposed updates to the
Framework and Appendices, Internal Control over External Financial Reporting: A Compendium of Approaches
and Examples, and Illustrative Tools for Assessing Effectiveness of a System of Internal Control.

F. Summary of Changes to the COSO Internal Control — Integrated Framework (1992)

This Appendix summarizes the broad changes from the original edition issued in 1992, as well as changes made
within each of the five components of internal control.

Broad-based Changes

The following significant changes are evident across all areas of the updated Framework:

• Applies a principles-based approach — The Framework focuses greater attention on principles. While the
original framework implicitly reflected the core principles of internal control, the Framework explicitly states the
seventeen principles, which represent the fundamental concepts associated with the components of internal
control. These principles remain broad as they are intended to apply to (1) any category of objectives and (2)
any type of entity: for-profit companies, both publicly traded and privately held; not-for-profit entities;
government bodies; and other organizations. Supporting each principle are points of focus, representing
important characteristics of principles.
• Clarifies requirements for effective internal control — The components and principles comprise the criteria that
will assist management in assessing whether an entity has effective internal control. The Framework requires
that each of the components and relevant principles be present and functioning and the five components be
operating together.
• Expands the reporting category of objectives — The financial reporting objective category is expanded to
consider other external reporting beyond financial reporting, as well as internal reporting, both financial and
non-financial.
• Clarifies the role of objective-setting in internal control — The original framework stated that objective-setting
was a management process, and that establishing objectives is a precondition to internal control. The
Framework preserves that view and expands the discussion on specifying objectives and considering the suitability
of established objectives. This discussion is included in Chapter 2, Objectives, Components, and Principles.
• Considers globalization of markets and operations — Organizations expand beyond domestic markets in the
pursuit of value, entering into international markets, and executing cross-border mergers and acquisitions. The
Framework discusses changes in management operating models, legal entity structures, and related roles,
responsibilities, and accountabilities for internal control at the entity and subunit level. In addition, it considers
the identification and analysis of internal and external risk factors relating to mergers and acquisitions.
• Enhances governance concepts — The Framework includes expanded discussion on governance relating to the
board of directors and committees of the board, including audit, compensation, and nomination/governance
committees.
• Considers different business models and organizational structures — Business models and structures have
evolved over the past twenty years, and many entities now expand their business models to encompass the use
of outsourced service providers for products or services necessary to the ongoing operation of the entity. The
competitive landscape, globalization, dynamic industry and technological changes, evolving business models,
competition for talent, cost management, and other factors have required management to look beyond internal
operations to access needed resources. The Framework explicitly considers the extended business model,
including the responsibilities for internal control in this model and the achievement of effective internal control.
• Considers demands and complexities in laws, rules, regulations, and standards — Regulators and standard
setters promote greater stakeholder protection and confidence in external reporting through changes in laws,
rules, regulations, and standards. The Framework recognizes the roles of regulators and standard-setters in
establishing objectives and in providing criteria to assess the severity of, and to report, internal control deficiencies.
• Considers expectations for competencies and accountabilities — Demands for greater competence and
accountability increase as organizations grow more complex, acquire entities, restructure, introduce new
products and services, and implement new processes and technologies. Organizations may flatten and shift
management operating models and delegate greater authority or accountability. The Framework broadens the
discussion on these topics.
• Reflects the increased relevance of technology — The number of entities that use or rely on technology has
grown substantially since 1992, along with the extent to which technology is used in most entities. Technologies
have evolved from large stand-alone mainframe environments that process batches of transactions to highly
sophisticated, decentralized, and mobile applications involving multiple real-time activities that can cut across
many systems, organizations, processes, and technologies. The change in technology can impact how all
components of internal control are implemented.
• Enhances consideration of anti-fraud expectations — The original framework considered fraud, although the
discussion of anti-fraud expectations and the relationship between fraud and internal control was less prominent.
The Framework contains considerably more discussion on fraud and also considers the potential for fraud as a
principle of internal control.

Achievement of Objectives

The original framework noted that internal control can be judged effective in each of the three categories,
respectively, if the board of directors and management have reasonable assurance that:

• They understand the extent to which the entity's operations objectives are being achieved
• Published financial statements are being prepared reliably
• Applicable laws and regulations are being complied with

The original framework noted that achievement of operations objectives is not always within the entity's control.
For these operations objectives, the system of internal control can provide reasonable assurance only that
management and, in its oversight role, the board are made aware, in a timely manner, of the extent to which the
entity is moving toward those objectives.

The Framework acknowledges that achievement of some operations objectives is not always within the
organization's control and in those instances retains the view set out in the original framework. The Framework
also recognizes that when external events are unlikely to have a significant impact on the achievement of
specified objectives, an organization may be able to attain reasonable assurance those objectives can be
achieved.

Changes to Components of Internal Control

Control Environment

In the two decades since the publication of the original framework in 1992, a number of factors have pointed to
the need for an update on what to consider in establishing a sound control environment. There is now greater
complexity in business models, with enterprises extending to a wide network of third parties and business
partners that are not only accountable for delivering results but also for adhering to expected standards that the
organization seeks to uphold. The multiple structures that define organizations today, whether by product line,
geography, legal entity, or some other factor, require
a flexible and multidimensional approach to governance and control and the ability to report accordingly.

Today, there is an increased need for transparency of how the organization operates and governs itself;
reporting now extends beyond financial performance; risk discussions are expected to be more robust and
detailed; corporate social responsibility reporting matters more to stakeholders; and the pace for publishing such
information has accelerated. Changes in expectations of governance as a result of regulatory developments,
listing standards, and other stakeholder requirements have mandated certain structures and processes. These
include independence of board members, disclosures of skill profiles, processes for board and audit committee
evaluation, and alignment of incentives, pressures, and rewards to ensure the right behavior is promoted and
negative behavior is corrected. All of this is designed to keep pace with the evolving risk profile of the
organization.

In the updates to Chapter 5, the Control Environment, key changes include:

• Combining into five principles the discussions relating to integrity and ethical values, commitment to
competence, board of directors or audit committee, management's philosophy and operating style,
organizational structure, assignment of authority and responsibility, and human resource policies and practices
• Explaining linkages between the various components of internal control to demonstrate the foundational aspects
of the control environment for a sound system of internal control
• Expanding the discussion of governance roles in an organization, recognizing differences in structures,
requirements, and challenges across different jurisdictions, sectors, and types of entities
• Clarifying the expectations of integrity and ethical values to reflect lessons learned and developments in ethics
and compliance (e.g., codes of conduct, the attestation process, whistle-blower processes, investigation and
resolution, and training and reinforcement both internally and with third parties)
• Expanding the notion of risk oversight and strengthening the linkages between risk and performance to help
allocate resources to support internal control in the achievement of the entity's objectives
• Emphasizing the need to consider internal control across the complexities in organizational structure resulting
from different business models and the use of outsourced service providers, business partners, and other
external partners
• Aligning roles and responsibilities discussed in organizational structure with the information presented in
Appendix B, Roles and Responsibilities, so that major roles are used consistently within the Framework.

Risk Assessment

Since 1992 the attention given to risk and the risk assessment component of internal control has continued to
increase, with risk and control being more closely aligned. Consequently, many organizations have shifted their
thinking away from being prescriptive to taking a more risk-based approach to internal control. Some users of
the original framework suggested that updates were needed to further enhance the understanding of risk and its
link to the overall system of internal control. As companies embrace risk management and enterprise risk
management programs, they are also seeking greater clarity of how risk assessments are considered in the
context of internal control, and what aspects of risk management remain incremental to internal control.

Users also noted that almost half of the original chapter on risk assessment focused on objectives, and that this
focus was not needed if objective-setting was truly a precondition to internal control. Many organizations have
expanded their reporting efforts, moving to include many other types of external reporting beyond just financial
reporting. Finally, often in response to events occurring within their organizations, industry, or the general
business community, and as a result of expanding legislative pressures in some jurisdictions, many
organizations have also increased their anti-fraud efforts.

Therefore, Chapter 6, Risk Assessment, reflects these key changes by:

• Repositioning much of the discussion on objective-setting, which continues to be viewed as a precondition to
risk assessment, to Chapter 2, Objectives, Components, and Principles, and no longer including the discussion
on categories of objectives, linkage between objectives, and achievement of objectives in the Risk Assessment
component
• Focusing the Risk Assessment component on articulating objectives relating to operations, reporting, and
compliance with sufficient clarity so that any risks to those objectives can be identified and assessed, and
considering the need to assess the suitability of objectives for use as a basis for assessing effectiveness
• Broadening the financial reporting category of objectives to include other aspects of external reporting and to
include internal reporting
• Reflecting the view that non-financial reporting is conducted in relation to an external requirement or standard
• Clarifying that risk assessment includes processes for risk identification, risk analysis, and risk response
• Expanding the discussion on risk severity beyond impact and likelihood to include velocity and persistence
• Incorporating risk tolerances (set as a precondition to internal control and pertaining to the level of acceptable
variation in performance and the relative importance of objectives) into the assessment of acceptable risk levels
• Expanding the discussion on management needing to understand significant changes in its internal and external
factors and how those might impact the overall system of internal control
• Considering fraud risk relating to material omission or misstatement of reporting, inadequate safeguarding of
assets, and corruption as part of the risk assessment process

Control Activities

Since 1992, the evolving role of technology in business has perhaps been most evident in the implementation of
control activities. While the fundamental concepts around control activities put forth in the original framework
have not changed, technology has changed many of the details. Today, information technology is much more
integrated into business processes throughout any entity. The variety of technologies being used at most entities
has mushroomed beyond largely centralized information systems in an organization's own data center to myriad
decentralized, mobile, intelligent and web-enabled technologies, which are increasingly located at third-party
service organizations. Also, the recent focus on improving controls in organizations, which has been provoked
by the marketplace and regulation, has led to a deeper understanding of how control activities are effectively
designed and implemented.

Therefore, within Chapter 7, Control Activities, key changes include:

• Broadening the discussion to reflect the evolution in technology since 1992 (e.g., replacing data center concepts
with a more general discussion on the technology infrastructure)
• Expanding the discussion of the relationship between automated control activities and general controls over
technology to reinforce the linkages to business processes, with the details on automated control activities and
general controls over technology separated into discrete sections to clarify the distinction between the two
• Expanding the discussion that control activities constitute a range of control techniques while providing a more
detailed description of these types and techniques, and a way to categorize them; making distinct transaction-
level controls from controls at other levels of the organization; and discussing in more detail information-
processing objectives
• Updating the discussion on general technology controls to focus more on the universal concepts of what needs
to be controlled in this area rather than specifics applicable to 1992 technology
• Clarifying that control activities are actions established by policies and procedures rather than being the policies
and procedures themselves

Information and Communication

The source, volume, and form of information and communication have expanded dramatically since 1992.
Information sources have grown more diverse and complex, spanning outsourced service providers that support
all or part of an organization's business processes (e.g., outsourcing service providers, joint ventures) and
internal and external networks designed to create unstructured information-sharing mechanisms (social media).

The volume of information, particularly in the form of raw data, accessible to and collected by organizations,
creates both opportunity and risk. The scope of regulatory regimes has created greater demand for information,
greater expectations for quality and protection, and greater requirements for communication. And, as
organizations and business models have become more complex in structure and geographic reach, quality
information and its communication within the organization has become an imperative. Additionally, the
importance of the free flow of information within the organization to allow management and employees to
understand new or changed events or circumstances to re-evaluate risks and modify the internal control system
has become more critical as the legal, management, and functional structures of business entities have become
more complex.
Within Chapter 8, Information and Communication, key changes include:

• Emphasizing the discussion of the importance of quality of information
• Expanding the discussion of the expectations for verifying to a source and for retention when information is used
to support reporting objectives to external parties
• Expanding the discussion on the impact of regulatory requirements on reliability and protection of information
• Expanding the discussion on the volume and sources of information in light of increased complexity of business
processes, greater interaction with external parties, and technology advances
• Reflecting the impact of technology and other communication mechanisms on the speed, means, and quality of
the flow of information
• Adding content on the information and communication needs between the entity and third parties, emphasizing
the importance of considering how processes may occur outside the entity (e.g., by the use of third-party service
providers that manage specific processes) and how the entity needs to obtain information from and
communicate with parties that operate outside its legal and operational boundaries

Monitoring Activities

In applying the original framework, users often focused monitoring efforts extensively on control activities. With
the change in regulatory reporting requirements in many jurisdictions, organizations have begun to consider
monitoring in its broader and intended context — assisting management in understanding how all components of
internal control are being applied and whether the overall system of internal control operates effectively. To
enhance internal consistency among components in the Framework and make the discussion more actionable,
the title of this component has been updated to Monitoring Activities and the discussion has been enhanced.

The changes to the principles in the Framework will not substantially alter the approaches developed for COSO's
Guidance on Monitoring Internal Control Systems.

Within Chapter 9, Monitoring Activities, key changes include:

• Refining the terminology, where the two main categories of monitoring activities are now referred to as "ongoing
evaluations" and "separate evaluations"
• Adding the need for a baseline understanding in establishing and evaluating ongoing and separate evaluations
• Expanding discussion of the use of technology and external service providers

Overall Framework Layout

The original framework contained one chapter that presented the definition of internal control, the components of
internal control, the relationship of objectives and components, and effectiveness. In the Framework, these
topics are covered in three different chapters: Chapter 1, Definition of Internal Control defines internal control;
Chapter 2, Objectives, Components, and Principles, discusses components of internal control and the
relationship of objectives, components, and principles; and Chapter 3, Effective Internal Control, considers the
requirements for assessing the effectiveness of a system of internal control. Further, Chapter 4, Additional
Considerations, discusses management judgment, points of focus, cost versus benefits of internal control, the
changing role of technology, documentation, and application of internal control in larger versus smaller entities.

G. Comparison with COSO Enterprise Risk Management — Integrated Framework

In 2004, COSO issued Enterprise Risk Management — Integrated Framework (ERM Framework), which
establishes a framework for enterprise risk management and provides guidance to business and other entities to
help them develop and apply their enterprise risk management activities. It identifies and describes eight
interrelated components necessary for effective enterprise risk management.

The ERM Framework defines enterprise risk management as a process, effected by an entity's board of
directors, management, and other personnel, applied both in strategy-setting and across the entity, designed to
identify potential events that may affect the entity, to manage risk, and to provide reasonable assurance that the
objectives of an entity will be achieved. Organizations that have implemented the ERM Framework will likely see
minimal impact on their enterprise risk management efforts resulting from the issuance of this Internal Control —
Integrated Framework: Framework and Appendices.

This appendix outlines the relationship between the Internal Control — Integrated Framework and the ERM
Framework.

A Broader Concept

Enterprise risk management is broader than internal control, elaborating on internal control and focusing more
directly on risk. Internal control is an integral part of enterprise risk management, while enterprise risk
management is part of the overall governance process. This relationship is depicted in the illustration below.

The publication Enterprise Risk Management — Integrated Framework remains in place for entities and others
looking broadly at enterprise risk management.

Categories of Objectives

Both Internal Control — Integrated Framework and Enterprise Risk Management — Integrated Framework cover
all reports developed by an entity, disseminated both internally and externally. These include reports used
internally by management and those issued to external parties, including regulatory filings and reports to other
stakeholders.

The two publications handle categories of objectives differently. While both specify the three categories of
objectives of operations, reporting, and compliance, ERM Framework adds a fourth category: strategic
objectives (illustrated in the diagram below). Strategic objectives operate at a higher level than the others. They
flow from an entity's mission or vision, and the operations, reporting, and compliance objectives should be
aligned with them. Enterprise risk management is applied in setting strategies, as well as in working toward
achievement of objectives in the other three categories.

An underlying premise of enterprise risk management is that every entity exists to provide value for its
stakeholders. Strategic objectives reflect management's choice of how the entity will seek to create value for its
stakeholders. Related objectives (referring to operations, reporting, and compliance objectives in the ERM
Framework) flow from these strategic objectives. While enterprise risk management focuses on how an entity

creates, preserves, and realizes value, internal control focuses primarily on the achievement of specified
objectives.

Enterprise risk management is often viewed as being more forward-looking, considering how much risk the
organization is willing to accept, how risks are both created and mitigated from strategic choices, and how
emerging risks may impact the organization. In contrast, internal control focuses on whether the organization is
mitigating risks to the achievement of specified objectives. In this context, internal control is often more
retrospective than prospective.

Risk Appetite and Risk Tolerances

The ERM Framework introduces the concepts of risk appetite and risk tolerance.

• Risk appetite is the broad-based amount of risk an entity is willing to accept in pursuit of its mission/vision. It
serves as a guidepost in strategy-setting and selecting related objectives.
• Risk tolerance is the acceptable level of variation in performance relative to achievement of objectives. In setting
risk tolerance levels, management considers the relative importance of the related objectives and aligns risk
tolerance with risk appetite.

Operating within risk tolerance provides management greater assurance that the entity remains within its risk
appetite, which in turn provides added comfort that the entity will achieve its objectives. The concept of risk
tolerance is included in the Framework as a precondition to internal control, but not as a part of internal control.

Portfolio View

Enterprise risk management requires considering composite risks from a portfolio perspective. This concept is
not contemplated in the Internal Control—Integrated Framework, which focuses on achievement of objectives on
an individual basis. Internal control does not require that the entity develop a portfolio view.

Components

With the enhanced focus on risk, the ERM Framework expands the internal control framework's risk assessment
component, creating three components: event identification, risk assessment, and risk response (shown in the
illustration below).

The objective-setting component of the ERM Framework considers the process used by management and the
board for setting operations, reporting, and compliance objectives. Setting risk appetite and risk tolerance are
key tenets of enterprise risk management. In contrast, internal control views the setting of objectives and risk
tolerance as preconditions to an effective system of internal control.

Summary of Similarities and Differences of Components

Each of the five components of internal control is reviewed below in relation to the ERM Framework. In each
case, a table is included setting out concepts that are:

• Common to both internal control (IC) and enterprise risk management (ERM)
• Included in internal control and expanded upon in enterprise risk management
• Incremental to enterprise risk management and not part of internal control

The principles for each component contained in the Framework are used where possible to depict these
similarities and differences.

Control Environment

Common to ERM and IC:
• Demonstrates commitment to integrity and ethical values
• Establishes structures, authority, and responsibility
• Demonstrates commitment to competence
• Enforces accountability

Introduced in IC and expanded in ERM:
• Exercises oversight responsibility

Incremental to ERM:
• Establishes risk management philosophy
• Establishes risk culture
• Establishes risk appetite

In discussing the Control Environment component, the ERM Framework discusses (in the chapter titled Internal
Environment) an entity's risk management philosophy, which is the set of shared beliefs and attitudes
characterizing how an entity considers risks, reflecting its values and influencing its culture and operating style.
As described above, the Framework encompasses the concept of an entity's risk appetite, which is supported by
more specific risk tolerances.

Because of the critical importance of the board of directors and its composition, ERM Framework expands on
the call for a critical mass of independent directors (normally at least two) stating that for enterprise risk
management to be effective, the board must have at least a majority of independent outside directors.

Risk Assessment

Common to ERM and IC:
• Assesses fraud risk
• Identifies and analyzes significant change

Introduced in IC and expanded in ERM:
• Identifies and analyzes risks/events

Incremental to ERM:
• Distinguishes risk and opportunities
• Develops portfolio view

ERM Framework and Internal Control—Integrated Framework both acknowledge that risks occur at every level
of the entity and result from a variety of internal and external factors. And both frameworks consider risk
identification in the context of the potential impact on the achievement of objectives.

ERM Framework discusses the concept of potential events, defining an event as an incident or occurrence
emanating from internal or external sources that affect strategy implementation or achievement of objectives.
Potential events with positive impact represent opportunities, while those with negative impact represent risks.
The Framework focuses on identifying risks and does not include the concept of identifying opportunities, as the
decision to pursue opportunities is part of the broader strategy-setting process.

While both frameworks call for assessment of risk, ERM Framework suggests viewing risk assessment through
a sharper lens. Risks are considered as inherent and residual, preferably expressed in the same unit of measure
established for the objectives to which the risks relate. Time horizons should be consistent with an entity's
strategies, objectives and, where possible, observable data. ERM Framework also calls attention to interrelated
risks, describing how a single event may create multiple risks.

As noted, enterprise risk management encompasses the need for an entity-level portfolio view, with managers
responsible for business unit, function, process, or other activities having a composite assessment of risk for
individual units.

Like the Internal Control — Integrated Framework, the ERM Framework identifies four categories of risk
response: avoid, reduce, share, and accept. However, enterprise risk management requires an additional
consideration: potential responses from these categories with the intent of achieving a residual risk level aligned
with the entity's risk tolerances. Management also considers as part of enterprise risk management the
aggregate effect of its risk responses across the entity and in relation to the entity's risk appetite.

Control Activities

Common to ERM and IC:
• Selects and develops control activities
• Selects and develops general controls over technology
• Deploys through policies and procedures

Introduced in IC and expanded in ERM:
• None

Incremental to ERM:
• None

Both frameworks present control activities as helping ensure that management's risk responses are carried out.
The Internal Control — Integrated Framework presents a more current view of technology and its impact on the
running of an entity.

Information and Communication

Common to ERM and IC:
• Communicates internally
• Communicates externally

Introduced in IC and expanded in ERM:
• Uses relevant information

Incremental to ERM:
• None

The ERM Framework takes a broader view of information and communication, highlighting data derived from
past, present, and potential future events. Historical data allows the entity to track actual performance against
targets, plans, and expectations, and provides insights into how the entity performed in the periods under
varying conditions. Current data provides important additional information, and data on potential future events
and underlying factors completes the analysis. The information infrastructure sources and captures data in a
timely manner and at a depth of detail consistent with the entity's need to identify events and assess and respond to
risks and remain within its risk appetite. The Internal Control — Integrated Framework focuses more narrowly on
data quality and relevant information needed for internal control.

Monitoring Activities

Common to ERM and IC:
• Conducts ongoing and/or separate evaluations
• Evaluates and communicates deficiencies

Introduced in IC and expanded in ERM:
• None

Incremental to ERM:
• None

Both frameworks present monitoring activities as helping to ensure that the components of internal control and
enterprise risk management continue to function and remain suitable over time. The Internal Control —
Integrated Framework presents a more current view of monitoring using baseline information and the monitoring
of external service providers.

Internal Control over External Financial Reporting: A Compendium of Approaches and Examples

May 2013

This project was commissioned by COSO, which is dedicated to providing thought leadership through the
development of comprehensive frameworks and guidance on internal control, enterprise risk management, and
fraud deterrence designed to improve organizational performance and oversight and to reduce the extent of
fraud in organizations. COSO is a private sector initiative, jointly sponsored and funded by:

• American Accounting Association (AAA)
• American Institute of Certified Public Accountants (AICPA)
• Financial Executives International (FEI)
• Institute of Management Accountants (IMA)
• The Institute of Internal Auditors (IIA)

Committee of Sponsoring Organizations of the Treadway Commission

Board Members

David L. Landsittel, COSO Chair
Mark S. Beasley and Douglas F. Prawitt, American Accounting Association
Richard F. Chambers, The Institute of Internal Auditors
Charles E. Landes, American Institute of Certified Public Accountants
Marie N. Hollein, Financial Executives International
Sandra Richtermeyer and Jeffrey C. Thomson, Institute of Management Accountants

PwC—Author

Principal Contributors

Miles E.A. Everson, Engagement Leader, New York, USA
Stephen E. Soske, Project Lead Partner, Boston, USA
J. Aaron Garcia, Project Lead Director, San Diego, USA
Cara M. Beston, Partner, San Jose, USA
Charles E. Harris, Partner, Florham Park, USA
Eric M. Bloesch, Managing Director, Philadelphia, USA
James M. Downs, Director, San Francisco, USA (Through January 2012)
Catherine Jourdan, Director, Paris, France
Frank J. Martens, Director, Vancouver, Canada
Jay A. Posklensky, Director, Florham Park, USA
Charles J. Finn, Senior Manager, Detroit, USA
Natalie Protze, Senior Manager, Washington D.C., USA (July 2011 to March 2012)
Sallie Jo Perraglia, Manager, New York, USA

Advisory Council

Sponsoring Organizations Representatives

Audrey A. Gramling, Bellarmine University, Fr. Raymond J. Treece Endowed Chair
Steven E. Jameson, Community Trust Bank, Executive Vice President and Chief Internal Audit & Risk Officer
J. Stephen McNally, Campbell Soup Company, Finance Director/Controller
Ray Purcell, Pfizer, Director of Financial Controls
William D. Schneider Sr., AT&T, Director of Accounting

Members at Large

Jennifer Burns, Deloitte, Partner
James DeLoach, Protiviti, Managing Director
Trent Gazzaway, Grant Thornton, Partner
Cees Klumper, The Global Fund to Fight AIDS, Tuberculosis and Malaria, Chief Risk Officer
Thomas Montminy, PwC, Partner
Alan Paulus, Ernst & Young LLP, Partner
Thomas Ray, Baruch College
Dr. Larry E. Rittenberg, University of Wisconsin, Emeritus Professor of Accounting, Chair Emeritus COSO
Sharon Todd, KPMG, Partner
Kenneth L. Vander Wal, ISACA, International President 2011-2012

Regulatory Observers and Other Observers

James Dalkin, Government Accountability Office, Director in the Financial Management and Assurance Team
Harrison E. Greene Jr., Federal Deposit Insurance Corporation, Assistant Chief Accountant
Christian Peo, Securities and Exchange Commission, Professional Accounting Fellow (Through June 2012)
Amy Steele, Securities and Exchange Commission, Associate Chief Accountant (Commencing July 2012)
Vincent Tophoff, International Federation of Accountants, Senior Technical Manager
Keith Wilson, Public Company Accounting Oversight Board, Deputy Chief Auditor

Additional PwC Contributors

Mark Cohen, Partner, San Francisco, USA
Andrew Dahle, Partner, Chicago, USA
Junya Hakoda, Partner (Retired), Tokyo, Japan
Brian Kinman, Partner, St. Louis, USA
Pat McNamee, Partner, Florham Park, USA
Jonathan Mullins, Partner (Retired), Dallas, USA
Alexander Young, Partner, Toronto, Canada
Antoine Elachkar, Managing Director, Washington D.C., USA
Frank Maggio, Director, Chicago, USA
Christopher Michaelson, Director, Minneapolis, USA
Tracy Walker, Director, Bangkok, Thailand
Qiao Pan, Senior Associate, New York, USA

Foreword

In 2013, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) released an update
to its Internal Control — Integrated Framework (Framework). The original framework, which was released in
1992, has gained broad acceptance and is widely used around the world. It is recognized as a leading
framework for designing, implementing, and conducting internal control and for establishing requirements for an
effective system of internal control. To help users apply the Framework to internal control over external financial
reporting, COSO has released this companion publication, Internal Control over External Financial Reporting: A
Compendium of Approaches and Examples (Compendium). More specifically, the Compendium provides
approaches and examples to illustrate how entities may apply the principles set out in the Framework to a
system of internal control over external financial reporting.

In the twenty years since the release of the original framework, business and operating environments have
changed dramatically, becoming increasingly complex, technologically driven, and global. At the same time,
stakeholders have become more engaged, seeking greater transparency and accountability for the integrity of
systems of internal control that support business decisions and governance of the organization. The
Framework and the Compendium incorporate many of these changes including:

• Expectations for Governance Oversight — Higher regulatory and stakeholder expectations require the board of
directors to oversee internal control over external financial reporting. Some jurisdictions require specific
regulatory requirements for expertise and independence of board members of certain types of entities.
• Globalization of Markets and Operations — Organizations expand beyond domestic markets in the pursuit of
value, often entering into international markets and executing cross-border mergers and acquisitions.
• Changes and Greater Complexities in the Business — Organizations change business models and enter into
complex transactions in pursuit of growth, greater quality, and productivity, and in response to changes in
market and regulatory environments. These changes may include entering into strategic alliances, joint
ventures, and other complex contractual arrangements with external parties, implementing shared services, and
engaging outsourced service providers.
• Demands and Complexities in Laws, Rules, Regulations, and Standards — Regulators and policy makers
promote greater investor protection and confidence in the financial reporting systems through changes in rules,
regulations, and standards. Also, users of external financial reports seek greater amounts of information to
better evaluate an entity's financial condition and operating results as businesses become more complex.
• Expectations for Competencies and Accountabilities — Demands for greater competence and accountability
increase as organizations grow; acquire entities; introduce new products and services; comply with complex
rules, regulations, and standards; and implement new processes and technologies. Organizations may flatten
and shift management operating models and delegate greater authority or accountability to certain roles.
• Uses of, and Reliance on, Evolving Technologies — An increasingly mobile and interconnected world has made
technology more essential for many organizations to improve performance, business processes, and decision
making. Entities are investing in emerging technologies, such as cloud computing, mobile devices, and social
media, and using enterprise resource planning (ERP) and other technologies to standardize, automate, and
streamline business processes.
• Expectations Relating to Preventing or Detecting Material Omissions and Misstatements and Fraud —
Stakeholders today have higher expectations for effective internal control over external financial reporting in
preventing and detecting material omissions and misstatements due to error and fraud.

Each of these changes requires an organization to periodically evaluate the implications on its system of internal
control over external financial reporting and to design and implement appropriate responses so that the system
of internal control adapts and remains effective over time.

The Compendium provides practical approaches and examples that illustrate how the components and
principles set forth in the Framework can be applied in preparing external financial statements. It neither
replaces nor modifies the Framework; rather, it is a supplemental document that can be used in concert with the
Framework when considering internal control over external financial reporting.

Finally, the COSO Board would like to thank PwC and the Advisory Council for their contributions in developing
the Compendium. Their full consideration of input provided by many stakeholders and their attention to detail
were instrumental in ensuring that the Compendium will be helpful to a variety of organizations in applying the
Framework to internal control over external financial reporting.

David L. Landsittel

COSO Chair

1. Introduction

COSO's Internal Control — Integrated Framework (Framework) sets forth three categories of objectives:
operations, reporting, and compliance. The focus of this publication, Internal Control over External Financial
Reporting: A Compendium of Approaches and Examples (Compendium) is the external financial reporting
category of objectives, a subset of the reporting category. External financial reporting objectives address the
preparation of financial reports for external parties, including:

• Financial statements for external purposes
• Other external financial reporting derived from an entity's financial and accounting books and records

Using This Document

Intended Audience

The Compendium has been developed to assist those users of the Framework who are responsible for
designing, implementing, and conducting a system of internal control over external financial reporting (ICEFR)
that supports the preparation of financial statements and other external financial reporting. It is also relevant to
entities that report on the effectiveness of a system of internal control over external financial reporting relating to
the preparation of financial statements. The preparation of financial statements for external purposes and other
external financial reporting applies to the following types of entities:

• Public Entities — Often, public entities are required to prepare financial statements for external purposes in
accordance with applicable accounting standards, rules, and regulations. Additionally, they often prepare other
external financial reporting derived from their financial and accounting books and records, such as earnings press
releases, or information included in stipulated reports for business partners or lending agencies as required by
contract.
• Private Entities — Entities whose ownership may be closely held may prepare financial statements to provide to
banks and other third parties in order to raise capital or to meet contractual obligations. These statements can
be prepared in accordance with standards and regulations, even though doing so is often not a
requirement for private entities. More commonly, the form of the financial statements or of other external
financial reporting is stipulated by contractual obligations or a third party.
• Not-For-Profit Entities — These entities may prepare financial statements for external purposes in accordance
with appropriate rules and regulations. However, because the purpose of these entities is something other than
realizing and generating profit, they may also prepare financial reporting for donors, government agencies, or
other third parties that is not necessarily in accordance with specific standards, rules, or regulations, but aims to
raise funds to support the stated cause.
• Governmental Entities — These entities prepare financial statements that are required by law. As well, they may
prepare financial reporting in accordance with specific standards, rules, or regulations, but which is not
necessarily required, for the public or governmental oversight agencies.

Approaches and Examples for Applying Principles

In applying the Framework, users will find relevant approaches and examples in the Compendium of how
organizations may apply the principles in the design, implementation and conduct of internal control over
external financial reporting. These approaches and examples relate to each of the five components and
seventeen principles set forth in the Framework.

 Approaches describe how organizations may apply these principles within their system of internal control over
external financial reporting. Approaches are designed to give users of the Compendium a summary-level
description of activities that management may consider as they apply the Framework in an ICEFR context.
 Examples provide specific illustrations to users on the application of each principle, based on situations drawn
from practical experiences. Examples illustrate one or more points of focus of a particular principle. They are not
designed to provide a comprehensive example of how the principle may be fully applied in practice.

Further, the Compendium illustrates how various characteristics of principles may be present and functioning1
within a system of internal control relating to external financial reporting objectives.

Finally, the Compendium includes an index to all the examples, by topic, in Appendix A, organized by topics
relating to the changes in business and operating environments noted in the Foreword to the Framework.

Limitations of Illustrations

The approaches and examples do not attempt to illustrate all aspects of the components and relevant principles
necessary for effective internal control relating to external financial reporting objectives. Further, they are not
sufficient to enable an organization to determine that each of the five components and relevant principles is
present and functioning. Instead, the approaches and examples are intended to illustrate how principles may be
present and functioning.

The approaches and examples are samples of activities for management to consider, rather than a complete or
authoritative list. The components, principles, and definitions illustrated in the Compendium are consistent with
those found in the Framework, and readers should refer to the Framework for a comprehensive discussion of
how entities design, implement, and conduct a system of internal control, and for the requirements of effective
internal control.

Considerations for External Financial Reporting

This section considers some unique aspects of applying the Framework in the context of external financial
reporting, especially the preparation of financial statements for external purposes.

Types of External Financial Reports

External financial reporting objectives are consistent with accounting principles suitable and available for an
entity and appropriate in the circumstances. External financial reporting objectives address the preparation of
financial reports, including financial statements for external purposes and other external financial reporting
derived from an entity's financial and accounting books and records.

Financial Statements for External Purposes

Financial statements for external purposes are prepared in accordance with applicable accounting standards,
rules, and regulations.2 These financial statements may include annual and interim financial statements,
condensed financial statements, and selected financial information derived from such statements. These
statements may, for instance, be publicly filed with a regulator or distributed through annual meetings, an entity's
website, or other electronic media.

Another form of financial statements prepared for external purposes may be financial reports prepared in
accordance with a special purpose framework, such as those established by taxing authorities or regulatory
agencies, or those required through contracts and agreements. These financial reports are typically distributed
to specified external users (e.g., reporting to a bank on financial covenants established in a loan agreement,
reporting to a taxing authority in connection with filing tax returns, reporting on financial information to an energy
regulatory commission).

Other External Financial Reporting

Other external financial reporting derived from an entity's financial and accounting books and records rather than
from its financial statements for external purposes may include earnings releases, selected financial information
posted to an entity's website, and selected amounts reported in regulatory filings. External financial reporting
objectives relating to such other financial information may not be driven directly by regulators and standard
setters, but typically stakeholders expect them to align with such standards and regulations.

Objectives Established for External Financial Reporting

Regulators and accounting standard setters establish laws, rules, regulations and standards relating to the
preparation of financial statements for external purposes. These form the basis upon which management
specifies suitable objectives for the entity and its subunits. Regulators, standard-setting bodies, and other
relevant third parties also establish criteria for defining the severity of, evaluating, and reporting internal control
deficiencies. The Framework recognizes and accommodates their authority and responsibility as established
through laws, rules, regulations, and standards.

In the case of an entity applying a law, rule, regulation, or standard, management should use only the relevant
criteria contained in those documents when classifying the severity of internal control deficiencies, rather than
the classifications set out in the Framework. The Framework recognizes that if a deficiency results in a system of
internal control not being effective under such classification criteria then management cannot conclude that the
entity has met the requirements for effective internal control as set forth in the Framework.

For example, a company that must comply with the classification criteria established by the United States
Securities and Exchange Commission (SEC) would use only the SEC's definitions and guidance for classifying
internal control deficiencies as a material weakness, significant deficiency, or control deficiency.3 If an internal
control deficiency is determined to rise to the level of a material weakness, the organization would not be able to
conclude that the entity's system of internal control over financial reporting has met the requirements for effective
internal control as set out in the Framework. If an internal control deficiency does not rise to the level of material
weakness the entity could achieve effective internal control over financial reporting.

Within the boundaries established by laws, rules, regulations, and standards, management exercises judgment
to assess the severity of an internal control deficiency, or combination of deficiencies, in determining whether
components are present, functioning, and operating together, and ultimately in concluding that the entity's
system of internal control is effective.

Suitable Objectives of Financial Statements for External Purposes

Applicable Accounting Standards

In specifying the suitability of external reporting objectives relating to the preparation of financial statements for
external purposes, management considers the accounting standards that apply to that entity and its subunits.
Management then assesses and affirms the accounting principles that are appropriate in the circumstances. For
example, management may set an entity-level external financial reporting objective as follows: "Our company
prepares reliable financial statements reflecting transactions and events in accordance with generally accepted
accounting principles."4

Management specifies suitable sub-objectives for the entity's divisions, subsidiaries, operating units, and
functions with sufficient clarity to support entity-level objectives. For example, a US company applies accounting
principles generally accepted in the United States of America (US GAAP) to all subunits in preparing its
consolidated financial statements; its subsidiaries also apply International Financial Reporting Standards (IFRS)
to submit their subsidiary financial statements in various statutory filings in local jurisdictions.

Further, management assesses and affirms the suitability of the accounting principles to apply to transactions
and events of the entity. For example, management specifies that FASB Accounting Standards Codification Topic
605 Revenue Recognition and SAB 101A Revenue Recognition in Financial Statements (US GAAP) or IAS 18
Revenue Recognition (IFRS) applies to all sales transactions as applicable to achieve the entity or subunits'
respective external financial reporting objective.

In specifying and using applicable accounting principles, management exercises judgment, particularly relating
to subjective measurements and complex transactions. For instance, management judgment is essential for
making assumptions and using data in developing accounting estimates, in applying accounting principles to
complex transactions and events, and in preparing reliable and transparent presentations and disclosures. In
addition, management regularly updates the specified accounting principles for any changes in objectives
established through law, rules, regulations and standards.

Considers Materiality

Financial statement materiality sets the threshold for determining whether a financial amount is relevant. Entities
must consider suitable laws, rules, regulations, and standards promulgated by regulators and standard setters.5

Reflects Entity Activities

External financial reporting must reflect the entity's transactions and events. When preparing financial
statements, management implicitly or explicitly considers suitable sub-objectives categorized into a set of
assertions (e.g., existence and completeness of transactions) underlying the financial statements. Accounting
standard setters may set forth these assertions as well as relevant qualitative characteristics for external
financial reporting.

Management makes assertions regarding the recognition, measurement, presentation, and disclosure of
accounts, transactions, and events included in the entity's financial statements. For example, one grouping of
assertions6 relating to financial statements is summarized as follows:

 Existence or Occurrence — Assets, liabilities, and ownership interests exist at a specific date, and recorded
transactions represent events that actually occurred during a certain period.
 Completeness — All transactions and other events and circumstances that occurred during a specific period,
and that should have been recognized in that period, have in fact been recorded.
 Rights and Obligations — Assets are the rights and liabilities are the obligations of the entity at a given date.
 Valuation or Allocation — Asset, liability, revenue, and expense components are recorded at appropriate
amounts in conformity with relevant and appropriate accounting principles. Transactions are mathematically
correct and appropriately summarized and recorded in the entity's books and records.
 Presentation and Disclosure — Items in the statements are properly described, sorted, and classified.

For example, management specifies sub-objectives for sales transactions that address relevant financial
statement assertions such as:

 All sales transactions that occur are recorded on a timely basis.
 Sales transactions are recorded at correct amounts in the right accounts.
 Sales transactions are accurately and completely summarized in the entity's books and records.
 Presentation and disclosures relating to sales are properly described, sorted, and classified.
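Each of the sales sub-objectives above corresponds to a detective control that can be run over the entity's own records. The following Python reconciliation is an added illustration and is not taken from the Compendium or from any entity described in it: it matches a shipping log (evidence that a sale occurred) against the sales sub-ledger and the general-ledger control balance, and reports exceptions under the assertion they violate. The record layouts, the sales account code 4000, the three-day timeliness tolerance, and the sample transactions are all constructed assumptions for this example.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import date
from decimal import Decimal


@dataclass(frozen=True)
class Shipment:
    """Source evidence that goods left the entity (assumed: a shipping log)."""
    doc_id: str
    shipped: date
    amount: Decimal


@dataclass(frozen=True)
class LedgerEntry:
    """One line in the sales sub-ledger (assumed layout)."""
    doc_id: str
    posted: date
    amount: Decimal
    account: str


# Constructed sample data, not drawn from the Compendium.
SHIPMENTS = [
    Shipment("S1", date(2013, 5, 1), Decimal("100.00")),
    Shipment("S2", date(2013, 5, 2), Decimal("250.00")),
    Shipment("S3", date(2013, 5, 3), Decimal("80.00")),
    Shipment("S4", date(2013, 5, 4), Decimal("500.00")),   # shipped, never booked
]
LEDGER = [
    LedgerEntry("S1", date(2013, 5, 1), Decimal("100.00"), "4000"),
    LedgerEntry("S1", date(2013, 5, 1), Decimal("100.00"), "4000"),   # booked twice
    LedgerEntry("S2", date(2013, 5, 2), Decimal("205.00"), "4000"),   # transposed amount
    LedgerEntry("S3", date(2013, 5, 10), Decimal("80.00"), "2100"),   # late, wrong account
    LedgerEntry("S9", date(2013, 5, 5), Decimal("300.00"), "4000"),   # no shipment exists
]
GL_SALES_BALANCE = Decimal("705.00")   # assumed general-ledger control account balance


def reconcile(shipments, ledger, gl_balance, sales_account="4000", max_lag_days=3):
    """Return {assertion: [exceptions]} for each sales sub-objective."""
    findings = {k: [] for k in ("completeness", "occurrence", "duplicate", "valuation",
                                "classification", "cutoff", "summarization")}
    shipped = {s.doc_id: s for s in shipments}
    posted = {e.doc_id: e for e in ledger}
    counts = Counter(e.doc_id for e in ledger)

    # Completeness: every shipment must have a recorded sale.
    findings["completeness"] = sorted(shipped.keys() - posted.keys())
    # Occurrence: every recorded sale must trace to a real shipment, exactly once.
    findings["occurrence"] = sorted(posted.keys() - shipped.keys())
    findings["duplicate"] = sorted(d for d, n in counts.items() if n > 1)

    for doc_id in sorted(shipped.keys() & posted.keys()):
        s, e = shipped[doc_id], posted[doc_id]
        if e.amount != s.amount:              # Valuation: recorded at the correct amount
            findings["valuation"].append(doc_id)
        if e.account != sales_account:        # Presentation: recorded in the right account
            findings["classification"].append(doc_id)
        lag = (e.posted - s.shipped).days
        if lag < 0 or lag > max_lag_days:     # Timely recording in the right period
            findings["cutoff"].append(doc_id)

    # Summarization: the sub-ledger must tie to the general-ledger balance.
    subledger_total = sum((e.amount for e in ledger if e.account == sales_account), Decimal("0"))
    if subledger_total != gl_balance:
        findings["summarization"].append(f"subledger {subledger_total} != GL {gl_balance}")
    return findings


if __name__ == "__main__":
    for assertion, items in reconcile(SHIPMENTS, LEDGER, GL_SALES_BALANCE).items():
        print(f"{assertion:14} {items or 'ok'}")
```

Note that in the constructed data the sub-ledger ties to the general ledger exactly, so a balance-level tie-out alone would report nothing; the duplicate, the unrecorded shipment, the transposed amount and the misclassified line only surface when each assertion is tested at the transaction level.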

Risks to Achieving Suitable Objectives

Risk of Material Omission or Misstatement

Management specifies suitable objectives and sub-objectives with sufficient clarity to be able to identify and
analyze risks to the achievement of those objectives. Financial statements for external purposes are not
considered reliable or fairly presented if material omissions or misstatements exist in one or more of the
amounts or disclosures. In preparing financial statements, management should identify those risks that could,
individually or in combination, result in a material omission within or misstatement of the financial statements.

Management's assessment of such risks involves a dynamic and iterative process. The initial assessment
undertaken by management likely requires a comprehensive effort to identify and analyze the risk of not
preventing or detecting, in a timely manner, a material omission within or misstatement of the entity's financial
statements. The nature and frequency of performing ongoing and periodic risk assessments vary among entities,
based on individual facts and circumstances.

Even though every entity requires a process to identify and assess the external and internal factors that
contribute to the risk of not achieving its objectives, the specific changes and rates of change in these factors
(including those that could significantly impact internal control over external financial reporting) vary from entity to entity.
For example, different entities and subunits may:

 Operate in many industries, markets, and geographic territories
 Operate in multiple regulatory environments that promulgate different laws, rules, regulations, and standards
 Execute a multitude of contracts with customers, vendors, and others transacting business with the entity
 Acquire, divest, and restructure operations
 Deploy new and evolving technologies and information systems
 Experience turnover of management and other personnel involved in the system of internal control

Additionally, the size and complexity of the entity play a part in determining the nature and frequency of the risk
assessment process. Large, complex organizations may require dedicated cross-functional and cross-territorial
management and other personnel with necessary expertise to perform comprehensive risk assessments.
Management of smaller entities may be able to perform its risk assessment through direct supervision and day-
to-day involvement in operations.

Risk of Material Omission or Misstatement Due to Fraud

Fraudulent reporting can occur when an entity's reports are wilfully prepared with material omissions or
misstatements. This may occur through the use of unauthorized receipts or expenditures, financial misconduct,
or other disclosure irregularities. A system of internal control over external financial reporting is designed and
implemented to prevent or detect, in a timely manner, material omissions within or misstatements of the
financial statements due to error or fraud.

When assessing risks to the achievement of external financial reporting objectives, organizations typically
consider the potential for fraud in the following areas:

 Fraudulent External Financial Reporting — An intentional act designed to deceive users of external financial
reports and that results in a material omission within or misstatement of the external financial reports
 Misappropriation of Assets — Theft of the entity's assets where the effect may cause a material omission
within or misstatement of the external financial reports

As part of the risk assessment process, the organization identifies the various ways that fraudulent
financial reporting can occur, considering:

 Management bias in exercising judgment, for instance in selecting and using applicable accounting principles
and developing significant estimates
 Degree of estimates and judgments underlying the accounting for and disclosure of transactions and events
 Fraud schemes and scenarios common to the industry sectors and markets in which the entity operates
 Geographic regions where the entity does business
 Incentives that may motivate fraudulent behavior
 Attitudes and rationalizations by individuals engaging in or justifying inappropriate actions
 Nature of technology and management's ability to manipulate technology and information
 Unusual or complex transactions subject to significant management influence
 Vulnerability to management override and potential schemes to circumvent controls

Also, as part of the risk assessment process, the organization identifies risks pertaining to the completeness and
accuracy of recording any material misappropriation of assets. Misstatements may arise from failing to record
the material loss of assets or manipulating the financial statements to conceal such a loss.

Management Override

"Management override" refers to actions taken by management in an attempt to override the entity's controls for
an illegitimate purpose such as personal gain or to enhance the presentation or disclosure of the entity's
financial condition or results of operation. As part of its assessment of fraud risk, management considers the risk
of management override of internal control. The board of directors or subset of the board (e.g., audit committee)
oversees this assessment and challenges management when warranted. The entity's control environment can
significantly influence the risk of management override. The risk of management override is especially relevant
for smaller entities where senior management is typically selecting, developing, and deploying controls to effect
principles.

Management override should not be confused with management intervention, which represents action that
departs from controls designed for legitimate purposes. At times, management intervention is necessary to deal
with non-recurring and non-standard transactions or events that otherwise might be handled inappropriately.
Providing for management intervention is necessary because controls cannot be designed to anticipate and
mitigate every risk. Management's actions to intervene are generally overt and subject to policies and
procedures or otherwise disclosed to appropriate personnel.

Risk of Material Omission or Misstatement Due to Illegal Acts and Corruption

Illegal acts are violations of laws or governmental regulations that could have a material direct or indirect impact
on the external financial report. Management considers various indicators to help identify risks relating to
potential illegal acts, such as:

 Results of investigations by a governmental agency, an enforcement proceeding, or the payment of unusual
fines or penalties
 Violations of laws or regulations cited in reports of examinations by regulatory agencies
 Large payments for unspecified services to consultants, affiliates, or employees
 Sales commissions or agents' fees that appear excessive in relation to those normally paid or the services
actually received
 Unusually large payments in cash, purchases of bank cashiers' checks in large amounts payable to bearer,
transfers to numbered bank accounts, or similar transactions
 Unexplained payments made to government officials, employees, or third parties
 Failure to file tax returns or pay government duties or similar fees
 Allegations by whistle-blowers or former employees
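Several of these indicators are properties of individual disbursements and can be screened directly from the cash disbursements journal; the others (investigation results, regulatory findings, unfiled returns, whistle-blower allegations) come from sources outside the ledger and are not covered here. The following Python screen is an added illustration, not part of the Compendium: it applies the transaction-level indicators in the list above to a constructed journal and reports which indicators each payment matches. The journal layout, the payee and payment-method categories, the cash threshold, the commission cap, and the sample payments are all assumptions for this example; an entity would derive its own thresholds from its payment history and policy.

```python
from dataclasses import dataclass
from decimal import Decimal
from typing import Optional


@dataclass(frozen=True)
class Disbursement:
    """One outgoing payment from the cash disbursements journal (assumed layout)."""
    ref: str
    payee: str
    payee_type: str                 # vendor | consultant | affiliate | employee | agent | government
    method: str                     # wire | ach | cash | cashiers_check
    amount: Decimal
    description: str                # purpose on the voucher; empty string means unspecified
    numbered_account: bool = False  # beneficiary is a numbered (unnamed) bank account
    related_sale: Optional[Decimal] = None  # for agent fees: the sale the fee relates to


# Constructed sample journal, not drawn from the Compendium.
JOURNAL = [
    Disbursement("D1", "Acme Supplies", "vendor", "wire", Decimal("4500"), "office supplies"),
    Disbursement("D2", "Northbridge Advisory", "consultant", "wire", Decimal("75000"), ""),
    Disbursement("D3", "Delta Agents Ltd", "agent", "wire", Decimal("40000"), "sales commission",
                 related_sale=Decimal("200000")),
    Disbursement("D4", "J. Smith", "employee", "cash", Decimal("12000"), "bonus"),
    Disbursement("D5", "Bearer", "vendor", "cashiers_check", Decimal("25000"), "settlement"),
    Disbursement("D6", "Harbor Trading", "vendor", "wire", Decimal("30000"), "consulting",
                 numbered_account=True),
    Disbursement("D7", "Customs Office Clerk", "government", "wire", Decimal("5000"), ""),
    Disbursement("D8", "Delta Agents Ltd", "agent", "wire", Decimal("8000"), "sales commission",
                 related_sale=Decimal("200000")),
]


def screen(journal, cash_limit=Decimal("10000"), commission_cap=Decimal("0.05")):
    """Return {ref: [indicator, ...]} for every payment matching at least one indicator.

    cash_limit and commission_cap are assumed thresholds for this example.
    """
    flagged = {}
    for d in journal:
        hits = []
        if d.method == "cash" and d.amount >= cash_limit:
            hits.append("unusually large cash payment")
        if d.method == "cashiers_check" and d.payee.strip().lower() == "bearer":
            hits.append("cashier's check payable to bearer")
        if d.numbered_account:
            hits.append("transfer to numbered bank account")
        if d.payee_type in {"consultant", "affiliate", "employee"} and not d.description.strip():
            hits.append("payment for unspecified services")
        if d.payee_type == "government" and not d.description.strip():
            hits.append("unexplained payment to government official")
        if d.payee_type == "agent" and d.related_sale:
            # Fee as a fraction of the sale it relates to, compared with the normal rate.
            if d.amount / d.related_sale > commission_cap:
                hits.append("agent fee excessive relative to the related sale")
        if hits:
            flagged[d.ref] = hits
    return flagged


if __name__ == "__main__":
    for ref, hits in screen(JOURNAL).items():
        print(ref, "->", "; ".join(hits))
```

A hit is a prompt for follow-up, not a finding of an illegal act: the screen is only as good as the fields it reads, so a payment whose voucher carries a plausible description, or an agent fee booked without the related sale, passes silently and must be caught by other controls.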

Management also considers possible corruption occurring within the entity. Corruption is generally relevant to
the compliance category of objectives but could influence the control environment that affects achievement of
the entity's external financial reporting objectives. This includes considering the incentives and pressures across
the organization to achieve the entity's external financial reporting objectives while demonstrating adherence to
the expected standards of conduct and the effect of the control environment, specifically actions linked to
Principle 4 (Demonstrates Commitment to Competence) and Principle 5 (Enforces Accountability). Aspects of
corruption typically relate to illegal acts that are considered in government statutes relevant to external financial
reporting.

In assessing possible corruption, the entity is not expected to directly manage the actions of personnel within
external parties, including those relating to outsourced service providers and other parties interacting with the
entity. However, depending on the level of risk assessed, management may stipulate the expected level of
performance and standards of conduct through contractual relations, and develop controls that maintain
oversight of third-party actions. Where necessary, management responds to detected unusual actions of others.

Risk Response

When preparing financial statements for external purposes management exercises judgment in complying with
external financial reporting requirements. Management considers how risks of material omission and
misstatement should be managed across the entity. Management selects, develops, and deploys controls to
effect principles within each component to respond to assessed risks. Accordingly, management judgment is
necessary in developing appropriate responses to risks of material omissions or misstatements, considering:

 Laws, rules, regulations, and standards that apply to the entity
 Nature of the entity's business and the markets in which it operates
 Scope and nature of the management operating model
 Competency of the personnel responsible for internal control over external financial reporting
 Use of and dependence on technology

Management's alternatives to respond to risks relating to external financial reporting objectives may be limited
compared with some other categories of objectives. That is, management is less likely to accept a risk than to
reduce the risk when considering the preparation of financial statements for external purposes. For instance,
management may decide to outsource transaction processing to a third party that is better suited to perform the
business process. However, management always retains responsibility for designing, implementing, and
conducting its system of internal control even when outsourcing to a third party. For external financial reporting
objectives, risk acceptance should occur only when identified risks could not, individually or in aggregate,
exceed the risk threshold and result in a material omission or misstatement.

Management exercises judgment when selecting, developing, and deploying controls to mitigate risks.
Accordingly, management's responses and actions depend on its assessed risks of material omission and
misstatement, perceptions of benefits and costs of effective controls, and other facts and circumstances unique
to the entity (e.g., management operating model, use of technology, competency of management and other
personnel).

Further, management may enhance the efficiency of the design, implementation, and conduct of a system of
internal control over external financial reporting by, for instance, acknowledging the following:

 Understanding the importance of specifying suitable objectives may focus management's attention on those
risks and controls that are most important to achieving these objectives.
 Focusing on those areas of risk that exceed acceptance levels and need to be managed across the entity may
reduce efforts spent mitigating risks in areas of lesser significance.
 Coordinating efforts for managing risks across multiple objectives may reduce the number of discrete, layered-
on controls.
 Selecting, developing, and deploying controls to effect multiple principles may reduce the number of discrete,
layered-on controls.
 Applying a common language — the Framework — encompassing operations, reporting, and compliance
processes and controls may lessen the number of languages used to describe internal control across the entity.

Smaller Entities

The principles underlying the components of internal control apply to entities of all types and sizes. However,
smaller entities may apply these principles using different approaches. For example, all public companies have
boards of directors or other similar governing bodies with oversight responsibilities relating to the entity's external
financial reporting. A smaller entity may have a less complex business model, organizational and legal structure,
and operations, and more frequent communication with directors, enabling greater reliance on board oversight
for achieving effective internal control.

The approaches contained within the Compendium are designed to be universal in nature and apply to any
entity type or size. The examples, however, derived from actual situations, may include specific facts and
circumstances that relate more to a larger entity. In most cases though, the examples translate well to
applications for both smaller and larger entities.

Documentation

Two levels of documentation should be considered in relation to financial statements for external purposes:

 In cases where management asserts to regulators, shareholders, or other third parties on the design and
operating effectiveness of its system of internal control, management has a higher degree of responsibility.
Typically this will require documentation to support the assertion that all components of internal control are
present and functioning. The nature and extent of the documentation may be influenced by the entity's
regulatory requirements. This does not necessarily mean that all documentation will or should be more formal,
but that sufficient evidence that the components and relevant principles are present and functioning and
components are operating together is available and suitable to satisfy the entity's objectives.

 In cases where an external auditor attests to the effectiveness of the system of internal control, management will
likely be expected to provide the auditor with support for its assertion on the effectiveness of internal control.
That support would include evidence that the system of internal control is effective, as defined in the Framework
or as established by regulators, standard-setting bodies, or other third parties. In considering the nature and
extent of documentation needed, management should also remember that the documentation to support the
assertion will likely be used by the external auditor as part of his or her audit evidence, including the sufficiency
of such documentation for those assertions. Management may also document significant judgments, how such
decisions were considered, and the final decisions reached.


Structure of the Compendium

The Compendium illustrates through approaches and examples how the principles apply to external financial
reporting objectives. Each chapter focuses on one of the five components of internal control and contains:

 A summary of the component that is consistent with the Framework
 A list of principles associated with that component
 A list of relevant approaches for applying principles in an external financial reporting context

Each principle is accompanied by a list of approaches. The approaches illustrate how organizations apply the
principles in designing, implementing, or conducting certain aspects of internal control over external financial
reporting. Approaches apply to any size or type of entity and illustrate important characteristics of each principle.
The points of focus attached to each principle will assist users in understanding the linkages between the
sample activities and these important characteristics of principles. Organizations will apply these approaches as
appropriate depending on individual facts and circumstances, and application is likely to evolve as
circumstances change over time. Note that the approaches included in the Compendium are not intended to be
a comprehensive or authoritative list.

For each approach, one or more examples are provided to illustrate how an important aspect has been put in
place by entities that prepare financial statements for external purposes. The examples are based on actual
experiences of entities, although some details have been modified for the purposes of this publication (e.g.,
entity and personal names are fictional and should not be attributed to any specific entity). The examples are not
intended to be construed as "best practices" or suggested solutions for users of the Framework. Further, the
examples are not necessarily sufficient to demonstrate that a particular principle is present and functioning as
defined in the Framework.

These approaches and examples are likely to be relevant to many types of entities (whether public, private, not-
for-profit, or governmental) that aim to prepare financial statements for external purposes and other forms of
external financial reporting. Where an example does not apply to all types of entities, this is noted. Finally, even
though the approaches and examples primarily relate to preparing financial statements for external purposes,
any entity seeking to design, implement, and conduct a system of internal control to achieve other external
financial reporting objectives may find them beneficial.

Footnotes

1 The Framework uses the terms "present and functioning" with respect to principles and components,
and "selects, develops, and deploys" with respect to controls to effect principles.

2 Applicable accounting standards, rules, and regulations may include accounting principles generally
accepted in the US (US GAAP), International Financial Reporting Standards (IFRS), Securities and
Exchange Commission rules for disclosure, and others.

3 For the purposes of the Compendium, approaches and examples use the term "material weakness" as
defined by the Securities Exchange Commission in the United States in the Securities Exchange Act of
1934 Rule 12b-2 [17 CFR 240.12b-2]. "Material weakness" means a deficiency, or a combination of
deficiencies, in internal control over financial reporting such that there is a reasonable possibility that a
material misstatement of the registrant's annual or interim financial statements will not be prevented or
detected on a timely basis.

4 The United States Securities and Exchange Commission (SEC) "Commission Guidance Regarding
Management's Report on Internal Control Over Financial Reporting Under Section 13(a) or 15(d) of the
Securities Exchange Act of 1934" states that "Management is responsible for maintaining a system of
internal control over financial reporting ('ICFR') that provides reasonable assurance regarding the
reliability of financial reporting and the preparation of financial statements for external purposes in
accordance with generally accepted accounting principles."

5 For example, the SEC issued Topic 1M of the Staff Accounting Bulletins to provide guidance on
assessing materiality and immaterial misstatements that are intentional. The International Accounting
Standards Board provides a definition of materiality in paragraph QC11 of the "Conceptual framework
for financial reporting 2010."

6 These financial statement assertions are substantially consistent with those described in the standards
of the American Institute of Certified Public Accountants, the Public Company Accounting Oversight
Board, and the International Auditing and Assurance Standards Board.

2. Control Environment

Chapter Summary

The control environment is the set of standards, processes, and structures that provide the basis for carrying out
internal control across the organization. The board of directors and senior management establish the tone at the
top regarding the importance of internal control including expected standards of conduct. Management
reinforces expectations at the various levels of the organization. The control environment comprises the integrity
and ethical values of the organization, the parameters enabling the board of directors to carry out its oversight
responsibilities, the organizational structure and assignment of authority and responsibility, the process for
attracting, developing, and retaining competent individuals, and the rigor around performance measures,
incentives, and rewards to drive accountability for performance. The resulting control environment has a
pervasive impact on the overall system of internal control.

Principles relating to the Control Environment component

1. The organization demonstrates a commitment to integrity and ethical values.

2. The board of directors demonstrates independence from management and exercises oversight for the
development and performance of internal control.

3. Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and
responsibilities in the pursuit of objectives.

4. The organization demonstrates a commitment to attract, develop, and retain competent individuals in
alignment with the objectives.

5. The organization holds individuals accountable for their internal control responsibilities in the pursuit of
objectives.

Principles and Approaches

1. The organization demonstrates a commitment to integrity and ethical values.
 • Establishing Standards of Conduct
 • Leading by Example on Matters of Integrity and Ethics
 • Evaluating Management and Other Personnel, Outsourced Service Providers, and Business Partners for Adherence to Standards of Conduct
 • Developing Processes to Report and Promptly Act on Deviations from Standards of Conduct

2. The board of directors demonstrates independence from management and exercises oversight for the development and performance of internal control.
 • Establishing the Roles, Responsibilities, and Delegation of Authority of the Board of Directors
 • Establishing Policies and Practices for Meetings between the Board of Directors and Management
 • Identifying and Reviewing Board of Director Candidates
 • Reviewing Management's Assertions and Judgments
 • Obtaining an External View
 • Considering Whistle-Blower Information about Financial Statement Errors and Irregularities

3. Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives.
 • Defining Roles and Reporting Lines and Assessing Them for Relevance
 • Defining Authority at Different Levels of Management
 • Maintaining Job Descriptions and Service-Level Agreements
 • Defining the Role of Internal Auditors

4. The organization demonstrates a commitment to attract, develop, and retain competent individuals in alignment with the objectives.
 • Establishing Required Knowledge, Skills, and Expertise
 • Linking Competence Standards to Established Policies and Practices in Hiring, Training, and Retention Decisions
 • Identifying and Delivering on Financial Reporting-Related Training as Needed
 • Selecting Appropriate Outsourced Service Providers
 • Evaluating Competence and Behavior
 • Evaluating the Capacity of Finance Personnel
 • Developing Alternate Candidates for Key Financial Reporting Roles

5. The organization holds individuals accountable for their internal control responsibilities in the pursuit of objectives.
 • Defining and Confirming Responsibilities
 • Developing Balanced Performance Measures, Incentives, and Rewards
 • Evaluating Performance Measures for Intended Influence
 • Linking Compensation and Other Rewards to Performance

Demonstrates Commitment to Integrity and Ethical Values

Principle 1. The organization7 demonstrates a commitment to integrity and ethical values.

Points of Focus

The following points of focus highlight important characteristics relating to this principle:

• Sets the Tone at the Top — The board of directors and management at all levels of the organization demonstrate through their directives, actions, and behavior the importance of integrity and ethical values to support the functioning of the system of internal control.
• Establishes Standards of Conduct — The expectations of the board of directors and senior management concerning integrity and ethical values are defined in the entity's standards of conduct and understood at all levels of the organization and by outsourced service providers and business partners.
• Evaluates Adherence to Standards of Conduct — Processes are in place to evaluate the performance of individuals and teams against the entity's expected standards of conduct.
• Addresses Deviations in a Timely Manner — Deviations from the entity's expected standards of conduct are identified and remedied in a timely and consistent manner.

Approaches and Examples for Applying the Principle

Approach: Establishing Standards of Conduct

Senior management, with guidance from the board of directors, defines and communicates expected standards
of conduct for the organization, including any specific to those responsible for preparing external financial
reporting. Such standards contain key provisions reflecting legal, ethical, and other expectations in the conduct
of business and financial reporting, and articulate management's philosophy and guidance for avoiding moral
hazards in the pursuit of objectives. They also leverage established professional codes of conduct, such as
those associated with financial and managerial accounting, legal, information technology, or other professional
organizations. To instill a common understanding of the company's standards, management develops various
means for:

• Communicating and reinforcing the accountability for responsible conduct of all personnel
• Permeating standards of conduct throughout the organization, including guidelines for application to high-risk issues and geographies
• Setting the expectation that personnel raise issues or questions relating to the application of the defined standards
• Making explicit the consequences for deviations from standards of conduct at any level in the organization
• Ensuring that new and existing employees are trained on the entity's standards of conduct and continuing education, and providing appropriate briefings to third parties engaging in business with the company
• Developing performance evaluation processes and incentives (and service-level agreements as necessary) that promote the right behavior in pursuit of objectives
• Providing staff with ethics training opportunities to ensure that all employees have the knowledge to identify and deal with dilemmas

Example: Defining, Communicating, and Regularly Updating the Code of Business Conduct and Ethical Standards

The senior management of Zanzibar Co., a publicly traded company, has created, maintains, and distributes the
company's code of business conduct and ethical standards to all employees and external parties acting on
behalf of the company, and has posted it on the company website. The code of conduct is available in all
relevant languages for ease of access and understanding by all within the global organization. The company
requires all employees to complete periodic interactive web-based training sessions on various aspects of the
code and ethical standards.

Furthermore, Zanzibar Co. provides a supplier code of conduct to its vendors as part of its service-level
agreements, which provide a basis for evaluation alongside product/service delivery evaluation.

These documents emphasize that every individual is responsible for maintaining an ethical environment and
reporting any ethical breaches. Service-level agreements and contracts with external parties include the relevant
language to specify the company's expected standards of conduct and serve as a basis for evaluating
adherence. The code also specifically sets out the expectation of reporting and resolving issues by providing
clear information on how to ask a policy question or report a violation through an independent third party.

Senior management and the board of directors annually review and discuss any changes needed to the code or
how it is administered, considering external and internal factors, including the coverage of the company's key
risk areas, any known compliance issues, and results of monitoring activities. For instance, over time, Zanzibar
Co. has added provisions to address new, applicable laws and has provided more guidance on what constitutes
an appropriate gift or entertainment.

Approach: Leading by Example on Matters of Integrity and Ethics

The CEO and key members of management at various levels in the organization articulate and demonstrate the
importance of integrity and ethical values across the organization. The various forms and mechanisms used to
do this may include:

• Communications from senior management that support the expected standards of conduct and that stay consistent as they permeate the organization
• Day-to-day actions and decision making at all levels of the organization that are consistent with the expected standards of conduct
• Interactions with suppliers, customers, and other external parties that reflect fair and honest dealings
• Performance appraisals and incentives that reinforce expected standards of behavior consistent with the entity's objectives at all levels of the organization
• Timely inquiries and investigations into any alleged conduct that is inconsistent with the entity's standards of conduct
• Corrective action when deviations from expected standards of conduct occur

While this approach can be synonymous with that of establishing standards of conduct when both operate
effectively, history has shown instances where organizations define and communicate honorable standards of
conduct, yet management does not internalize or exhibit these standards in its conduct, and therefore sets a
different tone than what is expected.

Example: Using a Company Newsletter to Reinforce Expectations of Integrity and Ethics

Aerospacial S.A., a small supplier to the aerospace industry, uses its monthly newsletter to employees,
outsourced service providers, business partners, and other external parties to emphasize the importance of
exercising sound integrity and ethical values. Each edition of the newsletter contains a section related to ethical
decision making and consequences of violations of the code. The newsletter draws attention to the multitude of
resources available to discuss and resolve ethical issues; it also reports what actions are taken by senior
management when the code is violated at any level of the organization. The newsletter illustrates the open
dialogue and resolution of issues that is actively promoted by senior management.

Examples of ethical dilemmas are provided, along with suggested resolutions. The newsletter points out that
reports of violations originate from a variety of sources, including employees, managers, the company's
anonymous hotline, and external parties. Responses range from no action (in cases where the violation is shown
not to have occurred) to various levels of discipline, including dismissal.

Finally, the newsletter reminds all Aerospacial S.A. employees — from senior management to entry-level — that
as part of their annual performance review they must certify that they have read the company's mission
statement and code of conduct and that they comply with policies at all times.

Approach: Evaluating Management and Other Personnel, Outsourced Service Providers, and Business
Partners for Adherence to Standards of Conduct

The board of directors and senior management evaluate adherence to the company's standards of conduct. This
is accomplished in a variety of ways, which may include:

• Assessing results from training and ethics certification processes
• Considering anomalies in key performance indicators and internal analytical reviews of operational and financial information that could be a potential indicator of fraudulent financial reporting or other misconduct
• Considering the results from ongoing and separate evaluations of internal control, which include evaluations of internal control at outsourced service providers and business partners who provide information necessary to produce external financial reporting
• Analyzing issues and trends from hotlines and help lines made available within the organization that could indicate potential fraud occurrences and other ethical concerns
• Requesting feedback from meetings held with outsourced service providers and business partners when obtaining financial information or information that impacts the entity's internal control over external financial reporting

Example: Conducting Ethics Audits

The not-for-profit organization Partners for Development conducts scheduled audits to determine whether
employees are receiving, understanding, and applying the board-approved standards of conduct. A
completeness check is performed to verify that every employee has received and attested to these standards or
otherwise provided a specific explanation that is then reviewed and addressed by senior management and the
board. The audits also include non-employees and consultants from the organization's IT service provider. The
standards consist of three documents: the code of ethics and standards of personal conduct, the compliance
policy statement, and the expected standards of conduct.

Partners for Development's purpose in conducting these audits is to determine if there are any shortcomings in
understanding or instances of non-compliance and to use those findings to assess and correct any deficiencies
in the organization's new-hire orientation, communications, training, and employee review processes. Upholding
the organization's standards of conduct is intended to help safeguard against or escalate any instances of fraud,
management override, or other illicit transactions and support complete, accurate, and reliable financial reporting
to the organization's government sponsors.

Example: Evaluating Misconduct Reported through an Anonymous Hotline

All-World Food Distributors provides an anonymous hotline for employees to report potential fraud and other
ethical concerns. The entity engages a third-party service provider to administer the hotline to provide the
comfort of anonymity for its employees. This service immediately reports any potentially illegal acts or financial
reporting improprieties directly to the company's legal department and audit committee. Issues and trends are
analyzed and conclusions are reported to the audit committee of the board.

Approach: Developing Processes to Report and Promptly Act on Deviations from Standards of Conduct

Senior management develops and consistently follows a prescribed process and standard to promptly
investigate, report, and take action to correct any violations to the standards of conduct occurring at any level of
the organization, including outsourced service providers and business partners. The process may include:

• Having individuals who are independent of the alleged matter conduct the investigation (Note, however, where the deviation is deemed significant — due to the seriousness or pervasiveness of the allegation, degree of management involvement, regulatory interest, etc. — it may be necessary to have a board-led investigation, with a special committee that is independent of management.)
• Applying criteria to prioritize deviations (e.g., monetary value, patterns, trends, reputation impact)
• Investigating occurrences of possible violations to ensure a thorough understanding of issues and circumstances
• When applicable, assessing the financial statement impact and determining what internal controls over external financial reporting may have failed to detect the matter
• Developing appropriate support documentation and reporting
• Identifying and communicating with anyone under investigation (or after thorough investigation in instances of alleged fraud), and following up on any corrective actions taken to remedy the matter on a consistent and timely basis and according to prescribed company guidelines
• Restricting access to sensitive information regarding the allegation to individuals authorized to handle the investigation
• Informing the board of deviations in the application of the standards and any waivers that may have been granted or that are being considered
• Determining how and when the violation will be communicated and if it will be made public
• Communicating to all company personnel that appropriate investigation and corrective actions have been taken
• Depending on the nature and pervasiveness of the deviation that has occurred, establishing remediation activities as needed to make retrospective corrections and forward-looking improvements

Remediation may address accounting corrections needed, process control enhancements, systems
development or enhancements, accountability reinforcement, training, revisions to the standards of conduct,
providing management, personnel or third parties with increased awareness of the importance of applying the
standards, and other actions. The board reviews and approves the adequacy of remediation measures and
progress reports.

Example: Taking Action when Deviations Occur

Best Fit Shoes has established policies and procedures to address serious improprieties or illegal acts by
employees, such as theft or bribing a new supplier to secure a contract. The policy empowers the legal
department to initiate the investigation together with the internal audit department or an external third party in
order to understand, document, and report the facts of the alleged matter for evaluation and assessment.

Best Fit's policy clearly states that if such an illegal act or impropriety is confirmed, the company will terminate
the employee, revoke all access privileges, and file formal charges with appropriate authorities. The policy also
requires the human resources manager to document the situation and its resolution, analyze the root cause of
the breach, and implement any additional remedial steps to avoid similar occurrences in the future. Progress
reports are regularly provided to the audit committee.

In one instance, when facilitation payments were made to obtain certain contracts, the policy was immediately
applied and an investigation was launched. The audit committee was notified and regularly presented with
progress updates and the proposed corrective actions for approval.

Exercises Oversight Responsibility

Principle 2. The board of directors demonstrates independence from management and exercises oversight for
the development and performance of internal control.

Points of Focus

The following points of focus highlight important characteristics relating to this principle:

• Establishes Oversight Responsibilities — The board of directors identifies and accepts its oversight responsibilities in relation to established requirements and expectations.
• Applies Relevant Expertise — The board of directors defines, maintains, and periodically evaluates the skills and expertise needed among its members to enable them to ask probing questions of senior management and take commensurate actions.
• Operates Independently — The board of directors has sufficient members who are independent from management and objective in evaluations and decision making.
• Provides Oversight for the System of Internal Control — The board of directors retains oversight responsibility for management's development and performance of internal control:
  • Control Environment — Establishing integrity and ethical values, oversight structures, authority and responsibility, expectations of competence, and accountability to the board
  • Risk Assessment — Overseeing management's assessment of risks to the achievement of objectives, including the potential impact of significant changes, fraud, and management override of internal control
  • Control Activities — Providing oversight to senior management in the development and performance of control activities
  • Information and Communication — Analyzing and discussing information relating to the entity's achievement of objectives
  • Monitoring Activities — Assessing and overseeing the nature and scope of monitoring activities and management's evaluation and remediation of deficiencies

Approaches and Examples for Applying the Principle

Approach: Establishing the Roles, Responsibilities, and Delegation of Authority of the Board of
Directors8

The roles, responsibilities, and powers of delegation of the board of directors are defined in its corporate bylaws
and committee charters in accordance with applicable regulatory and listing requirements. For external financial
reporting purposes, the board typically forms an audit committee whose responsibilities include overseeing:

• The effectiveness of internal control over external financial reporting, including the assessment of risks, significant deficiencies, and material weaknesses (if any)
• Management's assessment of any significant matters, considering the potential impact on financial reporting and need for corrective action
• The establishment of formal communication with management of the internal audit function to facilitate discussion of any sensitive issues
• The quality of financial reporting and disclosures
• The hiring of and payment to the external auditor

Audit committee members typically demonstrate independence of thought and substance by absence of any
material financial or other personal ties to the company, which could impede their ability to provide unbiased
guidance and oversight.

The responsibility of the board and audit committee is to oversee management's performance of internal control.
The board must therefore retain objectivity in relation to management.

Example: Reviewing and Documenting Key Activities of the Audit Committee

Every year, the board of directors of Northern Power, a distributor of electricity, commissions an effectiveness
evaluation of its audit committee. An independent consultant with expertise in governance reviews the means by
which the audit committee fulfills its responsibilities, as set out in its charter. Specifically, it evaluates how the
members of the audit committee:

• Oversee the quality and reliability of financial reporting and disclosures
• Understand the key risks facing the organization and the processes management uses to identify, assess, and manage risks, considering internal audit findings, litigation, compensation schemes, regulation, and compliance
• Evaluate organizational behavior, culture, and adherence to standards of conduct
• Challenge management and the external auditor in determining materiality for financial reporting purposes
• Assess reasonableness and appropriateness of critical accounting policies of the company
• Confirm or reject the basis for management estimates and proposed accounting policy changes before approving
• Evaluate, retain, or change external auditors
• Review audit plans
• Review management's assessment of internal control over external financial reporting

The results of the evaluation are used to determine whether the roles and responsibilities of the committee have
been met and could result in committee member changes or impact remuneration. In addition to the annual
review, every three years the company conducts a benchmark review against leading practices and refines its
charter, as appropriate.

Example: Reviewing Governmental Agency Financial Results and Underlying Internal Control

Public Aid is a governmental agency that is subject to oversight by various bodies, representing knowledgeable
and independent officials. In terms of its financial reporting, key roles include the following:

• The organization's deputy head is responsible for assuming overall stewardship for the integrity of the agency's financial management capabilities, and for signing off on all key external financial management representations and disclosures, including the Statement of Management Responsibility Including Internal Control over Financial Reporting.
• An audit committee, whose chairman is responsible for ensuring that the committee acts as an independent and objective advisor to the deputy head and provides guidance on the adequacy of the agency's system of internal control, financial reporting, and disclosures.

The comptroller general is responsible for providing government-wide functional direction and assurance for
financial management and stewardship over public resources, as assigned by the Treasury Board, in
collaboration with other central agencies. He provides oversight of government-wide financial information
systems and quarterly financial reporting. He monitors the qualifications and competence of the financial
management community across government for all aspects of financial management and reports periodically to
the Treasury Board on the state of financial management across government agencies.

Approach: Establishing Policies and Practices for Meetings between the Board of Directors and
Management

The board of directors reviews and approves policies and practices that support the performance of internal
control across the business in regular meetings between management and the board. The processes and
structures particularly relevant to the audit committee of the board are those that provide:

• Appropriate forums to enable board members to ask probing questions of management
• A calendar that establishes the timing and frequency of meetings with management
• Expected practices to keep board members current on both emerging and adopted accounting standards and their impact on the entity's financial statements
• Procedures to review management's development and performance of internal control over external financial reporting
• Authority to engage experts as needed and oversight to ensure that management appropriately resolves matters raised by the board
• Criteria and procedures for calling special and/or urgent meetings as necessary
• Allocation of time in board meetings for discussions with external advisors, internal and external auditors, and legal counsel without management being present

The policies and practices are updated as needed to reflect changes in internal and external expectations,
including rules and regulations.

Example: Establishing an Audit Committee Meeting Calendar

The audit committee of Outer Limits Innovations, an aerospace control systems supplier, uses its charter as
guidance when setting its meeting dates and agendas. Fred Krahn, the chair of the committee, plans for at least
one meeting during the year at which each responsibility set forth in the charter is discussed. This practice helps
the audit committee to cover all relevant responsibilities and management to anticipate and plan for the
committee's expectations. The meeting calendar, which is shown below, is periodically reassessed to adjust for
emerging regulatory and technical matters that could affect the company or the industry.

Example: Preparing Effectively for Meetings

The audit committee of Millennium Lighting, a manufacturer of lighting and ventilation equipment, is chaired by
Janis White, a CPA with financial reporting expertise and previous public accounting experience. Ms. White
regularly distributes to the committee members any updates from management on technical matters, such as
new accounting standards or developments affecting the company and related financial statement implications.

Before each committee meeting, she circulates the draft agenda both to the committee members and the
external auditors to solicit their input on any additional technical accounting agenda items they would like to
discuss. Ms. White is committed to keeping open channels of communication with the external audit
engagement partner and the company's chief audit executive to ensure she receives timely updates on any
discussions occurring with management as technical matters emerge. Internal audit, litigation, and corporate
social responsibility are a few of the areas that are regularly solicited for input by the board or audit committee.

Approach: Identifying and Reviewing Board of Director Candidates

The board of directors periodically assesses and confirms its collective ability to provide effective oversight.
Through independent review and self-assessment it determines the adequacy of its composition, whether it has
sufficient independent members, and the appropriate expertise.

To meet the entity's external financial reporting objectives, the board of directors identifies certain board
candidates who are independent of both management and the entity and who have requisite financial reporting
and other relevant expertise. These members are typically assigned to the audit committee.9 Such expertise
may be established through professional networks and organizations and by educational institutions whose
missions are aligned to the advancement of the financial reporting profession.

The board reviews the results of due diligence performed on potential board candidates and confirms their
competence and ability to remain unbiased. The procedures to ensure that potential board members meet the
defined criteria may include:

• Evaluating the key risks facing the organization and accordingly defining board member profile requirements
• Performing background checks and obtaining independent references
• Reviewing current affiliations and directorships to ensure independence relative to management and the entity
• Considering skills and expertise, ranging from financial to regulatory and various technical knowledge needed to understand the issues that could affect the company's external financial reporting
• Validating that any credentials and certifications held demonstrate an achieved competence level
• Reviewing information about financial and other relationships with the company, its external auditors, or management
• Using an independent nominating committee or search firm to oversee due diligence procedures
• Evaluating periodically the due diligence procedures used for identifying potential directors, including checking that an individual director's certifications are complete, up-to-date, and comply with the entity's ethics guidelines and independence rules

Example: Changing the Board Composition of a Closely Held Company

Giante Ore is a mining exploration company whose shares are traded on an "over-the-counter" bulletin board.
Giante Ore has long maintained a board of directors that includes three of the CEO's family members and three
outside, but not independent, directors: the company's outside legal counsel, a venture capitalist, and a personal
friend of the CEO.

Giante Ore recognized that it needed to strengthen its control environment and board effectiveness. To that end,
it revisited its board structure. The three relatives and one personal friend of the CEO left the board and have
been replaced by four independent directors, all of whom are financially literate. One of the four has specific
financial expertise. These directors have now been appointed to a newly formed audit committee with its
responsibilities set forth in a charter.

Example: Assessing and Disclosing Director Qualifications

When Greene Inc. needs to identify new members for its board, it follows a detailed procedure to ensure the
best possible candidates are chosen. The nominating committee works with the human resources department,
the legal department, and an independent executive search firm to identify candidates and conduct due diligence
in support of the interest of the company in its short- and longer-term objectives. The key skills it has identified are
financial literacy, liquidity risk management expertise, business continuity planning, and corporate social
responsibility reporting experience that reflects the business performance expectations of the company's
stakeholders.

The same team conducts an annual review to ensure that board members continue to have the requisite
competence and independence given the entity's stakeholder needs. The senior management of Greene Inc.
provides the results of the review in its public filings.

Approach: Reviewing Management's Assertions and Judgments

The board demonstrates an appropriate level of skepticism of management's assertions and judgments that
affect financial reporting by asking probing questions. In particular, the audit committee of the board seeks
clarification and justification of the company's process for:

• Selecting and implementing accounting policies
• Determining critical accounting estimates
• Making key assumptions used in the application of technical accounting and reporting matters
• Evaluating other risks facing the organization, with the potential impact on financial reporting

Example: Reviewing Financial Statement Estimates

Custom Engineering manufactures specialty polymer products. The audit committee meets regularly with
management to review the reasonableness of management's assumptions and judgment used to develop
significant estimates. The committee then meets privately with the external auditor to discuss its assessment of
management's estimates and the related impact on financial reporting.

This practice is carried out for all assumptions related to key financial statement accounts, disclosures, and
relevant assertions most subject to management judgment and bias. For example, for Custom Engineering's
annual goodwill evaluation, management provides relevant information on any specialists engaged to assist the
company, key judgments and assumptions included in the company's discounted cash flow model, plausible
sensitivity scenarios that were considered, and confirmation of the appropriate technical accounting standard
applied.

Approach: Obtaining an External View

The audit committee of the board meets regularly with internal and external auditors as well as independent
reviewers, in private when necessary, to review and discuss such topics as:

• Key risks facing the organization
• Audit scope and testing plans
• Basis for definition of materiality threshold
• Changes in accounting policies
• Assumptions in models and calculations
• Resources and staffing
• Organization and culture
• Management's assessment of internal control over financial reporting
• Significant audit findings
• Quality and reliability of financial reporting and disclosures

Example: Interacting with Auditors

Sara Greenburg is the chair of the audit committee of Seaworthy Solutions, a marine construction services
provider. In accordance with the audit committee charter, she arranges for the committee to meet quarterly with
the external auditor to discuss a wide range of issues such as audit scope, testing plans, internal control over
external financial reporting, quality of financial reporting, and audit findings and recommendations. She is
responsible for coordinating the audit committee's evaluation of the external auditor. She bases her evaluation
on a number of considerations, including the firm's reputation, the qualifications of the audit partner and team,
knowledge and experience in the company's industry, and the firm's quality control procedures. Ms. Greenburg
believes that these interactions, supplemented as needed with interim conversations, effectively positions her to
monitor the external auditor's performance and make an informed judgment on any need to modify or terminate
the relationship.

The audit committee also regularly meets with Seaworthy's chief audit executive to ensure that the same
oversight objectives of the internal audit function are attained. The chief audit executive reports directly to the
audit committee to enable an objective mindset within the internal audit organization and to facilitate the
escalation of issues independent of management, if so required.

Approach: Considering Whistle-Blower Information about Financial Statement Errors and Irregularities

The audit committee considers information obtained from the company's whistle-blower and anti-fraud programs
(or similar processes) to monitor the risks in misstatements in financial reporting. These may include risks of
inappropriate acts by staff and management override of controls. The audit committee reviews any whistle-
blower allegations and evaluates management's analysis of significant matters, potential impact on financial
reporting, and corrective actions being taken.

Example: Assessing the Potential of Management Override

Start-up Inc. is a privately held company that has grown rapidly and now faces heightened competition and
declining margins. The owners have become increasingly concerned about the potential for fraud and
management override to make quarterly results look more favorable and meet performance targets. In response,
Human Resources has made a help line available to management and staff, and an external service provider
now provides a hotline for anonymously reporting breaches of ethics and integrity that could impact external
financial reporting. The owners review all allegations received, assign the cases for investigation, and review the
findings to understand the motivations, opportunities, and rationalizations for management override and how
those activities might be concealed, and to ensure prompt corrective action is taken.

Example: Investigating and Reporting Whistle-Blower Allegations

Generation Now is an electricity transmission and distribution company that periodically receives calls on its
whistle-blower hotline. The business ethics committee chaired by the general counsel reviews the logs of all
calls and determines the appropriate course for follow-up action. Matters are opened and assigned to internal
audit for investigation and proposed resolution by senior management and the board, as appropriate.
Investigations are carried out by internal auditors or others who are independent of the issue. Every quarter,
internal audit, working in conjunction with the general counsel, provides a status report of progress and
proposed resolutions relating to each call. The board and management determine the final resolution and
oversee any follow-up actions.10

Establishes Structure, Authority, and Responsibility

Principle 3. Management establishes, with board oversight, structures, reporting lines, and appropriate
authorities and responsibilities in the pursuit of objectives.

Points of Focus

The following points of focus highlight important characteristics relating to this principle:

• Considers All Structures of the Entity — Management and the board of directors consider the multiple structures used (including operating units, legal entities, geographic distribution, and outsourced service providers) to support the achievement of objectives.
• Establishes Reporting Lines — Management designs and evaluates lines of reporting for each entity structure to enable execution of authorities and responsibilities and flow of information to manage the activities of the entity.
• Defines, Assigns, and Limits Authorities and Responsibilities — Management and the board of directors delegate authority, define responsibilities, use appropriate processes and technology to assign responsibilities, and segregate duties as necessary at the various levels of the organization:

  • Board of Directors — Retains authority over significant decisions and reviews management's assignments and limitations of authorities and responsibilities
  • Senior Management — Establishes directives, guidance, and control to enable management and personnel to understand and carry out their internal control responsibilities
  • Management — Guides and facilitates the execution of senior management directives within the entity and its subunits
  • Personnel — Understands the entity's standard of conduct, assessed risks to objectives, and the related control activities at their respective levels of the entity, the expected information and communication flow, and monitoring activities relevant to their achievement of the objectives
  • Outsourced Service Providers — Adheres to management's definition of the scope of authority and responsibility for all non-employees engaged

Approaches and Examples for Applying the Principle

Approach: Defining Roles and Reporting Lines and Assessing Them for Relevance

Senior management prepares organizational charts to document, communicate, and enforce accountability for
the achievement of the entity's financial reporting objectives. The organizational charts can be used to:

• Set forth assignments of authority and responsibility
• Ensure duties are appropriately segregated
• Establish reporting lines and communication channels
• Define the various reporting dimensions relevant to the organization
• Identify dependencies for roles and responsibilities involved in financial reporting as well as those accountable for external parties

Each unit or department within the entity that is relevant to external financial reporting aligns its roles and
responsibilities to processes supporting the financial reporting objectives. Senior management and the board of
directors verify that accountability and information flow within each of the various organizational structures (by
business segment, geographical location, legal entity, or other) continually support the achievement of the
entity's existing financial reporting objectives. Existing structures are periodically assessed for relevance
considering changes in the entity or the environment in which it operates to ensure such alignment.

Example: Reorganizing to Support Control Structure

Before Harmony Homes Real Estate became a public company, a wide range of the employees reported to the
owner and CEO, Milton Chang, and the business structures in the US and in Asia were loosely connected.
During the plans to go public, Mr. Chang, with the board's guidance, took steps to strengthen the organizational
structure to better support both operations and financial reporting objectives. Management created three
departments to oversee its core business activities: sales and customer service, purchasing/inventory, and
production. Geographic governance structures were also established to oversee operations by jurisdiction and
facilitate reporting to local regulators and other stakeholders. The managers charged with leading each of these
departments and territories, as well as the managers of key staff functions, documented each person's
responsibility in the processes. Job descriptions, including internal control responsibilities, were developed to
support full understanding of each person's role.

The clear statement of roles helps to ensure responsibilities are carried out in support of the organization's
objectives. It also provides the basis for risk assessment, control activities, information and communication, and
monitoring activities along different dimensions simultaneously.

Example: Redefining Roles with CEO and Board Input

Due to significant changes within the company and the industry, Pieter Jenssen, CEO of transportation services
provider General Trucking, recognized the need to redefine the role of each position within the company's mid- to
high-level management team, especially within the finance and accounting function. His initiative was launched
at an off-site meeting where the goals and objectives of the business were reviewed and realigned with
managers' specific roles and responsibilities, including those related to the financial reporting process. Two
board members attended the meeting to serve as a sounding board, and all participants reached a shared
understanding on how they will function and interact with one another in the future. The results of the meeting
were communicated to other managers throughout the organization. The communication included a description
of organizational lines by product line, geography, and management structure. It also included associated roles,
responsibilities, and communication procedures, incorporated into policies that were made readily accessible on
the company's intranet.

Approach: Defining Authority at Different Levels of Management

The board of directors outlines its oversight authority for financial reporting over senior management through its
charter. When assigning authorities and responsibilities, management considers the impact on the control
environment and the importance of effectively segregating duties. Policy documents define cascading levels of
authority, checks, and balances for authorizing transactions, and accounting and reporting of financial results.
Such authority and responsibility is deliberately limited in order to balance the need for the efficient achievement
of objectives against the risks that could result from unmonitored inappropriate conduct. Management empowers
employees to correct problems or implement improvements in their assigned business process as necessary.

Example: Maintaining an Authority and Approval Matrix

Muell AG, a waste management company, maintains policies that detail the monetary commitment and
transaction approval authorities of its managers on a per occurrence basis. Managers who exceed their
individual transactions authority must obtain approval from the appropriate higher-level management, which in
some cases includes the board of directors. These authority and responsibility policies exist for a broad range of
the company's business functions, including mergers and acquisitions, sales and marketing, purchasing, risk
management, labor, capital expenditures (including landfills), IT expenditures, and leases. The policies are
updated when necessary to reflect changes in the business, and any revisions require the approval of the chief
accounting officer.

Approach: Maintaining Job Descriptions and Service-Level Agreements

Based on the delegated authority levels, management maintains job descriptions to outline financial reporting
responsibilities, and updates them when needed. In addition, management provides sufficient direction to ensure
that employees recognize their responsibility for internal control and the importance of applying appropriate
diligence and business judgment when they carry out their assigned job responsibilities.

For key financial reporting positions, the board of directors reviews management's descriptions of the related
authorities and responsibilities and considers how those positions affect the strength of internal control over
external financial reporting.

When applicable, the responsibilities of externally sourced support personnel are outlined through service-level
agreements, specifically targeting timeliness and the quality of financial reports generated.

Example: Aligning Roles and Responsibilities with Objectives

The senior management at MNO Games, a games software developer, has recognized that the company's
recent significant growth is causing many of the roles and responsibilities of its management executives to be no
longer relevant. Responsibilities of the controller and CFO overlap, systems for product being sold through new
channels are not adequately reviewed, and the CEO is not effectively communicating initiatives and agreements
across the senior management team.

In response, the senior managers have initiated a project to realign responsibilities among its leadership team.
The goals are to adequately support financial reporting objectives, with clear lines of reporting supported by new
written job descriptions. The project has already resulted in a new company policy for MNO Games that requires
each business unit manager to maintain the updated job descriptions and organizational charts depicting
positions and lines of reporting within the unit.

Example: Maintaining Control while Engaging Outside Service Providers

SureSafe provides identity-theft protection and credit management services to credit card companies and has
decided to outsource its payroll and 401(k) plan administration to capitalize on cost savings, ease access to
relevant specialists for technical and administrative questions, and improve segregation of duties between its
key payments and collections processes.

SureSafe identified a small reputable company, J.K. Green and Associates, as one that would meet its
processing, reporting, and internal control needs. The service-level agreement signed by both parties specifies
each party's expectations and responsibilities for the services provided and internal control over the outsourced
business processes.

Approach: Defining the Role of Internal Auditors

In companies with formal internal audit functions (which can vary from an individual assigned with internal audit
responsibilities to a formal department), the board of directors empowers the internal audit function to carry out
its purpose, authority, and responsibilities with direct access to the audit committee and/or the board of directors.
The board or audit committee is actively involved in reviewing the company's risk assessment, ensuring that the
internal audit plan provides adequate assurance on the adequacy of coverage of key risk areas, and overseeing
internal audit compensation to ensure it is structured in a manner that supports the need for objectivity.

Example: Reviewing and Approving the Internal Audit Plan

Sam Murphy, the chief audit executive officer of Pine Tree Real Estate, annually presents an internal audit plan
to the CEO and audit committee for review and approval. The audit plan includes the scope, work plan, staffing,
and budget for the coming year, as well as any modifications needed in the charter to define roles and
responsibilities.

The audit committee reviews and approves the plan, recognizing that it may need to be revisited periodically to
respond to significant changes in the company, such as new product lines, acquisitions, unexpected regulatory
issues, etc. The audit committee regularly assesses the independence of the chief audit executive and evaluates
the activities of the internal audit function.

Demonstrates Commitment to Competence

Principle 4. The organization demonstrates a commitment to attract, develop, and retain competent individuals
in alignment with objectives.

Points of Focus

The following points of focus highlight important characteristics relating to this principle:
• Establishes Policies and Practices — Policies and practices reflect the organization's expectations of competence necessary to support the achievement of objectives.
• Evaluates Competence and Addresses Shortcomings — The board of directors and management evaluate competence across the organization and in outsourced service providers in relation to established policies and practices, and act as necessary to address shortcomings.
• Attracts, Develops, and Retains Individuals — The organization provides the mentoring and training needed to attract, develop, and retain sufficient competent personnel and outsourced service providers to support the achievement of objectives.
• Plans and Prepares for Succession — Senior management and the board of directors develop contingency plans for assignments of responsibility important for internal control.

Approaches and Examples for Applying the Principle

Approach: Establishing Required Knowledge, Skills, and Expertise

The audit committee of the board reviews and approves the competency requirements of all individuals serving
in key financial reporting and internal audit roles and for all members of the audit committee. These are based
on applicable laws and regulations, and on the expertise needed for applying the entity's existing policies and
practices related to external financial reporting.

Management develops and maintains policies and practices that reflect the organization's values and objectives.
For instance, job descriptions capture the expectations in terms of the knowledge, skills, expertise, and
credentials needed to effectively carry out responsibilities for each financial reporting position.

The finance department regularly reviews the entity's accounting and reporting policies and practices, and
updates these as necessary to keep pace with internal expectations and external factors, including changes in
technical standards and regulatory requirements.

The human resources department periodically updates materials outlining the company's policies and
procedures on attracting, training, coaching, evaluating, and retaining personnel.

Example: Periodically Reviewing Policies

Asha Sandhu leads the human resources department of NetTech Industries, a provider of networking technology
platforms. She works with the business unit and functional leaders to define the roles and responsibilities of
personnel and related job descriptions that are aligned to the company's objectives. For instance, she helps the
chief financial officer establish the job descriptions of financial reporting personnel, tying back to the
performance of accounting, reporting, and internal control policies and procedures.

She also brings together the respective owners of policies and procedures to review the continued relevance
and adequacy of content, considering relevant factors such as organizational changes, new accounting
standards, or revised disclosure requirements. She ultimately facilitates the update process, communications,
and training, as necessary.

Approach: Linking Competence Standards to Established Policies and Practices in Hiring, Training, and
Retention Decisions

Policies and practices that represent the entity's competence standards for financial reporting positions are used
as a basis for human resource and employee compliance activities, which may include:

• Selecting and interviewing candidates
• Performing background/reference checks
• Making hiring, retention, promotion, and termination decisions
• Developing training curricula
• Setting certification expectations
• Conducting exit interviews to uncover any concerns related to the entity's internal control over external financial reporting

Example: Recruiting and Retaining Key Financial Reporting Positions

The CFO of La Porte, a garage door manufacturer, is looking to fill the position of controller for its affiliate in
France. The job requires someone with in-depth experience in local public filing reporting compliance
requirements, a high level of integrity, and sound ethical values.

La Porte has screened candidates through interviews by a cross-section of leaders of key departments, the
human resources department running background checks, and the CFO interviewing the candidates' references.
The assessment criteria included the extent of each candidate's technical accounting knowledge, the complexity
of issues they had dealt with in their career to date, their willingness to learn and take on new challenges, and
the ability to make ethical business decisions.

When hired, the successful candidate will be expected to participate in several relevant conferences throughout
the year to maintain a current level of knowledge of industry and financial reporting matters and recognize that
he or she is valued as an important asset to the company.

Example: Defining Performance Expectations

A leading provider of consumer credit, Credit Safe, believes in establishing and reinforcing a culture in which its
employees are aware of performance expectations and requirements. To that end, annual performance
objectives are established and documented for each employee. For example, employees working in finance and
internal audit roles are expected to either work toward obtaining a certification or attend a requisite amount of
continuing education training to maintain existing certifications.

Credit Safe periodically evaluates every employee's performance and tracks it against established objectives.
Management provides feedback and guidance to help employees achieve the objectives. At the end of each
year, an employee's performance is rated as one of several categories: superior, exceeds expectations, meets
expectations, needs improvement, or unsatisfactory.

Approach: Identifying and Delivering Financial Reporting-Related Training as Needed

Training needs are identified and delivered to targeted personnel. These address regulatory expectations,
emerging accounting and reporting standards, and in-house input on areas that require improvement. Training
needs are reprioritized as necessary in response to how often applicable changes occur, both within and outside
the organization.

Example: Implementing Complex Accounting Standards

Orex, a mining exploration company that makes extensive use of stock options in compensating its senior
employees, has been subject to a pronouncement on accounting for stock compensation. Max Tellemann, the
chief financial officer, and Arlene Shreve, the company controller, attended an external training session on the
pronouncement, which included working through examples of how the standard would be applied in various
cases. Mr. Tellemann and Ms. Shreve assessed the suitability of their company's practices by performing an
impact analysis based on expert opinions and trade publications that discuss expected impacts and pitfalls. They
then revised existing policies and procedures and provided communications and training to affected personnel.

This intensive training has provided senior management of Orex with the confidence that their CFO and
controller now have sufficient knowledge to make informed decisions on the proper application of the standard.
Documentation of the training attended has been tracked and included in Ms. Shreve's and Mr. Tellemann's
employee files.

Approach: Selecting Appropriate Outsourced Service Providers

Management identifies the required skills and experience necessary to support the entity's external financial
reporting objectives. It then decides whether to internally retain people with the skills and experience or to
outsource to a third party. The suitability of a third party is determined not only by assessing skills and
experience, but also by considering the entity's policies on using vendors and on ethical standards. The
contractual arrangement with the outsourced service provider captures these competence requirements and
provides the basis for the entity to periodically assess the outsourced service provider's continued commitment
to competence.

Example: Retaining External Tax Assistance

Compu Services, a developer of analytical software products, currently has limited tax accounting expertise
among its staff. The finance director therefore sought to contract with a third-party accounting firm, SMR Ledger,
LLP, to review its tax provisions. SMR Ledger is a different accounting firm from the Compu Services auditor.
For successful selection and use of the vendor's services, management was careful to verify that the vendor met
the suitability standards set forth in Compu Services' policies. Being directly affected by the quality of the control
procedures carried out by the vendor, the CFO spends time with the vendor to understand any assumptions
used in models or calculations, particularly as they may impact financial reporting. Indeed, while Compu
Services' management chooses to outsource certain tax activities, it remains responsible for the effectiveness of
relevant controls regardless of where they are operated. The company therefore requests annual independent
certifications of the vendor's internal control effectiveness.

Approach: Evaluating Competence and Behavior

To instill a common understanding and application of expected competence and behavioral standards,
management consistently communicates expectations through policies and practices and evaluates
employee adherence by:

 Developing incentives and rewards that consider the multiple dimensions of conduct and performance
 Reinforcing expectations of continued demonstration and strengthening of expected levels of competence
 Ensuring individual and team goals in support of the achievement of the entity's objectives are defined, use
observable metrics, and are communicated to each employee
 Developing a performance appraisal process that confirms employee knowledge of both their progress against
their goals and their status within the organization
 Conducting periodic performance reviews and evaluating employees relative to their assigned roles to confirm
that the employees' skills are appropriate for their current job responsibilities
 Making appropriate advancement or termination decisions based on performance reviews
 Changing the performance appraisal process as needed based on lessons learned or changes in strategy and
operating objectives
 Continually endorsing behavior that is consistent with competence standards, and discouraging inconsistent
behavior

Using the same criteria, the board of directors evaluates the competencies of individuals serving in key financial
reporting roles, such as the chief executive officer, chief financial officer, and chief audit executive.

Example: Periodically Assessing Performance

City Government periodically reviews the performance of its employees who are responsible for owning,
executing, or testing financial reporting controls. Performance is evaluated against expectations that are
established at the beginning of each year. The progress achieved on needed improvements is reviewed with
employees at the end of each quarter, and a more formal annual review process occurs following the year-end
reporting cycle. An employee's career advancement is based on the overall performance rating. Management
identifies specific areas for improvement and professional growth, which employees can address with training
and development steps, as jointly agreed with the respective manager in the context of City Government's
finance function and overall performance objectives.

Example: Audit Committee Review of Managers' Roles

The bylaws of Lead Products Co. specify the responsibility of the audit committee of the board for reviewing the
principal roles and responsibilities of key financial reporting senior management. To this end, the chair of the
audit committee meets annually with the company's human resources director, chief audit executive, and legal
counsel to review the roles, responsibilities, and performance of the various company managers. The review
focuses on aligning respective managerial responsibilities with Lead Products' organization chart, and the
managers' expertise and experience in carrying out the responsibilities. The audit committee also evaluates the
independence of the relationship between management and the chief audit executive, considering input from the
chief financial officer and other primary customers of internal audit services.

Approach: Evaluating the Capacity of Finance Personnel

Senior management evaluates the capacity of personnel who are involved in recording and reporting financial
information, and in designing and developing financial reporting systems including underlying IT systems. Senior
management assesses the department's ability to identify issues, articulate positions supported by the relevant
literature, and stay abreast of technical financial reporting developments. Considerations when assessing the
adequacy of staffing levels and competence of financial reporting personnel include the extent of technical skills,
nature and frequency of their training, workload, and the number of personnel dedicated to financial reporting.

Example: Assessing the Adequacy of Staffing Levels for Financial Reporting

The senior management of Tall Tree Finance, an investment bank and institutional securities company, annually
assesses the adequacy of staffing levels of its key financial reporting function to understand and manage
effectively the company's current business activities, related accounting questions, and IT implementation
challenges. The audit committee oversees this assessment.

In particular, the assessment considers how adequately personnel respond to emerging accounting, reporting,
and internal control issues. Senior management uses the results of this assessment to make decisions on staff
training, reassignments, or other organizational changes.

Example: Aligning Competencies with Key Financial Reporting Positions

The start-up company of Wireless Data Communications has seen its revenue double over the last several
years, and business transactions and processing have become significantly more complex. Because of these
evolving corporate needs due to the rapid growth, it is essential for employee competencies in key financial
reporting positions to be aligned with increased levels of complexity.

Consequently, the CEO, CFO, and vice-president of human resources together annually review employee job
descriptions, workload, and performance assessments. During a recent review, they determined that the
company's controller, hired initially to perform basic accounting and bookkeeping functions, no longer had the
expertise needed for the associated financial reporting responsibilities. The company has now assigned the
controller to a position better suited to his skills, and hired an individual with the requisite competencies as
controller.

Approach: Developing Alternate Candidates for Key Financial Reporting Roles

The board of directors identifies the essential roles for the functioning of the business, including the CEO and the
CFO, deemed most important to the achievement of the entity's financial reporting objectives. For each of those
roles, management defines succession plans to ease any future transition and to mitigate the risk of not meeting
financial reporting objectives. The board of directors oversees this process to ensure that management has
properly assessed and managed the risks associated with succession planning.

Example: Addressing Succession Planning

North-to-South Healthcare has an aging workforce and realizes it needs a succession plan. Over the past year it
developed a "talent management strategy," which formalizes a succession planning framework and a process
and leadership development program. The succession plan identifies those positions and external parties that
are critical to the organization.

North-to-South has assessed current personnel to determine potential candidates for those critical positions in
the future. The company has developed customized competency models for each of the critical positions and
assessed the competencies of current staff as possible future candidates. For each of the identified candidates,
an individual development plan and a leadership program have been established. These include experiential
learning programs and executive mentoring programs.

For outsourced service providers or business partners critical to the performance of external financial reporting
(such as information technology, payroll, accounts payable processing), North-to-South has defined contingency
plans to allow for alternative arrangements in the event that such external parties become unavailable. The
management member responsible for the relationship is also responsible for maintaining and executing the
contingency plan, as necessary.

The talent management strategy has allowed North-to-South to confidently plan for the future.

Enforces Accountability

Principle 5. The organization holds individuals accountable for their internal control responsibilities in the pursuit
of objectives.

Points of Focus

The following points of focus highlight important characteristics relating to this principle:

 Enforces Accountability through Structures, Authorities, and Responsibilities — Management and the
board of directors establish the mechanisms to communicate and hold individuals accountable for performance
of internal control responsibilities across the organization and implement corrective action as necessary.
 Establishes Performance Measures, Incentives, and Rewards — Management and the board of directors
establish performance measures, incentives, and other rewards appropriate for responsibilities at all levels of
the entity, reflecting appropriate dimensions of performance and expected standards of conduct, and
considering the achievement of both short-term and longer-term objectives.
 Evaluates Performance Measures, Incentives, and Rewards for Ongoing Relevance — Management and
the board of directors align incentives and rewards with the fulfillment of internal control responsibilities in the
achievement of objectives.
 Considers Excessive Pressures — Management and the board of directors evaluate and adjust pressures
associated with the achievement of objectives as they assign responsibilities, develop performance measures,
and evaluate performance.
 Evaluates Performance and Rewards or Disciplines Individuals — Management and the board of directors
evaluate performance of internal control responsibilities, including adherence to standards of conduct and
expected levels of competence, and provide rewards or exercise disciplinary action as appropriate.

Approaches: Defining and Confirming Responsibilities

Management develops descriptions of various roles to reinforce its responsibility for effective internal control
over external financial reporting. In pursuit of the entity's objectives, the board of directors and senior
management maintain a philosophy and operating style that demonstrate a strong commitment to ethics,
integrity, and competence.

Periodically, the CEO and CFO, as the parties ultimately responsible for internal control, request individuals
within the entity to confirm accountability and represent that they have fulfilled their internal control
responsibilities during any given period of time, highlighting any exceptions.

Example: Cascading Responsibilities throughout the Organization and Certifying Results

Auto Services is a publicly traded multinational automotive manufacturing, leasing, and sales organization that
administers an annual goal-setting and performance evaluation process to help its employees be aware of the
risks inherent in their day-to-day business decisions.

Representing its products adequately to its customers, saying no to bribes and other illicit practices, and
delivering timely products or services in accordance with quality standards are the explicit expectations of the
company and of each one of its representatives. Management communicates and reinforces these messages
continually and holds its people accountable to these measures in their day-to-day decisions and overall risk and
performance results, which it tracks proactively through client satisfaction dashboard reports and reactively
through incident reporting. The company requires its employees to sign off on the goals mutually agreed to with
management at the beginning of the year, recognizing that these may be revisited during the year as necessary
to respond to changes in the business, and on their achieved performance at year-end.

Goals are defined, performance is evaluated, and employees are held accountable within the local
organizational structure and within their functional reporting structure.

The chief financial officer further requires each of his finance managers to certify to him the absence of any
instances of fraud, the effectiveness of the internal control over external financial reporting, and the reliability of
the financial results produced.

Approach: Developing Balanced Performance Measures, Incentives, and Rewards

Senior management defines performance measures, incentives, and rewards that are:

 Aligned with the entity's ethical values
 Developed at all levels of the entity that management deems necessary to support and ensure accountability
toward meeting both the entity's short-term and longer-term objectives
 Balanced to include both financial and non-financial measures
 Incorporated into the entity's hiring, evaluation, and promotion structures

Senior management subsequently reports to the board what factors were considered in developing the
performance measures, incentives, and rewards and how they are expected to drive the desired behavior.

Example: Defining and Communicating the Basis for Reward

Modern Financial Services has implemented a rewards system that requires the achievement of defined
performance measures and encourages departments to monitor the effectiveness of their internal control
systems and to self-report possible control deficiencies or opportunities for enhancement. This encouragement
comes in the form of a policy that gives departments credit in the internal audit grading system for self-reported
deficiencies. Any deficiencies that are identified through internal audit procedures, rather than through a
department's monitoring efforts, are counted against the score.

The credit does not preclude the internal audit department from reporting specific deficiencies to management or
the board when warranted, but it does positively affect the grading system, which can affect departmental
compensation and benefits. The result is that Modern Financial Services is more likely to identify control
deficiencies before they can become material to the organization.

Approach: Evaluating Performance Measures for Intended Influence

The board of directors and management periodically evaluate the appropriateness of performance measures
used to determine whether they have the intended influence on how people respond to pressures, incentives,
and rewards. This evaluation may include:

 Reassessing the relevance of performance measures considering industry trends, regulatory changes, or
changes in the entity's objectives
 Considering past financial errors, ethical violations, and instances of non-compliance and whether the
established measures could have caused excessive pressures to override controls
 Engaging external parties to conduct benchmarking and to interview employees
 Monitoring the changing sources of threats that cause pressure to bypass established controls or take shortcuts
 Considering whether the selection of accounting policies has been unduly influenced by the established
performance measures
 Using the assessment to make changes in performance measures and associated hiring, evaluation, and
promotion structures

The board of directors oversees the periodic assessment to ensure it has been completed, and may
subsequently approve compensation plans. The board also provides oversight to ensure that the performance
measures and compensation plans established for senior management are appropriately aligned with the entity's
strategic objectives and balanced to promote the desired accountability without causing excessive pressure that
could lead to fraudulent financial reporting.

Example: Establishing and Overseeing Performance Measures, Incentives, and Rewards

The board of directors of A-Z Corp. has established a human resources compensation committee, which meets
to establish compensation for the executive officers. It has been granted substantial discretion to determine all
other bonuses under approved incentive plans.

The compensation committee routinely reviews the performance goals and awards for ongoing relevance and to
determine whether they create unnecessary pressures or unintended consequences. It continually focuses on
identifying those short-term sales objectives that may cause management to take undue risk, cut corners, or
commit fraud that could harm the company's sustainable growth objectives.

Based on these reviews, goals and awards are modified as necessary, and changes are approved by the board
of directors annually. The performance goals and awards consist of the following and are subject to audit:

 Earnings per share
 Audit scores
 Customer care
 Efficiency ratio
 Stock price (peer group comparison)

In addition, individual employee performance goals are determined annually in discussion between the
employee and the manager. They are then submitted to the human resources department for review, and to the
compensation committee for approval.

Any incentive compensation that is approved and ratified by the board is distributed to individuals annually.

Approach: Linking Compensation and Other Rewards to Performance

Management designs objective employee evaluation and compensation systems that periodically provide
individual rewards, or disciplinary actions, as necessary. Decisions about both rewards and disciplinary actions
are based on established objectives, including the individual's adherence to the standards of conduct and
performance toward the entity objectives regarding internal control over external financial reporting.

Example: Aligning Incentives with Ethics and Values

Timber Co., a forest products company, structures its bonus plan so that 30% of the potential incentive award
is directly related to the demonstration of the company's core values. Specific comments on how management
does or does not reflect those values are captured through employee feedback.

During the employee performance review and appraisal process, management provides feedback about the
extent to which each employee has performed in accordance with the company's core values of sound integrity
and ethics.

Example: Providing Recognition for Suggestions Made to Enhance Internal Control

Medic Quest, a private company that researches, develops, produces, and markets medical scanning
equipment, encourages its employees to identify and submit suggestions for improving internal control, including
internal control over financial reporting. Employees are rewarded in the form of company awards and/or cash
bonuses for ideas that are used.


Footnotes

7 The term "organization" is used to collectively capture the board of directors, management, and other
entity personnel as reflected in the definition of internal control.

8 In practice, many of the activities of the board of directors included here would be carried out by one of
its committees, such as the audit committee.

9 Standard setters, regulators, or listing agencies may have specific requirements for director
independence, qualifications, and the makeup of the audit committee, which will vary by
jurisdiction/country.

10 This example is continued in Chapter 6, Monitoring Activities, to illustrate how monitoring activities may
assess whether controls to effect principles in the control environment are deployed as intended (see
page 147).

3. Risk Assessment

Chapter Summary

Every entity faces a variety of risks from both external and internal sources. Risk is defined as the possibility that
an event will occur and adversely affect the achievement of objectives. Risk assessment involves a dynamic and
iterative process for identifying and assessing risks to the achievement of objectives. Risks to the achievement
of these objectives from across the entity are considered relative to established risk tolerances. Thus, risk
assessment forms the basis for determining how risks will be managed. A precondition to risk assessment is the
establishment of objectives, linked at different levels of the entity. Management specifies objectives within
categories relating to operations, reporting, and compliance with sufficient clarity to be able to identify and
analyze risks to those objectives. Management also considers the suitability of the objectives for the entity. Risk
assessment also requires management to consider the impact of possible changes in the external environment
and within its own business model that may render internal control ineffective.

Principles relating to the Risk Assessment component

6. The organization specifies objectives with sufficient clarity to enable the identification and assessment of risks
relating to objectives.

7. The organization identifies risks to the achievement of its objectives across the entity and analyzes risks as a
basis for determining how the risks should be managed.

8. The organization considers the potential for fraud in assessing risks to the achievement of objectives.

9. The organization identifies and assesses changes that could significantly impact the system of internal
control.

Principles and Approaches

6. The organization specifies objectives with sufficient clarity to enable the identification and assessment of
risks relating to objectives.
 Identifying Financial Statement Accounts, Disclosures, and Assertions
 Specifying Financial Reporting Objectives
 Assessing Materiality
 Reviewing and Updating Understanding of Applicable Standards
 Considering the Range of Entity Activities

7. The organization identifies risks to the achievement of its objectives across the entity and analyzes risks as
a basis for determining how the risks should be managed.
 Applying a Risk Identification Process
 Assessing Risks to Significant Financial Statement Accounts
 Meeting with Entity Personnel
 Assessing the Likelihood and Significance of Identified Risks
 Considering Internal and External Factors
 Evaluating Risk Responses

8. The organization considers the potential for fraud in assessing risks to the achievement of objectives.
 Conducting Fraud Risk Assessments
 Considering Approaches to Circumvent or Override Controls
 Considering Fraud Risk in the Internal Audit Plan
 Reviewing Incentives and Pressures Related to Compensation Programs

9. The organization identifies and assesses changes that could significantly impact the system of internal
control.
 Assessing Change in the External Environment
 Conducting Risk Assessments Relating to Significant Change
 Considering Change through Succession
 Considering CEO and Senior Executive Changes

Specifies Relevant Objectives

Principle 6. The organization specifies objectives with sufficient clarity to enable the identification and
assessment of risks relating to objectives.

Points of Focus

The following points of focus highlight important characteristics relating to this principle:

 Complies with Applicable Accounting Standards — Financial reporting objectives are consistent with
accounting principles suitable and available for that entity. The accounting principles selected are appropriate in
the circumstances.
 Considers Materiality — Management considers materiality in financial statement presentation.
 Reflects Entity Activities — External reporting reflects the underlying transactions and events to show
qualitative characteristics and assertions.

Approaches and Examples for Applying the Principle

Approach: Identifying Financial Statement Accounts, Disclosures, and Assertions

Management specifies objectives relating to the preparation of financial statements, including disclosures, and
identifies significant financial statement accounts based on the risk of material omission and misstatement
(which includes consideration of materiality). Management identifies for each account and disclosure relevant
assertions, underlying transactions and events, and processes supporting these financial statement accounts.
The entity uses financial statement assertions relevant to its financial statement accounts and disclosures.

Example: Linking Accounts, Assertions, and Risks

As part of its risk assessment, the management of A-Middle Equipment, a 900-person manufacturer of heavy-
duty transmission equipment, uses the following financial reporting assertions:

 Existence
 Completeness
 Rights and obligations
 Valuation or allocation
 Presentation and disclosure

A-Middle's management considers the level of materiality when reviewing the company's activities and interim
reports and determining whether all significant risks and accounts have been captured. This information is used
as a guideline in focusing on detailed risks within each financial statement line item and disclosure. Further,
management also considers non-financial disclosures reported in the company's 10-K. This approach is
illustrated on the following page.

Approach: Specifying Financial Reporting Objectives

Management specifies a high-level financial reporting objective that forms the basis for all other sub-objectives.
In specifying objectives, management has documented objectives that are specific, measurable, attainable,
relevant, and time-bound (SMART). Management, as part of internal control, assesses whether the objectives
are consistent with accounting principles that are relevant for that entity and appropriate in the circumstances.

Example: Specifying Objectives

Management and the board of directors of H2O To Go, a bottled water company, set as the entity's broad
external financial reporting objective to prepare reliable financial statements in accordance with US Generally
Accepted Accounting Principles (GAAP). Management subsequently specified the suitable financial reporting
objectives and sub-objectives for all significant accounts and activities of H2O To Go's worldwide business,
including sales, purchasing, and treasury. These objectives and sub-objectives include accounting policies,
financial statement assertions, and qualitative characteristics relating to its accounts and activities. For instance,
management has specified objectives relating to:
 Sales existence and completeness financial statement assertions for all sales transactions recorded during the
period (footnote 11)
 Purchasing completeness and accuracy of financial statement assertions for all purchasing transactions
recorded during the period
 Treasury valuation and allocation financial statement assertions for all investments held and recorded as of
period end

Annually, finance management reviews these objectives and sub-objectives for ongoing relevance and suitability
with respect to the company's accounts and activities. Where changes are expected to occur — for instance, the
adoption of a newly published accounting standard or guidance or new commercial event or trend — appropriate
management communicates the need to reconsider these objectives to those responsible for the objective-
setting process.

Example: Assessing the Suitability of Specified Objectives

The management of Valley Services, a supplier of high-end home theatre systems, set as the entity's broad
financial reporting objective to prepare reliable financial statements in accordance with International Financial
Reporting Standards (IFRS). This objective was cascaded into various areas of Valley Services business,
including sales.

Within the sales process, management accepts deposits from one frequent customer, Hall Electronics, which
relate to the purchase of several home theater systems. Valley Services sets aside the theater systems in its
inventory until Hall Electronics requests delivery, usually within thirty days. Valley Services must either refund
the cash to Hall Electronics or provide a replacement home theater system if a system is damaged or lost prior to
delivery.

Management had previously established a policy where revenue was recognized upon payment for goods,
regardless of whether the goods were delivered. In assessing the suitability of the objectives specified for
financial reporting, the controller, Alex Robertson, determined that this policy may not be in accordance with
IFRS. Consequently, he requested senior management to review this policy in conjunction with the
objective-setting process. In addition, he advised the internal audit group, which then monitored the resolution of
this matter.

Approach: Assessing Materiality

Management assesses materiality of significant accounts, considering both quantitative and qualitative factors.
In conducting this assessment, management may consider factors such as:

 Who uses the financial statements (i.e., creditors, stockholders, suppliers, employees, customers, regulators)
 Size of financial statement elements (i.e., current assets, current liabilities, total assets, total revenues, net
income) and financial statement measures (i.e., financial position, financial performance, and cash flows)
 Uniqueness of the transaction(s)
 Difficulty in valuing the balance or specific transactions
 Trends (i.e., earnings, revenues, cash flows)

Example: Assessing Materiality for a Private Company Financial Statement

The management of Bottomer Holdings, a private owner and renter of residential apartments, recently installed
coin-operated laundry facilities in several of its buildings. A contractor installed and maintains the machines and
will be paid a monthly amount plus a percentage of revenue earned through laundry services.

Looking at this new source of potential revenue relative to the income statement, Bottomer Holdings considered
the effect on its total revenues and net income and has now concluded that the laundry revenue is expected to
generate $150,000 to $200,000 of revenue per year.

Management has considered the overall materiality of this account against its quantitative materiality threshold of $500,000.
Management also considered other qualitative factors and determined that this new source of income would:

 Not change a loss into income — the company has been profitable over the past five years.
 Not impact compliance with loan covenants and other contractual agreements — none of the mortgages on the
buildings would require changes in loan repayment rates based on higher income levels.
 Not impact management's compensation, including on-site property management staff — the additional income
would have an insignificant impact on the management bonus plan.

Based on the assessment, management has concluded that the new source of income is not material to the
overall financial statement presentation. Accordingly, in specifying its external reporting objectives, management
has incorporated this new source of revenue into its overall revenue objectives as determined by Generally
Accepted Accounting Principles but has not set out new, unique objectives for laundry-related revenue.

Approach: Reviewing and Updating Understanding of Applicable Standards

Management reviews publications from professional bodies for updates in accounting pronouncements relevant
to the business. Periodically, management presents to the audit committee an analysis of changes released or
emerging issues that may significantly impact financial reporting and notes any significant differences from
accounting policies of similar entities. For entities that have multiple reporting obligations, such as statutory
reporting in international locations, management assesses the requirements relative to the respective divisions
or operating units.

Example: Reviewing Financial Accounting Policies

Celia Mendez is the controller of a $100 million biotechnology company. She reviews its accounting principles by
considering:

• Policies selected that are acceptable according to the applicable standards (US GAAP)
• Situations where multiple acceptable alternatives are available and the rationale for selecting one policy over
another
• Differences in its accounting policies from those of its peers

Management discusses significant accounting policies with the audit committee on an annual basis.

Example: Reviewing and Updating Understanding of Applicable Standards

The management of Middle Ocean Inc., an $800 million industrial products company, regularly reviews the
publications from professional bodies for updates in accounting pronouncements relevant to its business. The
controller, Sandy Wong, and the CFO, Fred Jazbowski, also subscribe to and review periodic email updates on
standards that may be of interest. Each quarter Ms. Wong presents to the company's audit and disclosure
committees, which consist of key management members, her analysis of any changes that will immediately
impact financial reporting, and any emerging issues that may impact financial reporting in the future. As part of
her standard procedures and before any change is implemented, Ms. Wong also communicates to these two
committees what impact any updated or new standard will have on the company's financial statements, systems,
and processes.

Example: Reviewing and Updating Statutory Reporting Requirements

Fred DeQuincy is the local controller of an international subsidiary of a multi-billion-dollar consumer products
company. In his annual reviews of the accounting principles used for statutory reporting, Mr. DeQuincy considers
the following:

• Consistency with the company's consolidated accounting standards
• Required differences as a result of the adherence to different standards
• Where differences are required, the alternatives that are available and the rationale for selecting one policy over
another
• Where differences are required, identifying the policies selected by other companies within an identified peer
group

Once he has completed his review, Mr. DeQuincy communicates the differences and the rationale for selection
to the corporate controller.

Approach: Considering the Range of Entity Activities

Management, with the oversight of the audit committee, considers the range of the entity's activities to assess
whether all material activities are appropriately captured in the financial statements. Management considers
whether the presentation and disclosure of the financial statements enable the intended users to understand
these material transactions and events.

Example: Considering the Range of Assessment Activities

Build Free Co. produces large-building products. The management of Build Free reviews its financial statements
on a quarterly basis. The purpose is twofold:

• To ensure all significant activities are included
• To analyze its various business units for new and discontinued product developments and changes in the
company's markets, ensuring that they are conveyed appropriately in the financial statements

In addition, the audit committee discusses with management how any significant activities that it is aware of will
be included in the financial statements.

Principle 7. The organization identifies risks to the achievement of its objectives across the entity and analyzes
risks as a basis for determining how the risks should be managed.

Points of Focus

The following points of focus highlight important characteristics relating to this principle:

• Includes Entity, Subsidiary, Division, Operating Unit, and Functional Levels—The organization identifies
and assesses risks at the entity, subsidiary, division, operating unit, and functional levels relevant to the
achievement of objectives.
• Analyzes Internal and External Factors—Risk identification considers both internal and external factors and
their impact on the achievement of objectives.
• Involves Appropriate Levels of Management—The organization puts into place effective risk assessment
mechanisms that involve appropriate levels of management.
• Estimates Significance of Risks Identified—Identified risks are analyzed through a process that includes
estimating the potential significance of the risk.
• Determines How to Respond to Risks—Risk assessment includes considering how the risk should be
managed and whether to accept, avoid, reduce, or share the risk.

Approaches and Examples for Applying the Principle

Approach: Applying a Risk Identification Process

Management includes a risk identification process that identifies risks of material omission and misstatement
and the likelihood of occurrence of the risks to relevant financial statement assertions for each significant
account and disclosure. In preparing this analysis, management considers the business processes and business
units supporting financial statement accounts and disclosures. The process of identifying the supporting
business units includes discussions with each business unit or process leader. It also includes identifying the
information technology systems that support those business processes that are relevant to the external financial
reporting objectives.

Example: Analyzing Risk across Functions

Lionel Tetrault is the CFO of Shark Tank Co., a firearms manufacturer. He convenes a working session of the
department heads of marketing, production, information technology, human resources, and administration to
perform a risk analysis by functional department. Risks are rated from 1 (least risk) to 5 (most risk) based on
potential impact on financial reporting and likelihood of occurrence. After the discussion sessions, the
participants document the results in a table that outlines each specific risk together with the rating and factors
contributing to the rating.

For example, the risk of material omission and misstatement due to revenue recognition was rated as 4
(medium-high). Contributing to this assessment was consideration of the likelihood and impact of the
organization failing to:

• Transfer ownership on specific sales in accordance with revenue recognition accounting standards for goods
sold on consignment
• Account for complex sales promotions and discounts completely and accurately
• Update IT systems to account for complex revenue transactions that could lead to inappropriate recognition of
revenue

Approach: Assessing Risks to Significant Financial Statement Accounts

Management identifies risks to the achievement of financial reporting objectives by considering risk factors
related to each significant financial statement account and the associated financial statement assertions. The
process of identifying and analyzing risk considers both quantitative and qualitative factors, including the
following:

• Impact on Financial Statement Accounts—The potential impact on financial reporting objectives is measured
quantitatively. Each account is assessed in relation to its respective category, such as total assets or revenues.
Management also qualitatively assesses the potential for certain accounts to be understated. Considering the
quantitative and qualitative characteristics, management categorizes accounts as high, medium, and low, based
on their impact on the financial statements. Where risks vary by sub-account, management considers risk at that
level.
• Account Characteristics—Management considers internal factors such as volume of transactions through an
account, judgment required, and complexity of accounting principles. Management also considers external
factors such as economic, competitive, and industry conditions; the regulatory and political environment; any
new regulations affecting the account; and changes in technology, supply sources, customer demands, or
creditor requirements.
• Business Process Characteristics—Management identifies business processes that generate transactions in
each of the financial statement accounts, considering factors such as complexity of the process, centralization
versus decentralization, IT systems supporting the process, changes made or new processes added, and
interaction with external parties such as vendors, creditors, shareholders, or customers.
• Fraud Risk—For susceptible accounts, management assesses the risk of misstatements due to fraud.12
• Entity-Wide Factors—Management considers internal entity-wide factors such as the nature of the company's
activities, employees' access to assets, number and quality of personnel and levels of training provided,
changes in information systems, and organizational changes (e.g., changes in senior personnel or
responsibilities). These factors are considered in relation to their effect on account characteristics, business
process characteristics, and fraud risk.

Example: Assessing Risks to Significant Financial Statement Accounts

The management of Bachmann Tools, a hand tool importer, manufacturer, and distributor, identifies risks to the
achievement of financial reporting objectives by considering risk factors related to each significant financial
statement account and disclosure item. The criteria used for assessing risk are similar to those shown above in
Approach: Assessing Risks to Significant Financial Statement Accounts. Management also links each account
balance to financial statement assertions.

The resulting risk assessment is illustrated below. (Note: Additional detail underlying the risk assessment would
typically be present supporting this analysis. For purposes of this example the summary of the assessment is
provided.)

Risk Identification and Analysis by Account and Disclosure (table not reproduced in this export)
Example: Using Risk Ratings

The management of Sure Health Care has developed a rating system to show general measures and trends of
relevant risks. It now uses the ratings to determine which processes require more in-depth attention. The
relevance of the financial reporting assertions for the related accounts is also considered. Management reviews
the identified risks and provides a rating based on the inherent and residual risks to the entity; it updates these
ratings periodically.

The information technology managers of Sure Health Care meet with finance personnel every month to discuss
processes, changes, and projects in each functional area relating to financial reporting. The meetings are used to
update team members and discuss issues or changes to the processes. Additionally, management meets with
outside legal counsel every quarter to discuss the effects of any external regulatory changes that may impact
financial reporting.

The ratings are as follows:

• High—Critical processes that require in-depth documentation, including a matrix to describe identified risks and
controls that mitigate these risks. Process maps and narratives are also developed to describe the flow of
transactions and to identify control points. Controls are identified as preventive or detective, and manual
or computer-based. Policies and procedures that guide employees in applying control activities are identified.
• Medium—Processes for which management prepares process documentation that includes a matrix to
describe identified risks and controls that mitigate the risks. Process maps and narratives are developed where
applicable at a high level. Policies and procedures are identified and documented, but in less formal, summary
form.
• Low—Processes that require minimal process documentation, which identify policies and procedures and
applicable controls.

Approach: Meeting with Entity Personnel

Key finance personnel meet regularly with:

• Executive management to identify initiatives, commitments, and activities affecting risks to financial reporting
• Information technology personnel to monitor changes in information technology that may affect risks related to
financial reporting
• Human resources staff to identify and assess how changes in personnel and movement in positions may affect
competencies needed for internal control over external financial reporting
• Legal counsel to stay abreast of legal and regulatory changes
• Other members of the entity as areas of focus are identified by executive management

Example: Analyzing Risk for Information Technology

McFayden Inc. is a spirits distillation and distribution company with a dedicated information technology
department. Risk assessment is driven by the number and complexity of applications that support the financial
reporting process. This approach helps the company establish which information systems management relies
on for financial reporting. Prior to implementing new systems, and whenever significant changes to existing
systems are planned, McFayden Inc. takes the following steps:

• IT personnel meet with the business process owners to consider IT process-related risks. At these meetings, IT
personnel learn how application data is used in the financial reporting process, identify risks of inaccurate or
incomplete processing, and consider existing general computer controls in determining whether computer
application controls or related user controls need to be enhanced.
• Relevant IT staff, along with business process owners, map the related applications to the operating systems,
databases, and supporting IT processes, and consider inherent risks and what improvements are needed.
• IT personnel with relevant experience review opportunities to automate manual controls to improve efficiency.
• IT discusses activities with finance personnel.

Approach: Assessing the Likelihood and Significance of Identified Risks

Management analyzes the significance of identified risks based on the likelihood of the risk occurring and the
inherent risk of a material omission and misstatement to the entity's external financial reporting objectives.
Based on the outcomes of the analysis, management determines how to manage the risks to a tolerable level.

Example: Identifying and Responding to Risk

A social service organization with significant amounts of federal funding and operations in several foreign
countries prepares an annual risk assessment of its financial reporting processes in each country. Risk factors
considered include the following:

• Size of program and growth/downsizing
• Nature of funding in the country and types of program (federal or local)
• Nature of transactions
• Quality and timeliness of reporting (program and accounting)
• Quality of management and turnover (finance and program)
• Results of prior year's internal, external, and statutory audits
• Perception of country's political, social, and economic environment
• Oversight provided by funding sources in the countries

The risk assessment is prepared by the CFO, Gerald Timewell, and the COO, Inga Karran, with input from many
others within the organization. The resulting assessment, for financial reporting purposes, considers the above
risk factors in determining the significance of risks of material omission and misstatement related to the financial
reporting assertions. For instance, management increased the assessed risk relating to existence of federal
funding revenue from moderate to high after considering that there is:

• Uncertainty over the ongoing viability of funding programs in some foreign countries
• Irregular timing of funding payments in some foreign countries
• Weaknesses noted in a recent internal audit review

Based on this risk assessment, Mr. Timewell and Ms. Karran develop preliminary positions on the risk response.
These determinations are key inputs into determining required control activities.

Example: Using Benchmark Data to Assess Significance and Response to Risk

A pet food retailer, Best Bits, uses benchmarking techniques to assess losses in physical inventory from theft.
The "shrink percentage" calculated is defined as the value of lost physical inventory divided by net sales. The
amount of physical loss is determined through a physical inventory count process.

The company is currently examining ways to enhance its risk response decisions to reduce the significance of
the risk by altering either likelihood or impact. Given the company's current level of losses (1.6%), accepting the
risk would not be acceptable, and management elects to implement control activities that reduce the likelihood of
losses and can detect losses sooner.

Best Bits management also notes the level of losses other companies incur due to shrinkage. The figure below
shows the shrinkage for several other similar companies within a benchmark group. Best Bits' losses are noted
underneath for comparison.

Using the data provided in this analysis, management believes that a loss rate target of 1.3% is suitable for the
company (e.g., top of quartile 2) and additional control activities are developed within the receiving and shipping
process (as part of the Control Activities component). Further, management accelerates the frequency of
physical inventory counts to quarterly to improve the accuracy of financial reporting.

Approach: Considering Internal and External Factors

Management considers external factors that may impact the ability to achieve financial reporting objectives, such
as:

• Economic changes
• Natural or human-caused catastrophes or environmental changes
• New standards
• Changes to laws and regulations
• Changing customer demands
• Technological developments

Management considers internal factors that may impact the entity's ability to achieve its financial reporting
objectives, such as:

• Use of capital resource determinations
• Change in management responsibilities
• Personnel hiring and training considerations
• Employee accessibility to assets
• Internal information technology changes

Where these factors are noted, management also considers—in conjunction with the Information and
Communication principles—whether some form of internal and/or external communication is needed.

Example: Analyzing Risks from External Factors

As CEO of global technology company World Find, Derek Burtnyk makes time for a quarterly discussion on
emerging financial accounting standards with each of the company's regional controllers. These discussions
focus on potential and announced changes occurring within each jurisdiction, and whether these would require
changes to the company's technology systems.

Based on the insights gathered from those discussions, Mr. Burtnyk provides feedback to the various
department leaders of World Find. In turn, the department heads use this information to identify additional
information requirements and potential technology changes.

In one instance, World Find determined that the accounting requirements for a new value-added tax in one
jurisdiction could impact operations in that jurisdiction as well as two other jurisdictions that interact with it.
Based on this assessment, management commenced a project to further refine the assessment of the risks
related to the accounting of the new commodity tax, which then served as a basis for how to respond to those
specific risks.

Example: Considering Changes in Information Systems

Paula Wing is the CEO of a specialty resin company with operations in nine countries. She continually reviews
risks to the company by leading monthly staff meetings at which she asks senior managers to comment on any
new risks identified, including those related to changes in systems, personnel processes, or activities. Ms. Wing
discusses any insights she has on risks facing the company, including those that impact financial reporting. As a
team, Ms. Wing and the senior managers develop the needed risk responses.

Approach: Evaluating Risk Responses

Management considers a variety of risk responses—avoid, accept, reduce, share—when evaluating whether
risks are reduced to an acceptable level. In this process, management may consider unique risks related to
financial reporting or a combination of risks. Management may also consider how risk responses impacting the
five components of internal control interact to reduce risk to an acceptable level.

Example: Considering Risk Response in a Revenue Process

Bailey Campbell, the controller for Center Bay Packaging, assesses the risk relating to completeness of
revenue. The company has grown over the past five years and now has annual revenues in excess of $50
million. Currently, Center Bay relies on a paper-based bill-of-lading system. Delivery is deemed to have occurred
when the bill of lading is signed by the customer as evidence that the goods have been received.

Ms. Campbell has noted instances in the past year where shipping documentation was not provided to the
finance department in a timely manner, sometimes as late as two weeks after the shipment was completed.
These delays have resulted in misstatement of revenue. Ms. Campbell has determined that the risk related to
revenue completeness needs to be further reduced, and so she has decided to implement a bar-code scanner
shipping system to track and capture shipments and revenue.

Assesses Fraud Risk

Principle 8. The organization considers the potential for fraud in assessing risks to the achievement of
objectives.

Points of Focus

The following points of focus highlight important characteristics relating to this principle:

• Considers Various Types of Fraud—The assessment of fraud risk considers fraudulent reporting, possible
loss of assets, and corruption resulting from the various ways that fraud and misconduct can occur.
• Assesses Incentives and Pressures—The assessment of fraud risk considers incentives and pressures.
• Assesses Opportunities—The assessment of fraud risk considers opportunities for unauthorized acquisition,
use, or disposal of assets, altering of the entity's reporting records, or committing other inappropriate acts.
• Assesses Attitudes and Rationalizations—The assessment of fraud risk considers how management and
other personnel might engage in or justify inappropriate actions.

Approaches and Examples for Applying the Principle

Approach: Conducting Fraud Risk Assessments

Management conducts a comprehensive fraud risk assessment to identify the various ways that fraud and
misconduct can occur, considering:

• The degree of estimates and judgments in external financial reporting
• Methodology for recording and calculating certain accounts (e.g., inventory)
• Fraud schemes and scenarios that are common to the industry sectors and markets in which the entity operates
• Geographic regions where the entity does business
• Incentives that may motivate fraudulent behavior
• Nature of automation
• Unusual or complex transactions subject to significant management influence
• Last-minute transactions
• Vulnerability to management override and potential schemes to circumvent existing control activities

From these considerations, management makes an informed assessment of specific areas where fraud might
exist and the likelihood of their occurrence and potential impact.

Example: Assessing Fraud Risk

David Kates, the chief compliance officer at a global retail operation, annually conducts a fraud risk assessment.
In doing so, he interviews management at all the international locations about fraud issues. He analyzes:

• Historical fraud activities, including theft of inventory and the processes in place to identify and record such theft
• The methodology used for recording and calculating inventory and shrinkage
• Whistle-blower reports
• The number of manual entries versus automated entries recorded
• The number of late entries due to subjective estimates

With this information, Mr. Kates forms a preliminary view of the potential fraud activities, which he discusses with
management of each jurisdiction in order to consider implications and what control activities can reduce the risk
of fraud. He also has discussions with human resources personnel and reviews information in the staff files. He
uses his historical knowledge and staff information to assess the attitude of the local management toward the
tolerance of fraud and to determine whether local management may rationalize fraudulent activities, including
corruption.

After completing his fraud risk assessment, Mr. Kates submits a report to the audit committee for its
consideration in management oversight.

Approach: Considering Approaches to Circumvent or Override Controls

In identifying and evaluating the presence of entity-wide controls that address fraud, management considers how
individuals might circumvent or override controls intended to prevent or detect fraud. Entity personnel, including
management, may intentionally override in a number of ways, which may include:

• Recording fictitious business events or transactions
• Changing the timing of recognition of legitimate transactions (particularly those recorded close to the end of an
accounting period)
• Establishing or reversing reserves to manipulate results
• Altering records and terms related to significant or unusual transactions

Example: Maintaining Oversight

The audit committee of Marker's Medical Supply Company takes the issue of management override of controls
very seriously. Consequently, every quarter the committee reviews the fraud risk assessment process. In doing
so, the members of the audit committee:

• Maintain an appropriate level of skepticism
• Discuss management's assessment of fraud risks
• Use the code of conduct to assess financial reporting culture
• Ensure the entity has a robust whistle-blower program
• Develop a broad information and feedback network

In addition, the audit committee asks the chief audit executive about:

• What fraud risks are being monitored by the internal audit team on a periodic or regular basis
• What specific procedures internal audit performs to address management override of internal controls
• Whether anything has occurred that would lead internal audit to change its assessment of the risk of
management override of internal controls

With this information in hand, the audit committee discusses with the full board and senior management any
concerns that need added management focus.

Approach: Considering Fraud Risk in the Internal Audit Plan

The chief audit executive incorporates results of the fraud risk assessment into the internal audit plan. He or she
reviews and confirms that the internal audit plan addresses relevant risks.

Example: Identifying and Analyzing Risk of Material Omission and Misstatement Due to Fraud

Divisional controllers at Maxwell's, a 24,000-employee consumer products company with locations in several
countries, work with business unit leaders to identify and assess potential fraud risks. These risks are prioritized
and categorized into various components, including risks of inventory theft, manipulation of data and bias in the
development of accounting estimates, and other potential means of overriding controls. Internal audit reviews
the resulting fraud risks and provides its point of view. In addition, the company meets with its external auditor to
discuss the fraud risks to determine if there are others that should be under consideration. Business unit
management plans responses and then selects and develops controls to mitigate these fraud risks.15

Approach: Reviewing Incentives and Pressures Related to Compensation Programs

Management considers how personnel may rationalize behavior regarding evaluations, compensation, or
employment. The board and management review the entity's compensation programs and performance
evaluation process to identify potential incentives and pressures for employees to commit fraud. This review
considers how meeting, or not meeting, financial reporting targets potentially impacts an individual's evaluation,
compensation, and continued employment.

Example: Analyzing Compensation Structure

The compensation committee of the board of directors of Schmidt Auto, a global automotive supplier, annually
reviews the executive officer compensation packages with the audit committee, chairperson, and chief auditor.
To determine the incentives to management, the following items are discussed:

• Thresholds for significant changes in compensation
• Mix of total compensation versus incentive compensation
• Structure of compensation compared with industry peers
• Mix of long-term compensation compared with short-term incentives

After these discussions for Schmidt Auto's last fiscal year, the board determined that the CFO's incentive
compensation, 80% of which was based on the current year's net revenue, was too high and focused too much
on the short term. The compensation committee subsequently reduced the incentive compensation, with 40%
derived from current year's net revenue.

Identifies and Analyzes Significant Change

Principle 9. The organization identifies and assesses changes that could significantly impact the system of
internal control.

Points of Focus

The following points of focus highlight important characteristics relating to this principle:

• Assesses Changes in the External Environment—The risk identification process considers changes to the
regulatory, economic, and physical environment in which the entity operates.
• Assesses Changes in the Business Model—The organization considers the potential impacts of new
business lines, dramatically altered compositions of existing business lines, acquired or divested business
operations on the system of internal control, rapid growth, changing reliance on foreign geographies, and new
technologies.
• Assesses Changes in Leadership—The organization considers changes in management and respective
attitudes and philosophies on the system of internal control.

Approaches and Examples for Applying the Principle

Approach: Assessing Change in the External Environment

Management develops approaches for observing changes in the external market and assessing the potential
impact on the entity's operations and financial reporting. This may include reviewing the following:

• Websites and social media
• Website tracking tools
• Newspaper clipping services
• Search engines
• Trade publications and trade shows
• Conferences
• Professional organizations

Example: Reacting to Significant Change Caused by External Factors

Last year, Clear Blue Auto Manufacturing became aware of a hurricane approaching one of its off-shore
operations that had the potential to cause significant supply disruptions. In response, the company immediately
established an internal working team to assess the risks of such a disruption to its manufacturing capabilities,
and the risks of its own affected facilities to its overall manufacturing footprint. All significant suppliers were
contacted and asked to assess the impact the hurricane might have on their production abilities. A detailed list of
parts that might be delayed in production and shipping was created, and then alternative suppliers were
identified. Where no alternative suppliers could be found, management identified a prioritization list of which
manufacturing location should receive the limited number of parts as they became available.

During this process, the accounting and finance departments of Clear Blue Auto determined how plant
shutdowns would affect the financial statements. This included potential penalties contained within various sales
contracts, possible obsolescence of parts required for a particular model year being phased out, and greater
impacts from extended delays in supply of parts. They also evaluated what insurance coverage was available to
mitigate potential losses. These teams were also responsible for identifying incremental risks from required
system and process changes when working with the company's suppliers.

The potential impact of this hurricane was updated and communicated to the company's board of directors later
that day.

Approach: Conducting Risk Assessments Relating to Significant Change

Following a decision to pursue a new business strategy or significantly change the current strategy,
management conducts a detailed risk assessment to consider how the changes might impact the achievement
of all objectives set across the entity.

Example: Updating Risk Assessment for a New CEO

Geoffrey McPherson was recently appointed the CEO of Garner's Heating, a manufacturer of heating and air
conditioning components. One of his first tasks in his new position was to establish a 100-day plan to assess the
overall business and determine where changes were required. To initiate the process, Mr. McPherson called a
meeting with the leaders of all key functional areas to talk about risk.

Over the next 100 days, Mr. McPherson will be holding individual meetings with each functional team to discuss
their current objectives, how those objectives might be changed, and how those changes would impact the
assessment of risks to reliable financial reporting. He expects that some at Garner's Heating will be surprised
with his proposed changes to policies, which have been largely unchanged for several years. This includes the
company's CFO, Ruth Koziak, who is responsible for analyzing the change in strategy and the implications to
financial reporting.

At the end of the 100 days, Mr. McPherson intends to reconvene the larger group to discuss how the company
should change, and the incremental risks (including financial reporting) that may come with the change. It will
then be up to Ms. Koziak and the chief audit executive to consider the implications of the company's new vision
and the effects it will have on the external financial reporting objectives.

Example: Responding to Significant Change from International Exposure

Consecutive Corp., a multi-billion-dollar technology equipment manufacturer that has historically focused on
sales in the United States, has decided to expand internationally with both sales and manufacturing. As part of
the expansion plans, Consecutive has assessed several factors:

 Incremental revenue opportunities
 Competition in the marketplace
 Cultural dynamics of the targeted international location
 Different laws and regulations, including those that would affect the company's ability to defend its patents
 Risk of increased fraud from theft and corruption

Each of these factors presents incremental risks to financial reporting and processes that need to be managed.
Therefore, Consecutive's corporate controller is performing a risk assessment with the finance teams in the
international locations to ensure these new risks are identified and to help management determine how best to
respond.

Example: Responding to Significant Change from an Acquisition

Industrial products giant Wilson & Zachary recently acquired another multi-billion-dollar company. During the due
diligence process, the company performed a risk assessment on the new business and updated its own risk
assessment considering the following items:

 New markets that will be encountered by the combined company (including differing financial reporting
standards)
 The ability to assimilate the financial reporting processes of the acquired company, including the effects on
migrating to a combined information technology system
 The ability to achieve the anticipated synergies from the acquisition and whether these synergies will create
incremental risks to financial reporting

A project team has been formed for the transition to ensure that all risks are appropriately identified across all
business units and functional areas. Any identified risks are passed on for assessment to senior management,
including the company's chief operating officer and chief financial officer.

Approach: Considering Change through Succession

As part of the overall succession process, management reviews planned changes in management and
leadership positions and the attitudes and values portrayed by the incumbents to those positions through
interviews with personnel within the entity.

Example: Planning for Executive Transition

The board of Turnball Insurance annually reviews the transition plans for key executive leadership in the
company. As part of this review, the board discusses with the chief audit executive the perceived attitudes and
values of those individuals who have been identified as successors. Such considerations may include focusing
on attaining profit expectations versus maintaining effective control, including any concerns about the potential
management override of controls.

If the transition for a particular position is expected to occur within the next two years, representatives of the
audit committee interview the candidates to ensure that their views on internal control are consistent with those
expected by the audit committee.

The board considers that feedback attained when making any decisions within the scope of its responsibility.
The audit committee communicates its findings to the CEO and other members of senior management, who
ultimately will make a decision on successors.

Approach: Considering CEO and Senior Executive Changes

The desired qualities relating to attitudes towards risk, risk tolerance, and internal controls are compiled as part
of a comprehensive leadership profile to identify the "ideal" future CEO. This leadership profile is used to
evaluate the potential candidates considered for the position. As part of recruiting for the CEO and other
executive team members, the audit committee asks candidates to articulate their views on the importance of
internal control and how they would balance the need for effective control with other pressures for performance and
cost considerations. When assessing the internal candidates, the audit committee also considers the candidates'
track record on maintaining control and effectively managing the pressure to perform.

Example: Preparing for a Change in CEO

As part of the recent interview process for a new CEO, the board of directors of Mills and Associates, an
industrial products company, asked all candidates their perspectives on risk, risk tolerance, and internal control,
including current areas of emphasis.

The successful candidate, Jenny Acosta, has a strong background and focus on cost management and
streamlining operations. However, she agrees with the audit committee that this streamlining could result in fewer
processes and controls, especially those viewed to be labor intensive, and that such changes could erode the
quality of reporting and increase certain financial reporting risks.

With this in mind, the audit committee has begun to request quarterly updates of controls that have been
removed by management and the potential impact on financial reporting. In addition, this information is
incorporated by the internal audit group into its internal audit planning process.

Footnotes

11 For purposes of this example, not all relevant financial statement assertions have been included.

12 As noted in Principle 8, identifying and analyzing fraud risks are integral parts of the risk assessment
process.

15 This example is continued in Chapter 6, Monitoring Activities, to illustrate how monitoring activities may
assess whether controls to effect principles in the risk assessment are deployed as intended (see page
149).

4. Control Activities

Chapter Summary

Control activities are the actions established through policies and procedures that help ensure that
management's directives to mitigate risks to the achievement of objectives are carried out. Control activities are
performed at all levels of the entity, at various stages within business processes, and over the technology
environment. They may be preventive or detective in nature and may encompass a range of manual and
automated activities such as authorizations and approvals, verifications, reconciliations, and business
performance reviews. Segregation of duties is typically built into the selection and development of control
activities. Where segregation of duties is not practical, management selects and develops alternative control
activities.

Principles relating to the Control Activities component

10. The organization selects and develops control activities that contribute to the mitigation of risks to the
achievement of objectives to acceptable levels.

11. The organization selects and develops general control activities over technology to support the achievement
of objectives.

12. The organization deploys control activities through policies that establish what is expected and in procedures
that put policies into action.

Principles and Approaches

10. The organization selects and develops control activities that contribute to the mitigation of risks to the
achievement of objectives to acceptable levels.
 Using Matrices, Workshops, or an Inventory of Control Activities to Map Identified Risks to Control
Activities
 Implementing or Monitoring Control Activities when Outsourcing to a Third Party
 Considering the Types of Control Activities
 Considering Alternative Control Activities to the Segregation of Duties
 Identifying Incompatible Functions

11. The organization selects and develops general control activities over technology to support the
achievement of objectives.
 Using Risk and Control Matrices to Document Technology Dependencies
 Evaluating End-User Computing
 Implementing or Monitoring Control Activities when Outsourcing IT Functions to a Third Party
 Configuring the IT Infrastructure to Support Restricted Access and Segregation of Duties
 Configuring IT to Support the Complete, Accurate, and Valid Processing of Transactions and Data
 Administering Security and Access
 Applying a System Development Life Cycle over Packaged Software
 Applying a System Development Life Cycle over Software Developed In-House

12. The organization deploys control activities through policies that establish what is expected and in
procedures that put policies into action.
 Developing and Documenting Policies and Procedures
 Deploying Control Activities through Business Unit or Functional Leaders
 Conducting Regular and Ad Hoc Assessments of Control Activities

Selects and Develops Control Activities

Principle 10. The organization selects and develops control activities that contribute to the mitigation of risks to
the achievement of objectives to acceptable levels.

Points of Focus

The following points of focus highlight important characteristics relating to this principle.

 Integrates with Risk Assessment—Control activities help ensure that risk responses that address and mitigate
risks are carried out.
 Considers Entity-Specific Factors—Management considers how the environment, complexity, nature, and
scope of its operations, as well as the specific characteristics of its organization, affect the selection and
development of control activities.
 Determines Relevant Business Processes—Management determines which relevant business processes
require control activities.

 Evaluates a Mix of Control Activity Types—Control activities include a range and variety of controls and may
include a balance of approaches to mitigate risks, considering both manual and automated controls, and
preventive and detective controls.
 Considers at What Level Activities Are Applied—Management considers control activities at various levels in
the entity.
 Addresses Segregation of Duties—Management segregates incompatible duties, and where such
segregation is not practical, selects and develops alternative control activities.

Approaches and Examples for Applying the Principle

Approach: Using Matrices, Workshops, or an Inventory of Control Activities to Map Identified Risks to
Control Activities

Once risks have been identified and mapped to relevant financial statements assertions, management
determines relevant business processes and selects and develops control activities to address each risk.
Management involves relevant stakeholders to identify the appropriate control activities. This includes those
individuals responsible for the risks in their areas, finance personnel responsible for financial reporting, and other
control experts, such as internal auditors or others who have relevant specialized knowledge. A centralized
group responsible for financial reporting or control activities periodically reviews the risk control matrices to help
ensure that the entity's financial reporting risks are being addressed.

The selection and development of control activities is achieved through various methods, and may include the
following:

 Using matrices to map identified risks to control activities
 Holding workshops to identify appropriate control activities for each identified risk
 Using an inventory of control activities, tailoring them as appropriate

Management considers the segregation of duties and a mix of transaction control activities and business
process reviews. Management considers using automated controls whenever the systems in place make it
possible. These are supplemented by manual control activities where automated controls are not available.

Example: Using Workshops to Map Identified Risks to Control Activities

A multi-million-dollar consumer products company, Prescott International, holds a number of workshops to select
and develop appropriate control activities for each identified risk relating to financial statement assertions for
revenue recognition. The meetings are attended by employees from various departments—credit, shipping,
billing, and customer service—who review the list of activities and link them to risks identified in the company's
risk assessment.

After these workshops, Prescott International is able to select and develop policies and procedures appropriate
to its business. The controller reviews the matrix of control activities and risks in order to identify any potential
risks not previously noted, recommend additional control activities if necessary, and remove unnecessary control
activities.

Example: Using a Risk and Controls Matrix to Map Risks to Control Activities

A multi-million-dollar manufacturer of sporting goods equipment, Go Rite Sports, develops a matrix in
conjunction with its risk assessment process. The matrix sets out:

 Financial reporting objectives and relevant assertions
 Identified risks
 Control activities

Matters such as general ledger maintenance, accruals, management estimates and reserves, period-end close
and consolidation procedures, financial statement preparation, and regulatory filings and disclosures are all
considered when building the matrix. The risks and controls are described in sufficient detail in the matrix to
allow Go Rite's management and others to evaluate whether, if implemented and operating as intended, these
actions can sufficiently mitigate the financial reporting risks. As part of this evaluation, management reviews the
type of control activity (e.g., preventive versus detective, manual versus automated) to determine if the mix is
appropriate. The following illustration is an excerpt of one of Go Rite's risk and control matrices with
accompanying flowchart.16

Extract of Procure to Pay Business Process Flowchart

Extract of Procure to Pay Risk and Controls Matrix

Example: Using an Inventory of Risks and Control Activities

Indigo Brewing is a large global beer brewing company. It has created a standard inventory of risk and control
activities that it uses as a basis for all its brewing subsidiaries. It created the inventory by customizing a generic
inventory of brewing industry risks and control activities that it obtained from Risk Reverse Inc. with Indigo entity-
specific considerations. Some of the entity-specific considerations include:

 Standard company-wide configurations for its enterprise resource planning (ERP) system
 Business performance reviews required of every business unit by corporate finance
 A baseline set of control activities to comply with Sarbanes-Oxley requirements

Following Indigo's recent acquisition of another brewery in China, management used the standard risk and
control inventory to develop and select the necessary control activities. It customized this list based on the
unique circumstances in the region and to suit the newly merged company, giving the functional leaders
responsibility for addressing these risks by implementing control activities in their specific areas.

Approach: Implementing or Assessing Control Activities when Outsourcing to a Third Party

The organization outsources some of its operations to a third party, which may or may not issue a "report on
controls at a service organization" following an appropriate local or international standard. Although the
organization may rely on an outsourced service provider to conduct processes, policies, and procedures on
behalf of the entity, management retains ultimate responsibility for designing, implementing, and conducting an
effective and efficient system of internal control.

Management obtains an understanding of the service organization's activities and whether those activities
impact significant classes of transactions, accounts, or disclosures in the company's reporting process. In
determining the significance of the service organization's processes to the financial statements, the entity
considers the following factors:

 The significance of the transactions or information processed by the service organization to the entity's financial
statements
 The risk of material omission and misstatement associated with the assertions affected by the processes of the
service organization, including whether the activities involve assets that are susceptible to loss or
misappropriation
 The nature and complexity of the services provided by the service organization and whether they are highly
standardized and used extensively by many organizations or unique and used only by a few

 The extent to which the entity's processes and control activities interact with those of the service organization
 The entity's control activities that are applied to the transactions affected by the service organization's activities
 The terms of the contract between the entity and the service organization, and the degree to which authority is
delegated to the service organization

If management determines that the service organization's processes are significant to internal control over
external financial reporting, then it:

 Identifies the specific control activities performed by the service organization that are relevant to financial
statement assertions, and/or
 Selects and develops control activities internally over the activities performed by the service organization.

If a report on controls at a service organization is available, management can use it to determine what financially
significant processes are covered, whether appropriate control activities are in place, and what control activities
are required in its own organization to address external financial reporting risks.

If an appropriate report does not exist, management can use the entity's own resources, such as internal audit,
to review the control activities and ensure that any external financial reporting risks are mitigated by the
combination of its own control activities and those of the service organization.

Example: Obtaining a Report on Controls at a Service Organization from a Service Payroll Provider

Green Grow Now is a 250-person company that packages and distributes organic produce. It uses a third-party
service, Jennssen Inc., to process payroll, which is considered significant to the company's financial reporting
because employee costs are a large part of Green Grow Now's expenses.

Jennssen Inc. engages a service auditor to audit its control activities over transaction initiation, processing, and
recording, and to issue an SSAE 16 (SOC1)17 report on controls. When Green Grow Now obtains the report, it
assesses whether the described control objectives and control activities performed by Jennssen impact internal
control over external financial reporting related to the existence, completeness, and valuation of payroll expense.

Green Grow Now considers the test results in the report and whether any exceptions have been identified. It
also considers the period covered by the report and concludes that it needs additional evidence of the operation
of control activities for the period not covered. The management communicates directly with Jennssen to inquire
about any changes to its processes; Jennssen confirms in writing that no changes have been made.

Based on this information, Green Grow Now concludes that no further action is needed. It also reviews the
control activities that it is expected to have in place in its own organization (as specified by the user control
activities in the SSAE 16 report) to verify they are implemented and operating as intended.

Example: Implementing or Assessing Control Activities when a Report on Controls at a Service
Organization is Not Available

Funnell Medi-Quip is a 500-person medical equipment manufacturer that decides to outsource its treasury
function to a service organization, Oxford Financial Experts. A report on control activities is not available.

The management of Funnell Medi-Quip evaluates the nature of the control activities of Oxford Financial Experts
and its own control activities over Oxford. The management team determines that the risk of material omission
and misstatement associated with the financial statement assertions affected by the processes of Oxford is
high. Funnell Medi-Quip concludes that additional information is needed to evaluate the design and operating
effectiveness of Oxford's control activities. The management team performs tests at Oxford, using the internal
audit group to verify that the control activities are implemented and operating as intended. Funnell also tests its
own user control activities.

Approach: Considering the Types of Control Activities

Once risks have been identified and mapped to relevant financial statement assertions, management determines
relevant business processes and selects and develops control activities to address each risk. Management
considers using automated controls whenever the systems in place make it possible. These are supplemented
by manual control activities when automated controls are not available. Management also considers a mix of
transaction control activities and business performance reviews. In its selection and development of control
activities, management considers the likelihood that a control might fail to operate effectively. In assessing the
risk of failure, management assesses various factors, which may include:

 The type of control (i.e., manual or automated) and the frequency with which it operates
 The complexity of the control
 The risk of management override
 The degree of judgment required to operate the control
 The competence of the personnel who perform the control
 Any changes in key personnel who perform the control
 The nature and materiality of misstatements that the control is intended to prevent or detect
 The degree to which the control relies on the effectiveness of other controls (e.g., general technology controls)
 The evidence of the operation of the control from prior years

Certain financial reporting elements, such as those involving significant accounting estimates, related party
transactions, or critical accounting policies, will generally have higher risk for both material omission and
misstatement to the financial reporting element and control failure. In these situations a combination of control
activities is usually selected and developed by management to adequately address the risks of a financial
reporting element.

Example: Balancing the Types of Control Activities

During initial compliance efforts, EJ's Corporation faced uncertainty in determining how many controls were
needed to achieve management's objectives. Amid such uncertainty duplicate control activities were deployed.
EJ's management is re-evaluating its existing controls to:

 Determine whether duplicate control activities can be eliminated
 Identify opportunities to implement preventive control activities earlier in the business process and balance with
downstream detective control activities
 Where possible, automate controls and eliminate manual control activities

In balancing its control activities within the processing of journal entries in the financial reporting cycle, EJ's
Corporation focuses on the following preventive control activities:

 Restricted Access—Ensuring that different people initiate, approve, and record key transactions such as manual
journal entries.
 Authorization, Approval, Verification—Clearly defining lines of responsibility and expectations with written job
descriptions. Setting limits for the authorization of journal entries by job function in excess of a specified limit;
controlling access to the general ledger software program through passwords, access codes, and program
permission; and requiring a senior-level individual to review supporting documents to verify that journal entries
are appropriate, valid, and in agreement with the company's policies.

The following detective control activities complement these control activities:

 Reconciliation—Performing regular, independent comparison of different sets of data to identify and investigate
any discrepancies
 Monitoring and Performance Reviews—Regularly comparing reported results to budgets, forecasts, prior
periods, and other benchmarks to identify unexpected results or unusual relationships that require additional
follow-up.
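The preventive and detective control activities listed above for journal entries, as an added worked example that is not part of the COSO text or of any vendor's software: the Python below checks a manual journal entry for segregation of duties (initiator, approver and poster must differ), for authorization limits by job function, and for independent senior verification of the supporting documents, and then reconciles the posted entries against an independently maintained sub-ledger. All names, job functions, limits, accounts and figures are constructed for illustration.

```python
"""Added example, not part of the COSO text or of any vendor product: the
preventive controls described for EJ's Corporation (restricted access,
authorization limits, independent verification of support) expressed as checks
on a manual journal entry, plus a detective reconciliation of posted entries
against an independent sub-ledger.  Names, roles, limits and figures are
constructed for illustration."""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed approval limits by job function: an accountant may initiate an
# entry but never approve one; more senior functions carry higher limits.
APPROVAL_LIMITS: Dict[str, float] = {
    "accountant": 0.0,
    "senior_accountant": 10_000.0,
    "controller": 250_000.0,
    "cfo": float("inf"),
}
SENIOR_FUNCTIONS = ("controller", "cfo")   # constructed: who may verify support


@dataclass
class JournalEntry:
    entry_id: str
    account: str
    amount: float                      # amount posted to the account
    initiated_by: str
    approved_by: Optional[str] = None
    reviewed_by: Optional[str] = None  # senior person who checked the support
    posted_by: Optional[str] = None


def check_entry(entry: JournalEntry, roles: Dict[str, str]) -> List[str]:
    """Preventive controls: return the violations for one entry (empty list = passes)."""
    problems: List[str] = []

    # Restricted access / segregation of duties: whoever initiates, approves and
    # records the entry must be three different people.
    actors = [a for a in (entry.initiated_by, entry.approved_by, entry.posted_by) if a]
    if len(set(actors)) != len(actors):
        problems.append("segregation of duties: same person in more than one role")

    # Authorization: the approver's job function must cover the entry amount.
    if entry.approved_by is None:
        problems.append("authorization: entry not approved")
    else:
        limit = APPROVAL_LIMITS.get(roles.get(entry.approved_by, ""), 0.0)
        if entry.amount > limit:
            problems.append(
                f"authorization: {entry.approved_by} limit {limit:.0f} < amount {entry.amount:.0f}"
            )

    # Verification: a senior-level person other than the initiator reviewed the
    # supporting documents.
    reviewer_role = roles.get(entry.reviewed_by or "", "")
    if (entry.reviewed_by is None or entry.reviewed_by == entry.initiated_by
            or reviewer_role not in SENIOR_FUNCTIONS):
        problems.append("verification: no independent senior review of support")
    return problems


def reconcile(posted: List[JournalEntry], subledger: Dict[str, float]) -> Dict[str, float]:
    """Detective control: compare general-ledger totals per account with an
    independently maintained sub-ledger and return the accounts that differ."""
    gl_totals: Dict[str, float] = {}
    for e in posted:
        gl_totals[e.account] = gl_totals.get(e.account, 0.0) + e.amount
    differences: Dict[str, float] = {}
    for account in sorted(set(gl_totals) | set(subledger)):
        delta = round(gl_totals.get(account, 0.0) - subledger.get(account, 0.0), 2)
        if delta != 0:
            differences[account] = delta
    return differences


# Constructed sample data.
ROLES = {"alice": "accountant", "bob": "senior_accountant",
         "carol": "controller", "dave": "cfo"}
SAMPLE_ENTRIES = [
    JournalEntry("JE-1", "1200-AR", 8_500.0, "alice", "bob", "carol", "dave"),
    JournalEntry("JE-2", "1200-AR", 45_000.0, "alice", "bob", "carol", "dave"),  # above bob's limit
    JournalEntry("JE-3", "2100-AP", 3_000.0, "bob", "bob", "carol", "alice"),    # bob approved his own entry
    JournalEntry("JE-4", "2100-AP", 120_000.0, "alice", "carol", "dave", "bob"),
]
SUBLEDGER = {"1200-AR": 53_500.0, "2100-AP": 122_500.0}   # constructed: AP sub-ledger is 500 short


def run_sample() -> dict:
    """Run both controls over the sample and return what a reviewer would look at."""
    violations = {e.entry_id: check_entry(e, ROLES) for e in SAMPLE_ENTRIES}
    return {"violations": violations, "differences": reconcile(SAMPLE_ENTRIES, SUBLEDGER)}


if __name__ == "__main__":
    result = run_sample()
    for entry_id, problems in result["violations"].items():
        print(entry_id, "OK" if not problems else "; ".join(problems))
    print("unreconciled accounts:", result["differences"])
```

The preventive checks are the ones an ERP workflow would enforce before an entry can be posted; the reconciliation runs afterwards and catches what slipped through (here a 500 difference on the payables account), which is why the text pairs the two rather than relying on either alone.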

Example: Evaluating Preventive versus Detective Control Activities

As part of its regular assessment of control activities, Mountain High University reviews the mix of preventive
and detective control activities and finds a high proportion of detective control activities. This high proportion is
making transaction processing slow, labor intensive, and error prone, as a considerable amount of time is spent
fixing errors that occurred earlier in the process. To address the problem, management implements more
preventive controls earlier in the process, through automated controls such as edit checks and automated data
verification, and review and approval controls at transaction initiation, to reduce the number of errors that need
to be detected and corrected after transactions are processed.

Example: Setting the Threshold for Business Performance Reviews

The senior management of Zephyr Corp., a multinational consumer products company, reviews the monthly and
quarterly income statement and balance sheet analysis in order to prevent or detect on a timely basis material
omission and misstatements to one or more financial statement assertions. This analysis compares the current
year results against prior year actual results, the current year budget, and the latest forecast. It also includes key
performance indicators such as gross margin, accounts receivable, inventory turnover days, and return on
equity.

To begin the analysis, the CFO of each of the company's five business units reviews the balance sheet and
income statement in detail to identify and explain any variances from budget and prior year actual results over a
predetermined threshold (which varies by business unit). The threshold, which ranges from 5% to 10% of pre-tax
income, has been developed by senior management to help detect potentially material differences considering
the following factors:

 Significance of the business unit in relation to the group
 The nature of assets and liabilities and transactions executed at the business unit, including significant
transactions or initiatives undertaken outside the normal course of business
 Specific risks associated with the business unit
 Degree of centralization of processes and financial reporting applications
 The effectiveness of the control environment at the business unit
 Results of past monitoring activities by the company
 Potential for error to exist at the business unit

The analysis is then submitted to Zephyr's corporate center for review. Senior management holds monthly
meetings with the representatives from each business unit (usually a business unit CFO) to understand why
significant differences exceed the predefined thresholds and to determine whether corrective action is
necessary.
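The business performance review described above, as an added worked example that is not part of the COSO text: each business unit's line items are compared with budget and with prior-year actuals, and any variance whose absolute size exceeds the unit's threshold (a percentage of pre-tax income, here within the 5% to 10% range the example gives) is placed on the agenda for the monthly review meeting. The business units, threshold percentages and figures are constructed for illustration.

```python
"""Added example, not part of the COSO text: the business performance review
described for Zephyr Corp. as a detective control.  Each business unit's line
items are compared with budget and prior-year actuals, and any variance larger
than a unit-specific threshold (a percentage of pre-tax income) is put on the
agenda for the monthly review meeting.  Units, thresholds and figures are
constructed for illustration."""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class VarianceFlag:
    unit: str
    line_item: str
    basis: str           # "budget" or "prior_year"
    current: float
    comparator: float
    threshold: float

    @property
    def variance(self) -> float:
        return round(self.current - self.comparator, 2)


def flag_variances(unit: str, current: Dict[str, float], budget: Dict[str, float],
                   prior_year: Dict[str, float], pretax_income: float,
                   threshold_pct: float) -> List[VarianceFlag]:
    """Return every line item whose absolute variance from budget or prior year
    exceeds threshold_pct * pretax_income for this unit."""
    threshold = threshold_pct * pretax_income
    flags: List[VarianceFlag] = []
    for item, value in current.items():
        for basis, comparator in (("budget", budget), ("prior_year", prior_year)):
            if item not in comparator:
                # A missing comparator is itself a reporting gap, not a pass.
                raise KeyError(f"{unit}: no {basis} figure for {item}")
            if abs(value - comparator[item]) > threshold:
                flags.append(VarianceFlag(unit, item, basis, value, comparator[item], threshold))
    return flags


# Constructed figures for two business units.  Thresholds sit inside the 5%-10%
# of pre-tax income range the example describes; the larger, more centralized
# unit gets the tighter threshold.
UNITS = {
    "NorthAm": {
        "threshold_pct": 0.05, "pretax_income": 2_000_000.0,
        "current":    {"revenue": 5_300_000.0, "cost_of_sales": 3_000_000.0, "opex": 1_200_000.0},
        "budget":     {"revenue": 5_100_000.0, "cost_of_sales": 2_950_000.0, "opex": 1_150_000.0},
        "prior_year": {"revenue": 5_250_000.0, "cost_of_sales": 2_880_000.0, "opex": 1_180_000.0},
    },
    "EMEA": {
        "threshold_pct": 0.10, "pretax_income": 500_000.0,
        "current":    {"revenue": 1_800_000.0, "cost_of_sales": 1_000_000.0, "opex": 330_000.0},
        "budget":     {"revenue": 1_760_000.0, "cost_of_sales": 990_000.0, "opex": 285_000.0},
        "prior_year": {"revenue": 1_700_000.0, "cost_of_sales": 960_000.0, "opex": 300_000.0},
    },
}


def review_agenda(units: Dict[str, dict] = UNITS) -> Dict[str, List[VarianceFlag]]:
    """Build the per-unit list of variances the corporate center will ask about."""
    return {
        name: flag_variances(name, u["current"], u["budget"], u["prior_year"],
                             u["pretax_income"], u["threshold_pct"])
        for name, u in units.items()
    }


if __name__ == "__main__":
    for unit, flags in review_agenda().items():
        print(f"{unit}: {len(flags)} item(s) over threshold")
        for f in flags:
            print(f"  {f.line_item} vs {f.basis}: {f.variance:+,.0f} (threshold {f.threshold:,.0f})")
```

Ratio indicators such as gross margin or inventory turnover days, which the example also reviews, would need a tolerance expressed in percentage points or days rather than the currency threshold used here; the structure of the comparison is the same.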

Example: Controlling Significant Accounting Estimates

Finance management at the Judge Mint Company (JMC) is responsible for preparing accounting estimates
relating to the valuation of trade receivables on a monthly and quarterly basis. Management estimates the
underlying allowance for uncollectible receivables considering:

 Historical percentages of uncollectible receivables to total receivables
 Historical collections and write-offs relating to customers with specific receivables outstanding at period end
 Judgments relating to customers' ability and intent to pay

Management's assessment of customers' ability and intent to pay outstanding receivables is subjective and
susceptible to error. Accordingly, management selects, develops, and deploys a mix of control activities to help
mitigate this valuation risk, including the following:

• The treasurer periodically reviews existing customers' historical financial and credit information as provided by
Dun & Bradstreet to identify any changes in the customers' ability to pay.
• Automated preventive controls embedded within JMC's ERP system support the generation of sub-ledger
reporting, including historical aging, collection, and write-off of receivables by customer, which provides a level
of consistency for the completeness and accuracy of reporting used in making estimates.
• Specific adjustments proposed by accounting personnel who are knowledgeable about customers must be
supported by analyses including reasons for such adjustments (e.g., communications, disputes, payments,
write-offs).
• The assistant controller approves proposed adjustments to the calculated preliminary estimate for specific
uncollectible receivables based on review of supporting analyses and information.
• The controller assesses the reasonableness of the final estimate by reviewing the rationale supporting the
selection of the historical percentage used to calculate the preliminary estimate and the rationale supporting any
material adjustments, and considering the consistency with her knowledge of industry, business, and customer
trends/events.

Example: Automating Balance Sheet Reconciliations

Gentry Co., a large decentralized industrial products company, has identified the account reconciliations part of
the financial reporting process as a critical control activity for reducing the risk of material omission and
misstatement in the financial statements. The number of accounts in the company's books has increased
significantly over the years as new processes and transactions have been added, other entities have been
formed or acquired, and the number of employees has grown. Today, a large volume of accounts are reconciled
manually on a monthly basis, but this is a time-consuming process that is prone to error.

Gentry Co. is considering implementing account reconciliation software, which would help automate the process
and allow Jeremy Brewster, who is responsible for the process, to spend more time on the more subjective and
complex areas of account reconciliation.

Gentry has identified the following benefits that would arise out of using an automated account reconciliation
tool:

• A continuous controls monitoring framework would be able to identify significant and material reconciling items,
allowing management to quickly respond to potential issues.
• Adjusting entries would be identified and efficiently recorded, followed by a review by Mr. Brewster.
• Labor and cost would be reduced.

• Automation would integrate seamlessly with ledgers, sub-ledgers, and other financial systems.
• Exception management would reduce exposure to risk by establishing an action plan for all exception items.
• Reconciliation processes would be integrated into the email system, automating workflow.

Gentry Co. decides to implement a partial automated process. It uses both qualitative and quantitative factors to
determine which reconciliations will be automated and which will continue to be manual. The factors considered
favorable to automation include low complexity of transactions, absence of significant judgments and estimates,
low number of manual journal entries and adjustments, low susceptibility of transactions to fraud, and high-
volume, low-dollar value of transactions, combined with low degree of variation against the expected account
balance.

Approach: Considering Alternative Control Activities to the Segregation of Duties

Where resource or other constraints compromise the ability to appropriately segregate duties, management
considers alternative control activities, such as timely periodic management reviews of reports that are prepared
in sufficient detail for misstatements to be identified.

Example: Using Alternative Control Activities when Access to Purchasing Transactions Is Not
Segregated18

Luther Optical is a multi-million-dollar designer, manufacturer, and distributor of consumer and industrial optical
products. There are two staff members in the purchasing department, each of whom is authorized to prepare,
authorize, and issue purchase orders up to $5,000. Because no one reviews these purchase orders before they
are sent to vendors, there is a risk that unintentional errors or intentional fraudulent acts will result in inventory
valuation errors, obsolescence, or shortages due to diverted shipments. To reduce this risk to an acceptable
level, management relies on a combination of control activities carried out by other staff members. These
include, but are not limited to, the following:

• An inventory clerk documents and tracks all inventory levels, reducing the risk of obsolescence.
• An inventory receiving clerk evaluates, documents, and reports to management unusual inventory movement,
such as excessive ordering that could lead to obsolescence.
• A payables clerk matches invoices to purchase orders and receiving reports before amounts are paid, reducing
the risk of errors resulting from diverted shipments.
• A controller reviews exception reports of all inventory purchases with a price more than 10% above current
average costing.

Approach: Identifying Incompatible Functions

Using automated tools, organization charts, process flowcharts, or other means by which activities are
documented, management identifies incompatibilities in functions that are needed to appropriately segregate
duties. These incompatible functions are considered when developing or revising the policies for granting access
to assets and systems. The policies are regularly updated to reflect changing responsibilities and activities.

Example: Manually Assessing Incompatible Functions Across an Entity

Finansis Corporation is a manufacturer of bicycles that recently implemented an enterprise resource planning
system but continues to use its legacy procurement application. Management has identified a risk that personnel
perform incompatible functions across the entity's financial reporting systems, and in turn, have inappropriate
access to those systems. The CFO, Steve Wu, has formed a task force of representatives from finance,
accounting, operations, internal audit, compliance, and IT to review process flowcharts and procedure manuals
and to assess the financial reporting risks of the same person being able to perform two incompatible functions
(e.g., bill creation and payments). The task force has now created a matrix of incompatible functions across the
financial reporting processes and assessed any business justification for the incompatibility. If the business
justification is deemed valid, the task force evaluates the sufficiency of alternative controls selected, developed,
and deployed. If the justification is found not valid or not existing, the task force develops a recommendation for
the controller to implement a policy for segregating the functions.

Senior finance, operations, IT, internal audit, and compliance management have reviewed and approved the
task force's recommendations. Commensurate with the policy changes, IT has updated access rights across the
various systems. Control activities were selected and deployed to help ensure that the segregation of duties is
maintained, including policies and procedures for user management and IT's review and approval of access
requests. The policies also include the segregation of duties as criteria in the annual review of access rights
performed by user management for each financial reporting relevant system.

Example: Using Automated Tools to Enforce the Segregation of Incompatible Functions

Frencorp is a multi-billion-dollar public industrial products manufacturer. Recently it installed and configured a
governance, risk, and compliance access management application. The purpose is to assess sensitive access
and segregation-of-duty risks and conflicts during the development of security roles and the assignment of those
roles to end users. The application allows Frencorp to define processes and transactions that should not be
combined in a security role or assigned to the same end user. It prevents the assignment of any access that is
deemed incompatible.

Furthermore, the application routinely scans security roles and end-user access, generates reports of access
risks and conflicts, and routes the reports to the appropriate people for review. If a user requires access to
conflicting transactions, the application recommends a mitigating control activity. Frencorp management's review
of the access risks and conflicts reports and mitigating control activity decisions are logged in the application.
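A constructed illustration of the kind of incompatibility check that the Finansis task force's matrix and the Frencorp access management application perform: a design-time check on roles, a preventive check on role assignment that requires a recorded mitigating control for any conflict, and a periodic scan that reports conflicts. This is an added example, not Finansis's, Frencorp's or COSO's code; the function names, roles, users and mitigating controls are hypothetical, and the only pair taken from the text is bill creation versus payments.

```python
"""Segregation-of-duties (SoD) conflict scanner (constructed example).

Not Finansis's, Frencorp's or COSO's code. The incompatibility matrix, the
security roles, the users and the mitigating controls are hypothetical;
the only pair taken from the text is bill creation vs. payments.
"""
from itertools import combinations

# The matrix of incompatible functions: each pair must not be bundled in one
# security role or held (through any combination of roles) by one user.
INCOMPATIBLE = {
    frozenset({"create_vendor_bill", "approve_payment"}),  # pair named in the text
    frozenset({"create_vendor_bill", "maintain_vendor_master"}),
    frozenset({"post_journal_entry", "approve_journal_entry"}),
    frozenset({"create_purchase_order", "receive_goods"}),
}

# Security roles and the transactions each one grants (constructed).
ROLES = {
    "AP_CLERK": {"create_vendor_bill", "receive_goods"},
    "AP_MANAGER": {"approve_payment", "maintain_vendor_master"},
    "GL_ACCOUNTANT": {"post_journal_entry"},
    "GL_REVIEWER": {"approve_journal_entry"},
    "BUYER": {"create_purchase_order"},
    # Deliberately badly designed: bundles two incompatible functions.
    "AP_SUPERUSER": {"create_vendor_bill", "approve_payment"},
}


def conflicts_in(functions):
    """Incompatible pairs present within one set of functions."""
    return {frozenset(pair) for pair in combinations(sorted(functions), 2)
            if frozenset(pair) in INCOMPATIBLE}


def role_conflicts(roles=ROLES):
    """Design-time check: roles that bundle incompatible functions."""
    return {name: conflicts_in(funcs) for name, funcs in roles.items()
            if conflicts_in(funcs)}


def user_functions(user_roles, roles=ROLES):
    """All transactions a user can execute through the roles held."""
    return set().union(*(roles[r] for r in user_roles))


def assign_role(assignments, user, role, mitigations):
    """Preventive control: grant `role` to `user` only if every SoD conflict the
    grant would create has an approved mitigating control.

    `assignments` maps user -> set of roles (updated in place on success).
    `mitigations` maps (user, conflict pair) -> description of the control.
    Returns the blocking (unmitigated) conflicts; an empty list means granted."""
    proposed = assignments.get(user, set()) | {role}
    blocking = [pair for pair in conflicts_in(user_functions(proposed))
                if (user, pair) not in mitigations]
    if not blocking:
        assignments[user] = proposed
    return blocking


def scan_users(assignments, mitigations):
    """Detective control: periodic scan of all users, listing each conflict
    and the mitigating control recorded for it (None = unmitigated)."""
    report = []
    for user in sorted(assignments):
        for pair in sorted(conflicts_in(user_functions(assignments[user])),
                           key=sorted):
            report.append({"user": user,
                           "conflict": tuple(sorted(pair)),
                           "mitigated_by": mitigations.get((user, pair))})
    return report


if __name__ == "__main__":
    print("roles bundling incompatible functions:", role_conflicts())
    users = {"alice": {"AP_CLERK"}, "bob": {"GL_ACCOUNTANT"}}
    controls = {}
    # Refused: AP_MANAGER would let alice both create bills and approve payments.
    print("blocked:", assign_role(users, "alice", "AP_MANAGER", controls))
    # Granted once a mitigating control is recorded for each conflict.
    controls[("alice", frozenset({"create_vendor_bill", "approve_payment"}))] = \
        "controller reviews the weekly payment run against bills"
    controls[("alice", frozenset({"create_vendor_bill", "maintain_vendor_master"}))] = \
        "monthly vendor-master change report reviewed by treasurer"
    print("blocked:", assign_role(users, "alice", "AP_MANAGER", controls))
    for row in scan_users(users, controls):
        print(row)
```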

Selects and Develops General Controls over Technology

Principle 11. The organization selects and develops general control activities over technology to support the
achievement of objectives.

Points of Focus

The following points of focus highlight important characteristics relating to the principle:

• Determines Dependency between the Use of Technology in Business Processes and Technology
General Controls—Management understands and determines the dependency and linkage between business
processes, automated control activities, and technology general controls.
• Establishes Relevant Technology Infrastructure Control Activities—Management selects and develops
control activities over the technology infrastructure, which are designed and implemented to help ensure the
completeness, accuracy, and availability of technology processing.
• Establishes Relevant Security Management Process Control Activities—Management selects and
develops control activities that are designed and implemented to restrict technology access rights to authorized
users commensurate with their job responsibilities and to protect the entity's assets from external threats.
• Establishes Relevant Technology Acquisition, Development, and Maintenance Process Control
Activities—Management selects and develops control activities over the acquisition, development, and
maintenance of technology and its infrastructure to achieve management's objectives.

Approaches and Examples for Applying the Principle

Approach: Using Risk and Control Matrices to Document Technology Dependencies

Management documents the underlying technology that supports control activities in risk and control matrices,
flow charts, or narratives. Using this information, management can document the linkage between control
activities and technology. Management should understand which aspects of technology (infrastructure, security,
technology acquisition, development, and maintenance processes) are important to the continued, proper
operation of the technology and any associated automated controls. Management also develops an
understanding of how various applications and technologies interface with each other.

Example: Using a Walkthrough to Understand Technology Dependencies

A global publicly traded information services organization, Signal Corp., recently acquired a privately held
newspaper chain. During the due diligence process, Signal Corp. determined that the management of the
newspaper chain did not have a good understanding of which applications were critical to the integrity and
reliability of its financial information. To assess this linkage, the internal audit department of Signal Corp.
performed a walkthrough of each of the newspaper chain's significant financial processes and documented in a
process flow diagram all the applications that supported these processes. These included the automated
controls and any controls that depended on system-generated reports.

The walkthrough covered each major class of transactions. The internal audit team asked the relevant personnel
of the newspaper chain about all significant aspects of the process.

Approach: Evaluating End-User Computing

Management understands the use of end-user computing, which includes spreadsheets, that supports its
financially significant processes and associated control activities. Management assesses the risks of a
misstatement resulting from an error in one of these end-user computing applications. Based on the level of risk,
management selects and develops general control activities over the technology covering the relevant
processes over:

• Technology infrastructure
• Security management
• End-user computing development and maintenance
• Completeness and accuracy controls between the end-user computing system and other systems

For high-risk end-user computing applications, management considers converting to an IT-supported
application.

Example: Evaluating Financial Close End-User Spreadsheet Control Activities

Smythe & Smythe International recently evaluated the use of spreadsheets in its financial close process. In
doing so, it identified that the spreadsheets supporting the calculation of LIFO (last-in, first-out) adjustment and
the fair values of goodwill, intangible assets, and debt were of high risk, based on their susceptibility to error and
significance to the financial statements.

Smythe & Smythe also classified the spreadsheets as high in complexity because they included the use of
macros and multiple supporting spreadsheets to which cells and values were interlinked. The spreadsheets were
used either as the basis for journal entries into the general ledger (LIFO reserve) or as financial statement
disclosures (fair value of goodwill, intangible assets, and debt).

The company considered the security, maintenance, and update risks of the spreadsheets and then selected
and developed the following control activities:19

• Input Control—Input data is reconciled to source documentation to cover its completeness and accuracy.
• Access Control—File-level access to the spreadsheets on a central server is limited to approved users, and a
password is required to access the LIFO reserve spreadsheet.
• Version Control—Standard naming conventions and directory structures are in place so only current and
approved versions of the spreadsheets are used.
• Calculation Testing—When changes to formulas are made they are tested against a manual calculation for
accuracy. All spreadsheet formulas are checked for accuracy at least once a year.

• Overall Analytics—Analytical business process reviews using pre-established thresholds based on operating
income and working capital function as a detective control to find errors in any of the spreadsheets.

Approach: Implementing or Assessing Control Activities when Outsourcing IT Functions to a Third Party

Management outsources certain aspects of its IT infrastructure to an outside service provider, which may or may
not have a "report on controls at a service organization" following an appropriate local or international standard.
If a report is available, management uses it to determine what financially significant IT processes are covered,
whether appropriate controls are in place at the service organization, and what controls are required in its own
organization to mitigate risks to external financial reporting to an acceptable level.

If an appropriate report does not exist, management uses internal resources (e.g., internal audit) to review the
controls at the third party, verifying that the combination of the company's controls and those at the service
organization mitigate risks to external financial reporting to an acceptable level.

Example: Obtaining a Report on Controls at a Service Organization from a Cloud-Based Service Provider

E-Book Frontier, a retailer of electronic books, has outsourced its enterprise resource planning (ERP) application
to a cloud-based service provider (CSP). To prepare for its initial public offering, the company began to develop
and implement a system of internal control in support of its anticipated external financial reporting objectives. E-
Book Frontier uses the ERP application to support its revenue, inventory, purchasing, and payables processes,
so it supports a number of financial statement line items and their associated assertions.

To that end, the management of E-Book Frontier assessed the risks associated with the business processes
outsourced to the ERP cloud service provider and determined a number of control activities and information
requirements that needed to be addressed. E-Book Frontier management obtained a Statement on Standards
for Attestation Engagements (SSAE) No. 16 (SOC 1) report on internal controls prepared by a third-party service
auditor. As part of developing and deploying internal controls across the end-to-end business processes
managed in part by the CSP, E-Book Frontier incorporated the review of the audit report as a control activity. In
performing its review, management noted the following:

• The scope of the report included certain application controls and technology general controls that were
evaluated for both design and operating effectiveness. The controls relating to the customized configuration for
the organization were not addressed in the service auditor's report. Management evaluated the impacted
business process and related financial reporting risks and selected and developed additional actions and control
activities to address these risks.
• The tests of controls covered a time period that correlated with ten months of the company's fiscal year,
resulting in a gap of the last two months. Based on management's analysis on the relevance and risk of the
related controls, E-Book Frontier determined that corroborative inquiry with the CSP would be adequate for the
gap period. To evaluate the continued operation of the CSP controls, management interviewed key CSP
personnel to assess whether any changes in the controls or known failures had occurred since the date of the
report.

Management reviewed the results of the tests of controls and the service auditor's opinion on the operating
effectiveness of the controls to determine whether each control objective was achieved. Two exceptions were
noted in the report, and management reviewed the additional information related to these that was provided by
the CSP in the unaudited portion of the report. They concluded that one exception was not relevant to their
organization. For the second exception, additional procedures were needed.

The second exception related to evidence of customer approval of program changes; management evaluated
the sufficiency of E-Book Frontier's controls over approval of changes requested to be performed by the CSP. In
addition, it requested a report of all changes for the past six months from the CSP and verified that the report of
all changes was complete and accurate. It then compared the list of changes and noted no variances from its
internal records.

Based on these additional procedures, management concluded that the exceptions did not result in a deficiency
of their system of internal control.

Approach: Configuring the IT Infrastructure to Support Restricted Access and Segregation of Duties

The applications, databases, operating systems, and networks that support financially significant processes are
configured to support restricted access to financial applications and data consistent with the organization's
policies and procedures. The configuration includes a means to authenticate users or systems and enforce
restricted access, as well as key parameters, such as minimum password length and the aging of passwords.

Example: Configuring the IT Infrastructure to Support Restricted Access and Segregation of Duties

Woodlawn Wireless Telecommunications, which has a number of applications critical to its financial reporting
process, was recently cited for poor infrastructure security controls by its internal audit group. Specifically, the
setup of key security parameters, such as password length and complexity, was not consistently applied across
these applications, and in many cases they were below industry standards for good practices. To correct the
situation, Woodlawn developed a four-step approach:

• Create a three-tier risk rating of the importance of an application and its data to the reliability of the financial-
reporting process.
• Develop policies for the settings of key security parameters for all financially relevant technology in use at the
company for each risk rating level.
• Assess the importance of each application and its associated infrastructure to the reliability of financial reporting
and assign it a risk rating.

• Implement procedures to put in place and monitor compliance with the policies for each application consistent
with its associated rating.
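The four-step approach above, carried through as a constructed compliance check: a policy per risk tier for the parameters the text names (password length, complexity, aging, and a finite number of login attempts), an application inventory with assigned tiers, and a check that reports every setting weaker than its tier's policy. This is an added example, not Woodlawn's or COSO's code; the tiers, thresholds and application names are hypothetical placeholders, not industry figures.

```python
"""Tiered security-parameter compliance check (constructed example).

Three risk tiers (1 = most important to financial reporting) each carry a
policy for the parameters named in the text: minimum password length,
complexity, password aging and a finite number of login attempts.
All values below are hypothetical placeholders, not Woodlawn's or COSO's.
"""

# Step 2: policy per risk rating. Stricter tiers demand stricter settings.
POLICY = {
    1: {"min_password_length": 14, "complexity_required": True,
        "max_password_age_days": 60, "max_failed_logins": 5},
    2: {"min_password_length": 12, "complexity_required": True,
        "max_password_age_days": 90, "max_failed_logins": 10},
    3: {"min_password_length": 8, "complexity_required": False,
        "max_password_age_days": 180, "max_failed_logins": 10},
}

# Step 3: constructed inventory of applications with their assigned risk
# rating and the parameters actually configured. 0 means "not enforced"
# (passwords never expire / no lockout), a common weak default.
APPLICATIONS = {
    "GENERAL_LEDGER": {"tier": 1, "settings": {
        "min_password_length": 16, "complexity_required": True,
        "max_password_age_days": 45, "max_failed_logins": 5}},
    "BILLING": {"tier": 1, "settings": {
        "min_password_length": 8, "complexity_required": True,
        "max_password_age_days": 0, "max_failed_logins": 0}},
    "INTRANET_PORTAL": {"tier": 3, "settings": {
        "min_password_length": 8, "complexity_required": False,
        "max_password_age_days": 180, "max_failed_logins": 10}},
}


def evaluate(app):
    """Step 4: compare one application's settings with the policy for its tier.
    Returns a list of (parameter, configured, required) findings; empty = compliant."""
    policy = POLICY[app["tier"]]
    s = app["settings"]
    findings = []
    if s["min_password_length"] < policy["min_password_length"]:
        findings.append(("min_password_length", s["min_password_length"],
                         policy["min_password_length"]))
    if policy["complexity_required"] and not s["complexity_required"]:
        findings.append(("complexity_required", False, True))
    # Aging: 0 (never expires) is treated as a failure, not as "0 days".
    if (s["max_password_age_days"] == 0
            or s["max_password_age_days"] > policy["max_password_age_days"]):
        findings.append(("max_password_age_days", s["max_password_age_days"],
                         policy["max_password_age_days"]))
    # Lockout: 0 (unlimited attempts) likewise fails the "finite attempts" rule.
    if (s["max_failed_logins"] == 0
            or s["max_failed_logins"] > policy["max_failed_logins"]):
        findings.append(("max_failed_logins", s["max_failed_logins"],
                         policy["max_failed_logins"]))
    return findings


def compliance_report(applications=APPLICATIONS):
    """Monitoring view: application -> findings, for non-compliant ones only."""
    return {name: evaluate(app) for name, app in applications.items()
            if evaluate(app)}


if __name__ == "__main__":
    for name, findings in compliance_report().items():
        print(name, "tier", APPLICATIONS[name]["tier"])
        for param, configured, required in findings:
            print(f"  {param}: configured {configured}, policy requires {required}")
```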

Approach: Configuring IT to Support the Complete, Accurate, and Valid Processing of Transactions and
Data

Management selects and develops control activities so that transaction processing, whether batch or real-time,
is complete, accurate, and valid. Processing is actively checked for problems, either through a manual review of
system status and logs or by automated programs with alarms. Timely corrective action is taken when problems
are identified. Critical financial data and programs are regularly backed up and procedures are in place to
completely and accurately do a restore. The restoration process is regularly tested to help ensure the backup
and restoration processes work properly.

Example: Configuring IT to Support the Complete, Accurate, and Valid Processing of Transactions and
Data

In the data center of Sullivan Financial Services, the IT operations staff monitors the batch and real-time
processing of applications (including all financially significant applications) for errors using automated software.
The scheduling software on the mainframe application checks for various problems with batch jobs, including
data errors and programs that don't complete properly or that run out of order. The operators are alerted to any
of these issues and alert the appropriate business process owner based on standard documented procedures.

For applications that process in real time, software is also used to automatically monitor for errors, such as
incomplete, inaccurate, or invalid record transfers between systems. When a possible error is detected, the
software attempts to resend the record without error. If the error persists, an email alert is sent to an operator
who corrects the error following standard documented procedures. Financial management is notified of any
errors in a weekly report. The weekly report is reviewed to determine if any accounting record adjustments are
required due to the system problems. The controller reviews and approves any changes. (Note: this could be
considered a process-level control.)

Approach: Administering Security and Access

Financial management establishes policies that define appropriate access rights to be consistent with job
functions, including segregation of duties, for financially significant applications and processes. New access
requests or changes to access are reviewed against the policy by the functional owner of the IT resource (i.e.,
application, database, operating system, or network). The owner of the IT resource periodically recertifies
access to ensure it is commensurate with policy. Problem reports, such as excessive improper logins, are
regularly reviewed, and follow-up actions are taken when issues are identified.

Example: Establishing Logical Security

The management team of a compensation and benefits consultancy reviews logical security controls to prevent
unauthorized access to its financial reporting systems as follows:

• User Accounts—Formal user account setup and maintenance procedures are in place to request, establish,
issue, suspend, change, and delete user accounts.
• Authentication Controls—Authentication standards establish minimum requirements for password length and a
finite number of login attempts. Only unique user IDs are used to promote accountability and auditability.
• Privileged Accounts—The use of privileged ("super-user") accounts is limited to two system and application
administrators who are responsible for IT security management and therefore deemed appropriate. These
accounts are monitored by management for improper use.
• Application Reviews—The configuration settings for who has access to data related to critical applications and
systems are periodically reviewed. Any violations detected are reported to management and corrective action is
taken.
• Security Reviews—Applications and systems generate security logs, enabling user activity to be monitored and
security violations to be reported to management.

Approach: Applying a System Development Life Cycle over Packaged Software

Management considers many factors when selecting new packaged software, including functionality, application
controls, security features, and data conversion requirements. Management utilizes competent internal
resources or hires a third-party vendor to implement the software, following the organization's requirements.

Management follows a defined change-control process to implement system upgrades or patches. This includes
assessing the nature of the upgrade or patch and whether it is appropriate to implement. If deemed appropriate,
the patch or upgrade is system and user tested in an environment that mirrors production before being
implemented. Key stakeholders, such as the functional users, finance, and IT, sign off on the change before it is
implemented. Appropriate documentation is maintained to provide evidence that the changes have been made.

Example: Managing Changes to Packaged Software

FabFun Toys is a manufacturer of plastic toys. For several years it has been using packaged general ledger
software, and it has developed a set procedure for managing vendor announcements of software upgrades,
which is as follows:

• Obtain a description of the change, the rationale for it, the impact on the company's security environment, and
implications for user interfaces.
• Outline steps for a back-out plan should the upgrade not perform as expected.
• Develop a plan to test that the edit and validation rules work properly, desired system functions operate as
expected and produce the desired results, undesired processing results are prevented, and existing technical
capabilities, including control activities critical to external financial reporting, continue to work properly.
• Execute the tests and document the results.
• Maintain a change control log.
• Obtain approval from financial and operational management and end users of the test results prior to releasing
the upgrade into production.

Approach: Applying a System Development Life Cycle over Software Developed In-House

Management follows a full system development life cycle (SDLC) covering problem fixes to major
implementations. The SDLC covers a number of process steps and control activities, including the following:

• Initiation, Authorization, Tracking, and Analysis—Changes are captured in a change control or development
specification. The change's progress is tracked and authorization to proceed is made by the appropriate
stakeholders. The possible impact to internal controls over financial reporting is assessed, and changes are
approved by relevant financial stakeholders.
• Design and Construction—Programming standards are followed during the design phase and procedures are
put in place to provide version control.
• Testing and Quality Assurance—Testing is performed before going live to check if the change meets the
specification and has not caused any unintended changes to the existing software. The amount and type of
testing varies based on the nature of the change (size, complexity, etc.) and includes unit, system, integration,
and user acceptance testing, as appropriate.
• Data Conversion—When applicable, data is converted completely, accurately, and validly from the previous
technology.
• Program Implementation and Go-Live Authorization—The change is approved by the relevant stakeholders
before going live, and only the approved version of the software is implemented.
• Documentation and Training—End-user and IT support documentation and training are created and updated as
needed.

Example: Managing Changes to Custom Software

Summer Run Co. provides material-based solutions for electronic, acoustical, thermal, and coated metal
applications. IT has recently decided to significantly modify inventory management software, which is considered
a financially significant application. To do so, the company must rely on the only two developers on staff to
develop, test, and migrate the software to production.

Because Summer Run does not have an automated code promotion utility to control versions and migrations to
the production environment, the IT manager, James Robb, takes the following steps:

• Identifies and analyzes risk resulting from the required changes
• Assigns changes to developers so that each works on specific tasks only

• Assigns to the developer not working on a particular change the responsibility for testing the change and
migration to production
• Reviews any significant changes
• Locks versions following user acceptance testing to prohibit further change prior to release

Mr. Robb also relies on these manual controls to manage the code version and migration:

• Creating a manual log listing the version of the code copied to the development environment, along with date
and time, and manually tracking the migration to test and then to production.
• Separating the review of all version control procedures prior to moving the code to production from those
performed by the individual responsible for the IT functions.

Example: Varying Control Activities in an SDLC Based on Risk

The multi-billion-dollar telecommunications organization, Brassen Systems, uses an SDLC to update and
maintain more than 200 applications. The changes vary from large and complex development initiatives to
simple report changes. Brassen seeks to match the degree and rigor of control activities to the range of risks of
these changes.

The organization assigns the level of risk to one of four categories based on several factors, including the length,
level of effort, possible risks to financial processing and control activities, and complexity of the change. Level 1
changes (the most risky) are required to go through twenty quality gates, or control points, before
implementation, while Level 4 changes (the least risky) are required to go through only ten gates. All changes
that may affect financial processing and control activities are required to be reviewed by someone in the finance
department before being implemented.

Deploys through Policies and Procedures

Principle 12. The organization deploys control activities through policies that establish what is expected and
procedures that put policies into action.

Points of Focus

The following points of focus highlight important characteristics relating to this principle:

• Establishes Policies and Procedures to Support Deployment of Management's Directives—Management
establishes control activities that are built into business processes and employees' day-to-day activities through
policies establishing what is expected and relevant procedures specifying actions.
• Establishes Responsibility and Accountability for Executing Policies and Procedures—Management
establishes responsibility and accountability for control activities with management (or other designated
personnel) of the business unit or function in which the relevant risks reside.

 Performs in a Timely Manner—Responsible personnel perform control activities in a timely manner as defined
by the policies and procedures.
 Takes Corrective Action—Responsible personnel investigate and act on matters identified as a result of
executing control activities.
 Performs Using Competent Personnel—Competent personnel with sufficient authority perform control
activities with diligence and continuing focus.
 Reassesses Policies and Procedures—Management periodically reviews control activities to determine their
continued relevance and refreshes them when necessary.

Approaches for Applying the Principle

Approach: Developing and Documenting Policies and Procedures

Management develops and documents policies and procedures for all significant external financial reporting-
related control activities. Procedures are documented using various formats, such as narratives, flowcharts, and
control matrices. Management develops a standardized format for policies and procedures, which may include:

 Reasons for the policy and procedure, including the risks to the achievement of management's objectives
 Locations, units, and processes to which the policy and procedure applies
 Roles and responsibilities for owning, creating, implementing, executing, and maintaining the policy and
procedure
 Matters covered by the policy and procedure, including corrective action to be taken as part of performing the
control activity
 Escalation procedures for policy exceptions
 Cross-references between associated policies and procedures
 Required competency of personnel performing procedures
 Required timeframe for performing procedures
 Review date

Example: Using Templates to Document Policies

Greyson Gas, a natural gas utility, uses a standardized template to format its policies. Its loss contingencies
policy helps ensure that transactions are recorded as necessary to permit preparation of financial statements in
accordance with generally accepted accounting principles. The policy includes the following sections:

 Purpose—This policy establishes criteria that are to be used to determine if a loss contingency should be
recorded in the financial statements.

 Location and Applicability—This policy applies worldwide to any unit of any company owned fully or partially,
either directly or indirectly through a subsidiary, by the company, whether consolidated or accounted for by the
equity method.
 Key Provisions—A definition stating what constitutes a contingency is included and related accounting model is
described.
 Roles and Responsibilities—Descriptions are provided for everyone involved in the loss contingencies
identification, accounting, and disclosure process including the timeframe for completion. This includes each
location's senior financial executive notifying the group's senior financial executive and the corporate controller
of the existence of an actual or potential loss contingency, including the facts and circumstances giving rise to
the possible loss and the estimated amount of such loss. Existing actual and potential loss contingencies are
reviewed and evaluated on an ongoing basis (not less than once each calendar quarter) by each location's
senior financial executive. As a part of this review, the current status, including revised estimates for each loss
contingency, is reported to the corporate controller. Information required for the disclosure of loss contingencies
is provided to the corporate office by location in quarterly financial/legal reporting in a prescribed template. The
template is updated, as necessary, through and including the date of the related public filing.
 Escalation Procedure for Exceptions—All instances of identified non-compliance with accounting policy must be
referred to the corporate controller and the appropriate business unit CFO. All accounting policy exception
requests must be referred to the appropriate business unit CFO for preliminary approval, and then submitted to
the corporate controller for final approval.
 Review Date—The policy is reviewed every two years or when circumstances change for compliance with
certain criteria, such as legal and regulatory requirements; applicable rules and regulations; relevance; and
appropriateness in supporting business objectives.

A record of all accounting policy changes, additions, and retirements is maintained, which includes revision
number and date, effective date, a brief description of the changes made, and the person who approved the
change.

Example: Establishing Policies and Procedures

A national trade association establishes a policy that all payments must be appropriately authorized before cash
is remitted. It uses an authorization approval matrix for expenditures.

The board of directors reviews and approves the annual budget, over and above the required approval provided
by the CEO. Authorization to incur liabilities on behalf of the trade association is limited if they fall outside of the
amounts approved in the budgeting process for normal operations. The limits are:

 Board of directors: $50,000 or more
 CEO: Up to $50,000
 Vice-presidents: Up to $10,000
 Staff directors and managers: Up to $2,500
 Supervisors: Up to $500

Siobhan O'Reily, the association CEO, must review and approve in writing any capitalized purchases above
$10,000. A purchase order must be prepared for all purchases, and every disbursement of funds requires the
receipt of an invoice. This policy does not apply to the purchase of association investments, which are
authorized by the board of directors through its corporate investment policy.

Ms. O'Reily reviews all purchase orders for more than $10,000 for appropriateness. She compares the amounts
to budget, and if she uncovers a discrepancy, she sends the purchase order back for investigation and follow-up.

Example: Establishing Responsibilities for Reviewing Financial Statements

Good Chip Company, a public company in the US that manufactures microchips, issues interim and annual
financial statements. As part of the entity's policies and procedures relating to its financial reporting process,
responsibilities for reviewing the financial statements are established. Abby Champion, chief financial officer,
Alex Pender, controller, and the disclosure compliance committee have separate responsibilities for reviewing
draft financial statements before issuance.

Mr. Pender is responsible for reviewing initial draft financial statements (initial draft) along with the corporate
financial reporting package, which was prepared by Jayden Roberts, director of financial reporting with input
from Jack Jones, director of tax. Mr. Pender's responsibilities include:

 Reviewing reconciliations to trial balances, other accounting records, and analyses to ascertain that the initial
draft has been prepared in accordance with policies set forth in the corporate financial reporting manual
 Reviewing the completed financial reporting checklist (which is periodically updated for changes in financial
reporting rules and standards) to ascertain that material presentations and disclosures have been prepared in
accordance with Generally Accepted Accounting Principles
 Reviewing internal financial reports prepared by controllers of operating units that are expected to identify any
material (or unusual) transactions and events that require judgment in presentation and disclosure (For these
transactions or events, Mr. Pender inquires of controllers and/or examines supporting records and analyses to
concur or challenge the proposed presentation and disclosure.)
 Reviewing comments on initial draft provided by operating unit managers, treasurer, director of tax, and others
to identify any other financial reporting matters that require resolution
 Completing his review, updating initial draft, and submitting the final draft and summary of any matters, which
require resolution by senior management, to both Ms. Champion and the disclosure compliance committee

Ms. Champion is responsible for reviewing the final draft and summary of matters that require resolution. Her
responsibilities are:

 Asking Mr. Pender about the results of his review procedures and summary of matters requiring resolution of
senior management
 Reading the final draft to identify any potential material misstatement (or omission) in presentations and
disclosures of business conditions, significant transactions, and events
 Evaluating proposed resolutions of specific presentation and disclosure matters and considering which issues to
escalate for discussion and concurrence by the disclosure compliance committee
 Approving the financial statements following completion of review by the disclosure compliance committee
 Presenting financial statements and summary results of significant accounting and financial reporting matters to
the chief executive officer and audit committee for their review and approval

The disclosure compliance committee comprises the chief operating officer, chief financial officer, chief
compliance officer, chief audit executive, vice-president of research and development, vice-president of supply
chain, controller, vice-president of tax, and general counsel. The committee members review the final draft.
Responsibilities of committee members are:

 Inquiring about the results of both Ms. Champion's and Mr. Pender's review procedures
 Reviewing all information to be published and its draft wording
 Concurring with proposed resolutions of specific presentation and disclosure matters or remanding matters to
functional management for further research and recommendation for resolution
 Overseeing disclosure procedures and coordinating disclosures to external parties (shareholders, market
authorities, investors, the press, etc.)
 Informing the chief executive officer and chief financial officer of any changes, deficiencies, or material
weaknesses pointed out by the disclosure compliance committee

Example: Reassessing Policies and Procedures for Revenue Recognition

A large multinational software provider revised its revenue recognition policy because lucrative sales
commissions created a risk that sales personnel would record software orders improperly. Depending on the nature of
the software sale, there are different commissions paid to sales personnel. Also, depending on product code,
there are different revenue recognition requirements; some products require revenue recognition at the time of
sale whereas others require revenue to be recognized over time. Sales personnel occasionally record sales
under the wrong product codes, which leads to inappropriate recognition of revenue and sales commissions.

The CEO and CFO approved modifications to the company's revenue recognition policy and related approval
matrix that requires all significant software contracts be reviewed by the CFO and other finance personnel before
software revenue and sales commissions are recognized. In addition, finance, legal, and sales personnel
collaborated in establishing standard contractual terms and conditions that would result in proper recognition of
revenue and commissions, and identifying variances from such standards that would require review and
approval by the CFO and/or other finance personnel with appropriate technical competencies in applying the
company's revenue recognition policy.

In addition, the CFO, sales executives, and legal staff meet annually with sales personnel to review the
company's policies, its standard and non-standard contractual terms and conditions, its historical revenue
recognition issues, and any specific commercial arrangements to avoid. All subsidiary sales and finance
personnel attend annual training that focuses on how to comply with local laws and regulations and with the
company's revenue recognition policies and procedures.

Example: Reviewing Cost Overruns by Competent Personnel

The CFO of Boxtop Construction, Suri Navrat, evaluates the process and control activities for assessing cost
overruns. She determines that the project manager, George Whitfield, is critical to the process because he is
skilled in understanding client needs and project requirements and in analyzing the effects of the alternatives on
the project costs and schedule, and, ultimately, the revenues over the project's lifetime.

Mr. Whitfield periodically reviews actual costs incurred for a long-term project, ensuring they are accurate, that
indirect costs are appropriately allocated, and that change orders and potential cost overruns do not exceed the
authorized funding. If any variances from the cost baseline appear, he promptly investigates them and excludes
incorrect or inappropriate changes from the reported cost or resource usage, which is used as the basis for
revenue recognition for the period. He also reviews the estimated costs for reasonableness, taking into account
the actual stage of construction at the end of the reporting period.

Example: Performing Control Activities in a Timely Manner

A large for-profit educational institution, Learn Now College, promptly deactivates or removes access rights to
the general ledger from employees who no longer require them. Several steps are followed in this process:

 When an employee is terminated or transferred, a Termination Personnel Action Form/Employee Clearance
Form is completed. This form includes a security section, which is completed by someone in the finance
department. This section indicates that an information systems change order has been submitted to delete
system access permissions for a particular employee.
 The IT group sends a confirmation to the finance department and human resources when the change order is
completed.
 The human resources department maintains a list of open change orders that is reviewed daily for receipt of the
confirmation from the IT department. If confirmation is not received within twenty-four hours, a human resources
representative follows up with the IT group until the request is processed.
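A daily reconciliation that automates the human resources follow-up in the Learn Now College steps, added here as an illustration and not part of the COSO guidance or the college's own procedure: it compares the HR termination feed against the accounts still enabled in the general ledger application and the IT change-order queue, and flags every account whose removal is missing, pending longer than twenty-four hours, or reported complete by IT while the account is still enabled. The feed formats, field names, finding labels and every record below are constructed for this example.

```python
"""Added example, not from the COSO guidance: reconcile HR terminations,
enabled GL accounts and the IT change-order queue to find deprovisioning
that is missing, late, or confirmed but not actually done. All records
and field names are constructed."""
from datetime import datetime, timedelta

SLA = timedelta(hours=24)   # the twenty-four-hour follow-up expectation

# Constructed HR feed: user id -> termination or transfer time
TERMINATIONS = {
    "jdoe": datetime(2022, 2, 20, 17, 0),
    "asmith": datetime(2022, 2, 22, 9, 0),
    "bwong": datetime(2022, 2, 18, 12, 0),
    "dlee": datetime(2022, 2, 21, 8, 0),
}
# Constructed export of user ids still enabled in the GL application
ACTIVE_GL_ACCOUNTS = {"jdoe", "bwong", "dlee", "ckim"}
# Constructed IT change-order queue: user id -> (submitted, completed or None)
CHANGE_ORDERS = {
    "jdoe": (datetime(2022, 2, 20, 17, 30), None),
    "asmith": (datetime(2022, 2, 22, 9, 10), datetime(2022, 2, 22, 11, 0)),
    "dlee": (datetime(2022, 2, 21, 8, 15), datetime(2022, 2, 21, 10, 0)),
}


def deprovisioning_findings(now, terminations, active_accounts, change_orders, sla=SLA):
    """Return sorted (user, finding) pairs for terminated users whose GL
    access was not removed the way the procedure requires."""
    findings = []
    for user, left_at in terminations.items():
        still_active = user in active_accounts
        order = change_orders.get(user)
        if order is None:
            # The clearance form says a change order was raised; none exists
            # and the account is still live.
            if still_active:
                findings.append((user, "no_change_order_submitted"))
            continue
        submitted, completed = order
        if completed is None:
            # Open order: escalate once it has been pending longer than the SLA.
            if now - submitted > sla:
                findings.append((user, "open_past_24h"))
        elif still_active:
            # IT confirmed completion but the account is still enabled:
            # the confirmation does not match the system state.
            findings.append((user, "confirmed_but_still_active"))
        elif completed - left_at > sla:
            # Removed, but later than the procedure allows.
            findings.append((user, "completed_late"))
    return sorted(findings)


def run_daily_review():
    """The review as run on the morning of 23 February 2022 (constructed date)."""
    return deprovisioning_findings(datetime(2022, 2, 23, 10, 0),
                                   TERMINATIONS, ACTIVE_GL_ACCOUNTS, CHANGE_ORDERS)


if __name__ == "__main__":
    for user, finding in run_daily_review():
        print(f"{user}: {finding}")
```

The third finding type is the one a confirmation-only process misses: HR sees IT's completion notice and closes the item, but the account is still enabled. Checking the application's own account export, rather than the confirmation, is what makes the control evidence verifiable.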

Example: Taking Corrective Action

As part of the business performance review process, management of White and Stack Co. reviews the results of
its business unit, comparing the actual results for the current three-month period with budgets and prior period
actual results. The management team notes any significant shortfall in current results compared with the
budget, and whether any performance-based bonus accrual exists that would be paid out when actual performance
exceeds budgeted results. Management follows up on the results of its top-level review, identifying any
overstatement in bonus accrual.20 Corrective action is taken as necessary by adjusting the amount recorded for
bonus payouts.

Approach: Deploying Control Activities through Business Unit or Functional Leaders

Business unit or functional leaders deploy control activities in their areas of responsibility by building the policies
and procedures into their organization's day-to-day activities. In some cases, a centralized control function or
team works with the business unit or functional leaders to help deploy policies and procedures consistently
across the organization. The policies and procedures are communicated in various ways, including running
training programs, holding meetings, and distributing formal and informal documentation.

Example: Deploying Control Activities through a Central Control Function

A federal agency has identified its most significant financial reporting risk as the misclassification of expenditures
as capital or expense. As a result, the agency director has mandated far-reaching organizational changes in
procedures and control activities.

Budget formulation and execution processes and structures have been redesigned centrally to identify and
distinctly categorize funds for capital projects. These have been distributed to individual departments by the
financial planning and budgeting group. The standard contract has also been modified to require purchased
capital items to be separately identified for each project (by budgetary funding code) and to not include items for
any other projects.

The agency has instituted new policies, mandatory annual training, weekly reviews of pending contract actions,
and monthly reviews of expenditures to ensure program compliance. The efforts have dramatically reduced
misclassifications and overcome audit qualifications for plant, property, and equipment reporting.

Approach: Conducting Regular and Ad Hoc Assessments of Control Activities

On a regular basis, or when changes are made to financially significant processes and systems, control activity
owners in conjunction with financial reporting and control experts review control activity documentation for
continued relevance. Changes are made when redundant, obsolete, or ineffective control activities are found.21

Example: Regularly Assessing Policies and Procedures

Central Community Bank maintains a policy checklist on its intranet. The checklist references all the pertinent
company policies and management's last review date, next review date, and board of director review and
approval as applicable. The policies and procedures are reviewed annually or more frequently if necessary, in
response to changes in underlying business processes. The internal audit department assesses compliance with
company policy and procedures in conjunction with its internal audit reviews.

Example: Assessing Control Activities on an Ad Hoc Basis

Following a finance effectiveness review, Cymbol Creative, a global paper products manufacturer, reduced the
number of its business unit accounting groups from six to four, combining accounting for related business
operations under one CFO. Following the reorganization, the company reassessed and, in certain instances
modified, its control activity policies and procedures to reflect the new organizational structure.

Footnotes

16 Note that this is an illustrative matrix and flowchart and does not represent a complete list of all financial
risks and control activities in a typical purchasing and payables process.

17 An independent auditor's report on the design and operating effectiveness of controls at a service
organization

18 This example is likely to be most relevant for smaller entities or the smaller sub-units of larger
entities.

19 Note that not all these control activities are technology general controls only. The first and last bullets
could be considered business process-level controls; however the entire list is included to illustrate a
more complete consideration of spreadsheets.

20 Investigation of the root cause of why the overstatement occurred is discussed in Chapter 6, Monitoring
Activities.

21 This approach applies to changes that are not significant enough to go back through the risk
assessment process.

5. Information and Communication

Chapter Summary

Information is necessary for the entity to carry out internal control responsibilities to support the achievement of
its objectives. Management obtains or generates and uses relevant and quality information from both internal
and external sources to support the functioning of internal control. Communication is the continual, iterative
process of providing, sharing, and obtaining necessary information. Internal communication is the means by
which information is disseminated throughout the organization, flowing up, down, and across the entity. It
enables personnel to receive a clear message from senior management that control responsibilities must be
taken seriously. External communication is twofold: it enables inbound communication of relevant external
information and provides information to external parties in response to requirements and expectations.

Principles relating to the Information and Communication component

13. The organization obtains or generates and uses relevant, quality information to support the functioning of
internal control.

14. The organization internally communicates information, including objectives and responsibilities for internal
control, necessary to support the functioning of internal control.

15. The organization communicates with external parties regarding matters affecting the functioning of internal
control.

Principles and Approaches

13. The organization obtains or generates and uses relevant, quality information to support the functioning of
internal control.
 Creating an Inventory of Information Requirements
 Obtaining Information from External Sources
 Obtaining Information from Non-Finance Management
 Creating and Maintaining Information Repositories
 Using an Application to Process Data into Information
 Enhancing Information Quality through a Data Governance Program
 Identifying, Securing, and Retaining Financial Data and Information

14. The organization internally communicates information, including objectives and responsibilities for internal
control, necessary to support the functioning of internal control.
 Communicating Information Regarding External Financial Reporting Objectives and Internal Control
 Communicating Internal Control Responsibilities
 Developing Guidelines for Communication to the Board of Directors
 Reviewing Financial and Internal Control Information with the Board of Directors
 Communicating a Whistle-Blower Program to Company Personnel
 Communicating through Alternative Reporting Channels
 Establishing Cross-Functional and Multi-directional Internal Control Communication Processes and Forums

15. The organization communicates with external parties regarding matters affecting the functioning of internal
control.
 Communicating Information to Relevant External Parties
 Obtaining Information from Outside Sources
 Surveying External Parties
 Communicating the Whistle-Blower Program to Outside Parties
 Reviewing External Audit Communications

Uses Relevant Information

Principle 13. The organization obtains or generates and uses relevant, quality information to support the
functioning of internal control.

Points of Focus

The following points of focus highlight important characteristics relating to this principle:

 Identifies Information Requirements—A process is in place to identify the information required and expected
to support the functioning of internal control and the achievement of the entity's objectives.
 Captures Internal and External Sources of Data—Information systems capture internal and external sources
of data.

 Processes Relevant Data into Information—Information systems process and transform relevant data into
information.
 Maintains Quality throughout Processing—Information systems produce information that is timely, current,
accurate, complete, accessible, protected, verifiable, and retained. Information is reviewed to assess its
relevance in supporting the internal control components.
 Considers Costs and Benefits—The nature, quantity, and precision of information communicated are
commensurate with and support the achievement of objectives.

Approaches and Examples for Applying the Principle

Approach: Creating an Inventory of Information Requirements

Extensive information is available to management and comes from a wide variety of sources. For information to
be relevant, it must be directly aligned to management's needs and responsibilities for overseeing external
financial reporting and monitoring the internal control system. A process for identifying information requirements
and building an inventory enables management to focus attention on information that directly supports its needs.

To achieve this, financial management defines common categories and types of information that are aligned to
external financial reporting objectives and related risks as specified by management. From these categories,
financial management identifies relevant information from both internal and external sources that are best suited
to management's needs. Financial management creates an inventory of information and maps each item to one
or more members of management that have a role in external financial reporting. This inventory is then used to
assign responsibility to personnel for gathering the required information.

The following diagram illustrates key categories and types of information senior management may require in
support of external financial reporting objectives:

Example: Evaluating Business Activities to Identify Information Requirements

Over the past year, a network of healthcare providers, NetHealth, has experienced significant growth in the
number of patient visits. This has created challenges at the medical offices in capturing adequate information for
the central processing group. The central processing group relies on adequate information to track and record
information on patient visits, which in turn is used to update insurance reimbursement limits and to bill patients
and insurance companies.

The management organization overseeing NetHealth recognizes that timely, relevant information is needed to
support control activities and keep each physician office in the network up-to-date on patient activities, insurance
arrangements, and billing and collection activities. Consequently, the COO has hired an advisor to interview
members of the central processing group, receptionists, nurses, doctors, and others who work in physicians'
offices across the network. From these interviews, the advisor provided the following:

 Summary of the end-to-end activities of typical patient visits
 Identification of the information requirements to be gathered during each visit
 Definition of roles and responsibilities for information gathering to allow the central processing group to update
patient records and process bills accurately and in a more timely fashion
 Identification of data flow challenges that were impacting financial transaction processing and control activities

Management is now developing guidelines for gathering information during patient visits. To reduce the costs of
distributing the guidelines to each office in the network, the IT manager is building a section on the network's
website where the guidelines will be available and where updates and comments can be posted.

Example: Maintaining Data Flow Diagrams, Flowcharts, Narratives, and Procedures Manuals
The management at Rahmany Marine Group has effectively adopted the use of narratives, flowcharts, data flow
diagrams, and procedures manuals to document the end-to-end process flows that support the corporate internal
control and financial reporting. These documents are produced so that information about these processes can
be easily understood by users throughout the company, including the IT team, finance and accounting
specialists, systems developers, support personnel, and auditors. This documentation allows these personnel
and other users to identify the source of data, responsible personnel, storage locations, source systems,
relevant transformation processes and quality checks, and the primary users.

The data flow diagram below illustrates part of the company's purchasing cycle. (Note: The following data flow
diagram does not depict a complete account of all the information needs for the example. It does depict the flow
of information at a high level, but keep in mind that additional detailed specifics would be included in
corresponding narratives, or additional flow diagrams or flowcharts would show a level deeper.)

Approach: Obtaining Information from External Sources

Finance personnel often rely on publications, events, and other information from external parties to gather
information relevant to performing their responsibilities. The sources of data and information vary depending on
the specific role and responsibilities of the individual. Sources of information may include:

 Subscriptions to industry publications and regulatory updates
 Participation in industry conferences, trade shows, and other events
 Regular communications, both verbal and electronic, with suppliers, customers, or third-party service providers
 Membership and participation in relevant organizations

 Subscription to third-party mailing lists and social media feeds (e.g., podcasts and blogs) that pertain to the
industry and company
 Industry research reports
 Peer industry calls and financial filings

Finance personnel evaluate the external information gathered and incorporate significant events, trends, and
changes into their day-to-day financial reporting or related internal control responsibilities. In addition, finance
personnel ensure that any announcements about changes to current accounting standards or regulatory
requirements are summarized, reviewed, and disseminated to the others within the external financial reporting
organization.

Example: Gathering Information from External Sources

J.J. Power Utility Corp. offers a learning and development program that includes guidelines and funding for
finance and accounting personnel to attend external training and conferences. These activities help employees
achieve their ongoing professional educational requirements, maintain their relevant certifications, and develop
new skills. The external training also provides information about new or changed accounting, disclosure, and
internal control requirements, as well as best practices important to J.J. Power Utility's business. To supplement
the external training sessions, finance and accounting personnel also subscribe to relevant accounting
publications.

Accounting and finance personnel meet regularly with the internal audit department to review and update
internal accounting and control policies and procedures based on the information gathered. In addition, they
meet with the CFO to pass on any new information and to discuss the impact on financial reporting and policies
and procedures. Accounting and finance managers update policies and procedures to reflect the impact of the
new information.

Example: Capturing Information through Electronic Data Interchange

Mandela & Co., a distributor of electronics products, engages in tens of thousands of high-volume, low-dollar
transactions with customers and suppliers. Historically, sales orders and invoices for purchasing transactions
have been entered and validated through a combination of manual and semi-automated processes.

To reduce time, costs, and errors caused by human intervention, management has implemented electronic data
interchange (EDI) to replace the original process. Relevant information about key business transactions is now
automatically populated into the company's ERP system, and automated validation checks are in place to
confirm that information is transmitted completely and accurately. The information generated through the
EDI process is also available to production managers, order management, and billing personnel, which allows
them to perform control activities to support proper end-to-end transaction processing, including creating the
corresponding accounting entries.
Approach: Obtaining Information from Non-Finance Management

External financial reporting objectives are impacted by non-financial activities that occur throughout the
business. Information about new events, changes, or significant trends is needed to support accounting,
disclosure, and internal control activities. Therefore, senior accounting and finance personnel meet at least
monthly with management and personnel in other areas of the business—such as operations, human resources,
compliance, and product development. During these meetings, information is gathered verbally and in writing on
business events and trends. Topics may include:

 New or lost significant customers, suppliers, or other stakeholders
 Rate and impact of employee turnover
 Unexpected trends, whether negative or positive
 Indications of unethical or improper behavior
 Budget versus actual and forecast expectations
 Contractual, compliance, or regulatory issues
 Customer or supplier complaints
 Findings from internal audit reports

Accounting and finance personnel summarize the information gathered and meet with the appropriate member
of senior management to evaluate the impact on the financial statements, internal control effectiveness, or
changes needed to policies and procedures.

Example: Conducting Quarterly Interviews of Operations and Other Management

Juan Fernandez is the chief accounting officer of Friesens Fresh Foods, a perishable food supplier. He
is responsible for evaluating inventory reserve balances as part of the monthly close process.

Significant changes in purchase commitments, inventory usage trends, product configuration preferences, and
cycle count results have impacted the judgments and estimates made in applying the inventory reserves
policies. Consequently, Mr. Fernandez now obtains and reviews reports from the company's ERP system to
identify unusual or unexpected trends, changes in balances or volumes of transactions, and other relevant
details. He then meets monthly with department heads of customer service, procurement, inventory
management, and logistics (who oversee third-party warehouses) to collect additional information about
customers, products, inventory, and balances.

Based on these meetings, Mr. Fernandez reviews inventory reserve policies, documents key data points that
impact prior estimates, and prepares an updated analysis supporting inventory reserve requirements. The CFO
of Friesens then reviews and approves the analysis as part of her review of the related journal entries during the
month-end closing cycle.

Example: Obtaining Operating Information for Financial Reporting

Laccona Electronics, a manufacturer of electrical equipment and components, is responsible for complying with
environmental regulations associated with the company's manufacturing processes, including handling raw
materials and operating production plants. Laccona's customer contracts include provisions for monetary
damages in cases where products are determined to be unsatisfactory as a result of compliance audits
performed by environmental agencies. In addition, if the audits are unsatisfactory—that is, they indicate any non-
compliance with regulations—Laccona may incur significant fines.

Arlene Gomez, the company controller, obtains monthly reports on operational and compliance metrics from the
chief operating officer. In addition, she reviews periodic internal audit reports on the company's adherence to
policies and procedures related to environmental compliance. She uses this information to assess reserve
requirements or disclosures associated with damages provisions. Finally, she summarizes relevant information
and meets with the CFO quarterly to determine whether changes in accounting estimates and financial
statement disclosures are needed.

Approach: Creating and Maintaining Information Repositories

Senior management establishes a policy for handling information that is gathered, produced, and shared
throughout the company. The policy is designed to facilitate the efficient capture, use, and reuse of relevant
information supplied to management and personnel across the company.

Management and employees in external financial reporting roles follow procedures for identifying and
categorizing information. These procedures require that attributes about each piece of information be recorded
before the information is accepted into the repository. The attributes may include:

 Information owner
 Expected users
 Sources (including systems and people)
 Criticality
 Frequency
 Process supported
 Retention period

The information repositories are subject to control activities that help ensure the completeness, accuracy,
security, validity, and lack of redundancy of the information.

Example: Using a Data Warehouse to Facilitate Access to Information

International Food Distributors has recently completed an enterprise-reporting project to identify and inventory
information used across the company for external financial reporting and related internal control. The results of
the project were used by the chief information officer and chief financial officer to design a company-wide data
warehouse and reporting tools that would support a single source for financially relevant information.

 The first phase of the project involved creating an inventory of the existing reports identifying relevant sources
and eliminating non-critical and redundant reports.
 The second phase involved designing and implementing the functional and technical capabilities needed to
capture and store data used to generate relevant information. This includes the consideration of automated
control activities around completeness, accuracy, restricted access, and validity of the data and information
generated.
 The third phase involved training end users on techniques for effective input and extraction of information and
reports from the data warehouse using reporting tools.
 The final phase involved designing and implementing operating procedures and control activities over the data
warehouse and reporting tools to ensure the completeness, accuracy, restricted access, and validity of the data
and information input and reports generated.

As a result of the project, International Food Distributors has a well-defined inventory of reports, improved data,
and a more efficient process for capturing and using information for external financial reporting.

Approach: Using an Application to Process Data into Information

Management designs its computer applications to capture data from internal and external sources, transform the
data into information, and maintain the quality of the data and information throughout processing and reporting.
The activities relating to capturing and processing data about financial transactions (e.g., initiate/enter, authorize,
record, process, and report) are documented in company policies and procedures manuals. The application
design includes automated application controls, such as input checks for existence and validity and output
checks for completeness and accuracy, and is supported by information technology general controls.

Example: Data Capture and Processing for the Purchasing and Payables Cycle

Insight Media, Inc., a publishing company, recently implemented the purchasing and payables module of its
existing ERP system. The key goals were to improve data quality, reduce manual handoffs through automation,
and improve information flow and visibility into purchasing transactions.

The implementation project team was led by the controller, who was supported by employees involved in the
purchase to payables process. Workshops were held to confirm the current end-to-end process and identify
important information about sources of transactions, key data requirements, risks to financial reporting, and
information required for accounting and reporting. The project team used the results from these workshops to
review the ERP module's capabilities for automating tasks and controls such as:

 Checking that data input was valid, complete, and accurate to electronic sources
 Passing data between the related transactions to minimize data entry and improve data consistency
 Automatically recording the accounting transaction upon data input
 Automatically reconciling the payables subsidiary ledger to the general ledger
 Generating exception and analytical reports

As a result of the implementation, management of Insight Media gained access to more accurate, complete, and
timely information to perform internal controls over the evaluation of accounting entries and disclosures for
accounts payable and accrued expense balances, purchasing commitments, and expected cash balances.

The following flowchart was created as a result of the above procedures and assisted management in identifying
the relevant information.

Approach: Enhancing Information Quality through a Data Governance Program

Senior management establishes a data governance program to support the company's objectives of ensuring
reliability of information used in support of internal controls and external financial reporting. Senior management
formalizes policies, procedures, and responsibilities for data and information management considering the
volume, complexity, and demand for rapid capture and dissemination from multiple sources. The data
governance program includes policies and procedures for:

 Assigning roles and responsibilities between a central data management group, business functions, and IT
 Validating sources of information
 Establishing data-quality requirements before accepting sources into the information system
 Access rights to underlying data and related information produced through processing
 Protecting data during transmission and storage

Example: Validating Data and Information

RightChoice Pharmacy, Inc., a national drugstore chain, obtains significant data underlying transactions
recorded in point-of-sale systems located at each retail store. Data underlying credit card transactions is sent
immediately to the credit card company and to RightChoice's internal data warehouse. Daily reports are
produced from the data warehouse and used to prepare reconciliations of payments due from the credit card
companies.

The chief information officer and the credit and collections manager have designed and implemented continuous
transaction monitoring software to support their data and information quality efforts. This software helps
management to verify accounts receivable balances each day and to avoid time-consuming month-end
reconciliations by quickly identifying data anomalies. Targeted data queries allow the software to identify
duplicate entries, unusual transactions, missing data, and incomplete data transfers. Additionally, continuous
monitoring software enables data analysis used to support control activities to detect potential indicators of
fraud.
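The checks described in this example (duplicate entries, missing data, incomplete transfers, and the daily reconciliation of payments due from the card companies), together with the automated completeness and accuracy checks on the EDI feed in the Mandela & Co. example earlier, are shown below as an added worked example. It is not code from the COSO document or from any company it describes. It assumes a hypothetical layout in which each store batch carries a header with a record count and a control total (the sum of amounts) and the card processor returns a daily settlement file keyed by transaction id; the review threshold and all sample data are constructed.

```python
"""Continuous monitoring of a day's card transactions from store POS systems.

Added example, not code from the COSO document or from any company it describes.
It assumes a hypothetical layout: each store batch carries a header with a record
count and a control total (sum of amounts), and the card processor returns a daily
settlement file keyed by transaction id. All sample data is constructed.
"""
from collections import Counter
from decimal import Decimal

REQUIRED_FIELDS = ("txn_id", "store", "amount", "card_last4", "auth_code")
UNUSUAL_AMOUNT = Decimal("500.00")   # assumed review threshold for a single sale


def check_transfer_complete(header, records):
    """Incomplete-transfer check: header record count and control total vs. what arrived."""
    received_total = sum(Decimal(r["amount"]) for r in records if r.get("amount"))
    findings = []
    if header["record_count"] != len(records):
        findings.append(f"record count: header {header['record_count']}, received {len(records)}")
    if Decimal(header["control_total"]) != received_total:
        findings.append(f"control total: header {header['control_total']}, received {received_total}")
    return findings


def find_duplicates(records):
    """Transaction ids that appear more than once in the batch."""
    counts = Counter(r.get("txn_id") for r in records)
    return sorted(t for t, n in counts.items() if t and n > 1)


def find_incomplete(records):
    """Records with a required field missing or empty."""
    return [r.get("txn_id") or "<no id>" for r in records
            if any(not r.get(f) for f in REQUIRED_FIELDS)]


def find_unusual(records):
    """Non-positive amounts or amounts above the review threshold."""
    flagged = set()
    for r in records:
        if r.get("amount") and r.get("txn_id"):
            amount = Decimal(r["amount"])
            if amount <= 0 or amount > UNUSUAL_AMOUNT:
                flagged.add(r["txn_id"])
    return sorted(flagged)


def reconcile_settlement(records, settlement):
    """Payments due from the card company: our card transactions vs. the processor's settlement."""
    ours = {r["txn_id"]: Decimal(r["amount"])
            for r in records if r.get("txn_id") and r.get("amount")}
    theirs = {s["txn_id"]: Decimal(s["amount"]) for s in settlement}
    return {
        "unsettled": sorted(set(ours) - set(theirs)),    # we recorded it, processor has not paid it
        "unknown": sorted(set(theirs) - set(ours)),      # processor paid something we never recorded
        "amount_mismatch": sorted(t for t in set(ours) & set(theirs) if ours[t] != theirs[t]),
        "due": sum(ours.values(), Decimal(0)),
        "settled": sum(theirs.values(), Decimal(0)),
    }


def monitor(header, records, settlement):
    """Run every check and return the day's findings."""
    return {
        "transfer": check_transfer_complete(header, records),
        "duplicates": find_duplicates(records),
        "incomplete": find_incomplete(records),
        "unusual": find_unusual(records),
        "reconciliation": reconcile_settlement(records, settlement),
    }


# Constructed sample: the header promised six records but five arrived (a 40.00 sale was lost),
# T002 was transmitted twice, T003 has no authorization code, T004 has not been settled,
# the processor settled T003 for a different amount and settled a T005 we never recorded.
SAMPLE_HEADER = {"store": "0012", "record_count": 6, "control_total": "1306.75"}
SAMPLE_RECORDS = [
    {"txn_id": "T001", "store": "0012", "amount": "23.50", "card_last4": "4242", "auth_code": "A1"},
    {"txn_id": "T002", "store": "0012", "amount": "610.00", "card_last4": "1111", "auth_code": "B2"},
    {"txn_id": "T002", "store": "0012", "amount": "610.00", "card_last4": "1111", "auth_code": "B2"},
    {"txn_id": "T003", "store": "0012", "amount": "15.25", "card_last4": "9999", "auth_code": ""},
    {"txn_id": "T004", "store": "0012", "amount": "8.00", "card_last4": "5555", "auth_code": "D4"},
]
SAMPLE_SETTLEMENT = [
    {"txn_id": "T001", "amount": "23.50"},
    {"txn_id": "T002", "amount": "610.00"},
    {"txn_id": "T003", "amount": "15.00"},
    {"txn_id": "T005", "amount": "9.99"},
]


def run_sample():
    return monitor(SAMPLE_HEADER, SAMPLE_RECORDS, SAMPLE_SETTLEMENT)


if __name__ == "__main__":
    from pprint import pprint
    pprint(run_sample())
```

The header-versus-received comparison is the control that catches a truncated transfer before anything is booked; the duplicate and settlement checks are what let an exception be raised the same day instead of at month-end, and an "unknown" settled transaction (paid by the processor, never recorded by the store) is the kind of item worth routing to the fraud indicators mentioned above.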

Approach: Identifying, Securing, and Retaining Financial Data and Information

Senior IT management establishes policies to define categories of data and assign requirements for securing
and retaining the data. These policies support management and employee responsibilities for securing
information from unauthorized access or change and for adhering to retention and data destruction
requirements. The senior data administrator develops processes and repositories to carry out the data
classification policy. Data classification requirements are communicated to personnel responsible for transaction
processing through periodic reminders on important internal control responsibilities. Important to this process is
considering the benefits and costs to manage and store information and the relative value of the information to
the entity.

Example: Identifying and Protecting Financial Data and Information

Bio-Adaptive, Inc., a global life science and chemical manufacturer, has developed standard operating
procedures to identify, classify, and secure sensitive information, including financial information, across the entity
and throughout the stages of the information life cycle (input, processing, output, storage). As part of these
procedures, personnel:

 Confirm adherence to standard operating procedures
 Identify financial data and information that requires restriction of access and retention in order to meet reporting
requirements
 Assign appropriate data security categories to sensitive financial data and information when input into the
information system
 Review automated application controls that support security, privacy, and storage of financial data and
information based on the data security category input
 Review periodically that sensitive financial data and information have been properly categorized

Example: Identifying and Classifying Data for Financial Reporting

Freedom Corp., a financial services firm, has a process to tag financial data during transaction processing based
on criteria established in the company's data classification policy. Business and IT personnel who are involved in
detailed transaction processing are trained in data entry to support accurate and complete classification, tagging,
storage, retention, and disposal.

This process reduces the time required to format, organize, and report data. It also enables the company to tag
data through eXtensible Business Reporting Language (XBRL). XBRL enables Freedom Corp. to meet certain
external financial reporting requirements and to perform comparative analyses to historical, competitor, and
projected financial data.
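The Bio-Adaptive procedures above (assigning a security category at input, automated controls driven by that category, and a periodic review that the categorization is still right) and the Freedom Corp. tagging process are shown together below as an added worked example; it is not code from the COSO document or from either company. It assumes a hypothetical three-level policy (internal, confidential, restricted), each level with a retention period and the viewer roles allowed to see clear text, classifies free-text fields by content using a Luhn check so that a card number typed into a notes field is caught, and records the owner and retention date that the repository approach earlier lists as attributes. The roles, field names, and sample records are constructed.

```python
"""Classifying and tagging financial records at input, and enforcing the tag on output.

Added example, not from the COSO document or from any company it describes. It
assumes a hypothetical three-level policy (internal / confidential / restricted),
each with a retention period and the viewer roles allowed to see clear text, and
detects card numbers that land in free-text fields with a Luhn check. Sample
records are constructed.
"""
import re
from datetime import date, timedelta

# Assumed classification policy.
POLICY = {
    "restricted":   {"retention_days": 7 * 365, "clear_roles": {"controller"}},
    "confidential": {"retention_days": 7 * 365, "clear_roles": {"controller", "ap_clerk"}},
    "internal":     {"retention_days": 3 * 365, "clear_roles": {"controller", "ap_clerk", "analyst"}},
}
RANK = {"internal": 0, "confidential": 1, "restricted": 2}
# Fields that are sensitive by definition (assumed); everything else is classified by content.
FIELD_CATEGORY = {"card_number": "restricted", "bank_account": "restricted",
                  "amount": "confidential", "vendor_id": "confidential"}
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")


def luhn_ok(text):
    """Luhn checksum over the digits in text (true for a plausible card number)."""
    digits = [int(c) for c in text if c.isdigit()]
    if len(digits) < 13:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def classify_field(name, value):
    """Category for one field: by field name first, then by content."""
    if name in FIELD_CATEGORY:
        return FIELD_CATEGORY[name]
    if isinstance(value, str) and any(luhn_ok(m.group()) for m in CARD_RE.finditer(value)):
        return "restricted"                 # a card number typed into a free-text field
    return "internal"


def tag_record(record, owner, entered_on):
    """Input control: tag every field, roll up to the record's highest category, set retention."""
    tags = {f: classify_field(f, v) for f, v in record.items()}
    category = max(tags.values(), key=RANK.__getitem__)
    return {"data": record, "tags": tags, "category": category, "owner": owner,
            "entered_on": entered_on,
            "retain_until": entered_on + timedelta(days=POLICY[category]["retention_days"])}


def mask(value):
    """Keep only the last four characters, as on a card receipt."""
    s = str(value)
    return "*" * (len(s) - 4) + s[-4:] if len(s) > 4 else "****"


def render_for_role(tagged, role):
    """Output control: clear text only where the role is allowed for that field's category."""
    return {f: v if role in POLICY[tagged["tags"][f]]["clear_roles"] else mask(v)
            for f, v in tagged["data"].items()}


def review_tags(stored, today):
    """Periodic review: re-classify stored records, report category drift and expired retention."""
    findings = []
    for t in stored:
        fresh = tag_record(t["data"], t["owner"], t["entered_on"])
        if fresh["category"] != t["category"]:
            findings.append((t["data"].get("doc_id"), "category drift", t["category"], fresh["category"]))
        if today > t["retain_until"]:
            findings.append((t["data"].get("doc_id"), "retention expired", str(t["retain_until"]), None))
    return findings


# Constructed samples. 4111 1111 1111 1111 is the standard Visa test number (Luhn-valid).
SAMPLE_INVOICE = {"doc_id": "INV-1001", "vendor_id": "V-77", "amount": "1250.00",
                  "notes": "paid by card 4111 1111 1111 1111"}
SAMPLE_PO = {"doc_id": "PO-2002", "vendor_id": "V-78", "amount": "99.00", "notes": "PO 4455"}


def demo():
    invoice = tag_record(SAMPLE_INVOICE, "ap-team", date(2022, 2, 1))
    old_po = tag_record(SAMPLE_PO, "ap-team", date(2010, 1, 1))
    stored = [invoice, dict(old_po, category="internal")]   # second record mis-tagged downstream
    return {"invoice": invoice,
            "analyst_view": render_for_role(invoice, "analyst"),
            "controller_view": render_for_role(invoice, "controller"),
            "review": review_tags(stored, date(2022, 2, 23))}


if __name__ == "__main__":
    from pprint import pprint
    pprint(demo())
```

Two design points worth noting: the record's category is the highest category of any field, so one card number in a notes field makes the whole record restricted, and the review re-runs the same classifier used at input, so a record whose stored tag has been lowered (or whose policy has since changed) shows up as drift rather than silently widening access.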

Communicates Internally

Principle 14. The organization internally communicates information, including objectives and responsibilities for
internal control, necessary to support the functioning of internal control.

Points of Focus

The following points of focus highlight important characteristics relating to this principle:

 Communicates Internal Control Information—A process is in place to communicate required information to
enable all personnel to understand and carry out their internal control responsibilities.
 Communicates with the Board of Directors—Communication exists between management and the board of
directors so that both have information needed to fulfill their roles with respect to the entity's objectives.
 Provides Separate Communication Lines—Separate communication channels, such as whistle-blower
hotlines, are in place and serve as fail-safe mechanisms to enable anonymous or confidential communication
when normal channels are inoperative or ineffective.
 Selects Relevant Method of Communication—The method of communication considers the timing, audience,
and nature of the information.

Approaches and Examples for Applying the Principle

Approach: Communicating Information Regarding External Financial Reporting Objectives and Internal
Control

Senior management communicates information about the company's financial reporting objectives, financial
control requirements, and internal control policies and procedures, and how they support individual
responsibilities through a variety of communication channels. The method of communication varies depending
on the audience; the nature of the information; time sensitivity, cost, legal, or regulatory requirements; and ability
to use technology solutions. Such mechanisms may include:

 Departmental vision and mission objective signposts in high-traffic areas or on the company's website
 Accounting and finance internal meetings or conferences to discuss internal control matters and accounting
policy changes
 Periodic employee surveys related to awareness and compliance to internal control policies and procedures
 An intranet site specific to internal control matters, including code of conduct, roles and responsibilities, policies,
procedures, and other relevant matters
 Regular organization-wide emails, newsletters, conference calls, webcasts, or meetings about updates on
internal control matters
 Senior finance and executive management visits to plants, sales offices, major customers, and other locations

Example: Using Communications Programs to Reinforce Internal Control

AtHome Corp. is a global home-building company. Both the CEO, Janis Wilcox, and the CFO, Terry Tomlinson,
use regular broadcast emails and personal visits to various company sites to communicate with finance,
accounting, and other personnel who impact internal control over external financial reporting.

Mr. Tomlinson uses these mechanisms to reinforce company expectations for adherence to internal control over
external financial reporting, laws, and regulations; the importance of the company's internal audit function; and
actions taken in response to internal audit findings and internal control recommendations from its external
auditors.

In turn, Ms. Wilcox finds the broadcast emails an effective means of sharing information about the company's
business objectives and goals, including a periodic update on progress toward those goals. She also visits the
various corporate sites and meets with employees and managers to ascertain how well they understand key
business and financial objectives relevant to their sites and to reinforce the messages about internal control from
Mr. Tomlinson. Presentation material and supporting information and intranet links are provided to the
participants to support these communications.

Example: Using an Internal Accounting and Finance Conference to Reinforce Policy Changes

NetComm, Inc., a broadband infrastructure company, holds a semi-annual meeting led by the CFO and
controller. The personnel from the finance department attend these meetings to obtain updated information on
significant new or changed matters that impact finance activities and financial results. Meeting topics routinely
include:

 Key objectives for the next six months
 Reinforcement of the company's policies related to ethics and integrity
 Expectations regarding recent findings from internal or external audits related to financial reporting and control
 Changes to the internal control structure
 Significant recent or anticipated events such as the sale of a business, acquisition of assets, restructuring of
operations, or introduction of a new product
 Changes to accounting policy and regulatory rules that would impact how the company processes its financial
transactions and produces its financial reports

Approach: Communicating Internal Control Responsibilities

Documentation on internal controls related to financially significant business processes and systems is stored in
a shared repository that is accessible to management and personnel who are responsible for external financial
reporting. This repository contains:

 Risk assessment documentation
 Business process documentation, including process flow diagrams and supporting narratives
 Internal controls identified by management based on risk assessments
 List of individual internal controls, including assignment responsibility for performance and review/approval to
specified employees and management

The internal audit department reviews the information in the repository as part of its ongoing and separate
evaluations. Updates to specific internal controls are communicated to both the control performer and reviewer
through email alerts with links to the repository.

Example: Using Governance, Risk, and Compliance Technology to Manage Internal Controls

A manufacturer of chemical and pharmaceutical products, Travis Pharma, has implemented a governance, risk,
and compliance technology solution. This provides the CFO, Frances VanWyck, with a reporting tool to support
her oversight of the system of internal control over external financial reporting. Information communicated
through the tool includes:

 External financial reporting objectives
 Related external financial reporting risks
 Internal controls
 Evaluation approaches for each control
 Responsibility for performance and review of each control
 Evaluation results and action plans to address deviations

The reporting tool also provides a personalized dashboard; workflow process (for performance or review, as
appropriate); reporting capabilities for more detailed status, issues, and trends; and other information to
understand and manage the individual's internal control responsibilities.

Approach: Developing Guidelines for Communication to the Board of Directors

The Board of Directors establishes a board charter that defines the guidelines for information to be shared with
the board of directors, responsibilities for communication, and the method of communication. The charter
specifies key guidelines, which may include:

 Frequency and number of board meetings, including committees of the board
 Objectives of each board or committee meeting (e.g., strategy reviews, annual budgets, and plan reviews)
 Nature and extent of information to be shared for each meeting
 Responsibility for preparing and approving minutes

Example: Facilitating Communication between Executive Management and the Board of Directors

Fred Cummins, the general counsel of a printing company, EasySigns, Inc., under the direction of the chair of
the board, is responsible for coordinating all meetings of the board of directors and board committees. He has
implemented a straightforward system to ensure timely and effective communication.

Mr. Cummins reviews the annual calendar of audit committee meetings and the general agenda for each
meeting. He develops specific topics for discussion for each meeting relevant to the company's external financial
reporting requirements and confirms the agenda details with the CFO, CAE, and audit committee chair. Based
on the detailed agenda, Mr. Cummins gathers relevant information to be included in the audit committee meeting
materials that are sent to members one week prior to the meeting. From time to time, he requests that members
of management attend meetings to present information in person and allow for active communication. For
example, the CIO presents on the company's security and privacy programs and new events that may impact
risks.

Mr. Cummins also meets with the chair of the audit committee on a periodic basis to communicate issues or
risks related to significant, time-sensitive transactions, or to update the audit committee chair on significant
issues, such as investigations of potential fraud.

Approach: Reviewing Financial and Internal Control Information with the Board of Directors

At designated board meetings the CFO and supporting personnel present financial information, provide an
analysis of the results compared with expectations, give updates on forecasts and major changes to original
budgets, and communicate other matters of significance to financial reporting.

On a regular basis, the CEO, CFO, and the chief audit executive (CAE) present the draft external financial
statements. Material events, changes in significant estimates, or assumptions and significant new disclosure
matters since the prior quarter are also presented and discussed. The external auditors attend these meetings to
present their point of view on the financial statements.

At each quarterly meeting, the CFO and the CAE present a summary of key changes in internal control, results
of evaluations, and actions in response to any deviations identified. Matters of significance are reported in
writing. The audit committee holds separate private sessions with management and the external auditors. These
sessions provide the audit committee and either management or the auditors with an opportunity to share
sensitive information and ask probing questions that facilitate each party's responsibilities related to internal
control.

Example: Preparing Financial and Internal Control Reporting Package for Discussion with the Board

The senior financial management at a privately held mining company, Precious Metals Corp., has developed a
financial and internal control reporting package for the board meeting. The package has been developed from
both quantitative and qualitative financial reporting and internal control information. It highlights financial and
internal control trends and internal control matters requiring the board's attention, such as significant, non-
recurring adjustments and internal control deficiencies by each financial statement line item for each of the last
four quarters. Other information in the package includes:

 Dollar impact of adjustments
 Estimated impact of deficiencies after considering compensating controls
 Brief description of severity of issues, business function, and processes impacted
 Management point of contact and action plan
 Changes in accounting policies
 New regulatory requirements
 Significant changes in financial statements and disclosures

The management team sends the package to the board in advance of the meeting to allow board members to
review and follow up with management in preparation of the meeting, if necessary.

Approach: Communicating a Whistle-Blower Program to Company Personnel

Management and the board establish a whistle-blower program for employees to use a hotline to communicate
concerns, instances of perceived misconduct, matters relating to external financial reporting, or other significant
matters that may impact internal control. To enhance employee awareness of the program, a number of
communication channels are used. These include postings in high-traffic areas in offices and periodic messages
from the director of human resources.

The program allows employees who report matters through the hotline to remain anonymous, and all
communication is completely confidential. Reported matters are evaluated by an objective party and
communicated to the board of directors or, where appropriate, a specified delegate (such as the audit committee
or internal audit).

Example: Employee Ethics Hotline

General Goods Packaging has established a toll-free hotline for employees to report misconduct. The hotline is
described in the employee handbook and on the company intranet. Information is also posted at various high-
traffic locations in the company's facilities, such as the cafeteria, coffee room, restrooms, and main entrance.

The hotline is administered by a third party. All matters received on the line are categorized, summarized, and
reported to a separate compliance department that reports to internal audit. The director of compliance then
reviews and prioritizes all reports.

Those matters of significance or heightened sensitivity are reported immediately to the chair of the audit
committee. Others are investigated based on their priority. The members of the executive management team
review the results of all investigations and recommend what actions should be taken.

Information about each reported matter, including evidence gathered, actions taken, and conclusions reached, is
documented in a separate, confidential section of the hotline system.

Approach: Communicating through Alternative Reporting Channels

Management provides an alternative to reporting to a line manager so that employees are confident that they will
be heard. Alternative reporting and communications channels may include:

 Mentoring programs to provide employees with a support structure beyond their direct line manager
 Town hall meetings where employees are encouraged to ask questions and discuss their concerns
 A staff council, comprising employees from various departments and from levels below manager, that meets
to discuss issues and relays comments and observations to management

Example: Establishing a Mentoring Program to Encourage Communicating with Management

Odette Group, a designer and distributor of sports apparel, has established a successful mentoring program for
its employees. Every employee is assigned an individual "coach," who is selected from management of a
different department. The employee and coach meet quarterly, or as needed, to discuss topics such as the
employee's long-term goals, areas of interest for growth and development, and results of periodic performance
reviews. At these meetings, coaches encourage employees to provide feedback on any issues or concerns for
which they did not see a clear communication channel.

As an added measure, all staff involved in the financial reporting process are assigned a mentor with financial
reporting and internal control experience. This provides an alternative to the employee's line supervisor for
discussing and reporting concerns on matters such as compensation, operations, or internal controls.

Approach: Establishing Cross-Functional and Multidirectional Internal Control Communication Processes
and Forums
Management from all departments develops cross-functional and departmental communication processes and
forums that enable personnel to communicate internal control matters across the entity. Representatives from
each department have defined roles and responsibilities for communicating internal control matters using these
processes and forums. The group meets periodically to discuss issues, trends, and upcoming events that impact
internal controls. Control matters and issues noted by a shared service center, business unit, or department are
communicated to the other departments and business units. Management and personnel in the departments and
business units evaluate and respond to the impact of these matters and issues.

Example: Establishing a Cross-Functional Internal Control Committee

Sea to Sky Telecommunications has established an internal control council comprising functional and IT
business process owners from each business unit, corporate accounting, shared service center, and internal
audit. The council meets monthly to define information that should be shared among business units and that
may impact company processes. Topics raised at these meetings include:

 Incidents of fraud in one department that may impact other departments
 Changes to systems that have a cross-functional impact on processes and controls
 Changes to regulations that impact how different departments exchange information
 Internal and external audit findings

The representatives on the council review all matters raised to consider how they impact the various
departments of Sea to Sky. Council members take turns recording the meeting proceedings, which are reviewed
by all council members and then shared with the CFO.

Communicates Externally

Principle 15. The organization communicates with external parties regarding matters affecting the functioning of
internal control.

Points of Focus

The following points of focus highlight important characteristics relating to this principle:

 Communicates to External Parties—Processes are in place to communicate relevant and timely information to
external parties, including shareholders, partners, owners, regulators, customers, financial analysts, and other
external parties.
 Enables Inbound Communications—Open communication channels allow input from customers, consumers,
suppliers, external auditors, regulators, financial analysts, and others, providing management and the board of
directors with relevant information.
 Communicates with the Board of Directors—Relevant information resulting from assessments conducted by
external parties is communicated to the board of directors.

 Provides Separate Communication Lines—Separate communications channels, such as whistle-blower
hotlines, are in place and serve as fail-safe mechanisms to enable anonymous or confidential communication
when normal channels are inoperative or ineffective.
 Selects Relevant Method of Communication—The method of communication considers the timing, audience,
nature of the communication, and legal, regulatory, and fiduciary requirements and expectations.

Approaches for Applying the Principle

Approach: Communicating Information to Relevant External Parties

Management considers all relevant external parties who have an interest in or who would be reasonably
expected to obtain information about the company's internal control over external financial reporting. The
company's disclosure committee (or similar group responsible for external communications) has established a
process to evaluate ongoing company events, policies, activities, and other matters that impact external parties
that are important to the company's external financial reporting objectives. The disclosure committee determines
the information that should be reported to external parties, as needed. Such information may include:

 Internal controls over transactions and balances that represent significant payables, receivables, or
commitments to external stakeholders
 Results of procedures for monitoring compliance with contractual commitments and related loss or damages
provisions
 Policies for protecting information received from external parties during normal business transactions
 Customer responsibilities for managing their employees' access to the company's web-based ordering system to
prevent unauthorized orders
 Policies related to performing background checks and credit checks, or using collection agencies

Example: Communicating Internal Control Information to a Federal Agency

A federal agency is responsible for managing and overseeing the distribution of approved funds to not-for-profit
organizations that provide community outreach programs for underprivileged children. In connection with its
oversight responsibilities, the federal agency requests information from each community organization about its
program's controls over the allocation and use of funds received.

Management of each community organization summarizes their control activities over the allocation and use of
funds and provides a statement that control activities were designed, implemented, and operating for the
quarter. Any changes to or deterioration in the controls, such as changes in ability to segregate duties due to
loss of personnel, are communicated along with management's actions to mitigate risks. This summary is
provided quarterly to the federal agency.

Example: Establishing Periodic Communications with Contractors and Outsourced Service Providers

ConFab Group, a large, privately held telecommunications equipment provider, outsources all its manufacturing
activities to third parties, which are located around the world. Under the contractual arrangements, ConFab is
responsible for damage or loss of inventory from the receipt of raw materials at the third-party contract
manufacturer until the completed products are delivered to the freight forwarder for shipment. This means
management retains significant risk to inventory that is not within its physical control.

ConFab's management team has specific policies and procedures for the purchasing, manufacture, and
preparation of shipments to mitigate its economic exposure and that support its estimates for inventory reserves.
Management communicates these policies to the manufacturers, along with specific contract clauses that
require adherence to the policies and the right to audit by the company.

To ensure that policies and procedures are carried out as intended, ConFab has implemented several methods
of communicating with the contract manufacturers:

 A website is built specifically for communications between the company and the contract manufacturers.
 A link on the company's website leads to the policies and procedures, which contractors are required to
acknowledge that they have read and understood and will adhere to.
 The contract manufacturers provide a variety of periodic reports, which are used in company control activities
to ensure that inventory balances and related estimates are properly reported.
 Periodic on-site audits at contract manufacturers are performed to validate the inventory quantities on hand,
stage of production, and quality. The audits include random interviews of personnel to confirm their
understanding of and adherence to policies and procedures, and inspection of inventory transactions, documents,
and reports.

ConFab also performs annual reviews of the contract manufacturers' controls that support the completeness and
accuracy of reports provided throughout the year.

Approach: Obtaining Information from Outside Sources

Management and other personnel stay abreast of new matters relevant to their area of responsibility in order to
identify and respond to changes that may impact, directly or indirectly, external financial reporting objectives or
the related internal control. Management of each business unit or functional group identifies relevant means to
receive information from outside the company and assigns responsibility, to themselves or to other personnel, for
obtaining, reviewing, and sharing relevant information within the company, as appropriate. Sources of
information may include:

 Publications that provide updates to financial accounting, reporting, and disclosure standards or regulations
 Technical journals that analyze the impact of financial accounting and reporting matters
 Competitor or peer regulatory filings
 Information gathered at industry or trade association meetings
 Industry, market, economic, or competitor data relevant to key metrics or accounting estimates
 Alerts from outside counsel on regulatory or legal changes
 Periodic meetings with external auditors and advisors to understand new accounting and disclosure
requirements
 Meetings with outside advisors or subject matter specialists with the expertise to assess complex accounting
and disclosures for major transactions or events
 Standard-setter and regulator projects and publications
 Postings on organization-sponsored or supported social media websites or communication tools

Example: Communications from Regulatory Bodies

As a result of a regulator's examination, Norgaard-Kellogg Financial, a registered investment advisor, was
informed that the firm was not in compliance with rules requiring documentation of certain compliance policies
and procedures for trading activities and the related accounting and disclosure requirements. Eileen Nachbar,
the company CFO, met with outside counsel and external auditors to review the matters and obtain their views.
She also engaged other external advisors with expertise on risks and best practice procedures related to trading
activities.

After these discussions, Ms. Nachbar met with the senior management of Norgaard-Kellogg responsible for
trading activities to discuss the regulator's findings and her own evaluation of the issue and recommendations for
enhancements. The information was shared with the disclosure committee, a group responsible for assessing
the requirements for disclosures in external filings. After approval of the proposed actions by the disclosure
committee, Ms. Nachbar developed an action plan for updating internal control policies, procedures, and related
documentation to address the compliance requirements.

Example: Obtaining Information from External Sources to Assist with Accounting Estimates

Nevio Group regularly sells its products in highly unstable economic environments where currency values
fluctuate significantly. These fluctuations significantly affect the accounting treatment of transactions and
balances recorded in the financial statements.

Clint Bell, the assistant treasurer, is responsible for obtaining and analyzing information from an outside advisory
firm related to the past, present, and future expectations of currency fluctuations. One of his sources is a
subscription service that provides reporting on currency values, changes in values, and trends over periods of
time. It also provides alerts if currency fluctuations exceed certain thresholds.

Mr. Bell sets up the relevant currencies, time periods, and alerts appropriate for Nevio Group. The treasurer
reviews the settings and approves changes, if needed, each quarter. On a monthly basis, or more frequently
based on alerts received, Mr. Bell evaluates the currency rates used for financial accounting associated with
significant estimates impacted by currency values.

Based on the information gathered and corroborated from various external sources, he updates his analysis.
The analysis is given to the treasurer, director of financial reporting, and controller to help them ensure that
the basis for their estimates and communications in external reports is current and appropriate.

Approach: Surveying External Parties

Management surveys customers, vendors, and others on their perception of the integrity and ethical values of
company personnel. This survey process is controlled by company personnel independent of the main
customer/vendor contacts. These surveys not only provide a sounding board for the company's customers, but
also enable management to gain important information about the commitments made to customers and ensure
that such commitments are consistent with the understanding of formal arrangements between parties.

Management carries out surveys of external parties in a variety of ways, which may include:

 Sending to all customers periodic surveys with standard questions regarding the company and its products or
services
 Providing a feedback mechanism on the company's website or through a feedback box on documents that are
sent regularly to external parties
 Periodically meeting with external parties, in person or by video or teleconference

Example: Conducting Discussions with Customers

Fitness Four, a manufacturer of strength and cardiovascular fitness equipment, has developed a policy requiring
a member of management to contact each customer at least annually. The management team member must not
be the customer's primary contact or in any senior line of reporting of the customer's primary contact at the
company.

During these discussions with customers, the manager is expected to address a number of areas relevant to the
customer-company relationship that impact external financial reporting, including:

 Customers' adherence to acceptable use provisions based on licensing rights that may impact royalty costs
 Confirmation of continued use of products or services that may impact the estimated life of assets or term of
contracts used for accounting judgments
 Issues, concerns, or return activity of company products that may indicate that recorded sales transactions were
not valid
 Feedback on company individuals that the customer interacts with during the sales, delivery, support, customer
service, or billing process
 Any regulatory, compliance, or internal customer policy requirements that should be considered in the
manufacture of products or provision of services
 Expectations of the customer for additional products, services, or support that may indicate commitments made
outside of the contracts or other written arrangements

The information gathered through these conversations is shared with finance and other relevant company
personnel. Any issue that indicates a potential financial reporting problem, such as incomplete delivery of
products or services, or billing and payment discrepancies, is investigated further. Where changes in the
accounting for transactions are needed, additional reviews are performed to ensure that the issues are fully
resolved. Internal controls are also evaluated for deficiencies so that similar issues are prevented or detected in
future.

Approach: Communicating the Whistle-Blower Program to Outside Parties

Management provides a whistle-blower phone number or email address to customers, suppliers, outsourcing
companies, and other external parties to facilitate feedback on potential improprieties or improper or unreliable
financial reporting. The contact information is disseminated through various means, such as the company's
website and on invoices sent to customers.

Example: Facilitating Communication with External Parties

Shoreup Nutrients is a manufacturer and retailer of branded and private label vitamins and nutritional
supplements. It provides a section on its website for anyone who wants to respond with questions, concerns,
complaints, or other information.

The internal audit department of Shoreup Nutrients is responsible for maintaining a process to ensure that all
reported matters are collected, documented, evaluated, and addressed appropriately. On a weekly basis,
internal audit monitors the website and summarizes any new information collected by using a collaboration
software tool accessible only to the audit department.

The director of internal audit, Naseema Bahair, evaluates each matter and develops an action plan, which
includes:

 Conducting interviews of company personnel
 Obtaining and reviewing relevant documentation
 Contacting the reporting party for additional information, if necessary

Upon review of complaints received through whistle-blower hotlines, the CFO or the audit committee chair
decides what information will be shared with the reporting party.

Approach: Reviewing External Audit Communications

Following the external auditor's review of financial information and independent evaluation of internal control
effectiveness, management receives a written summary of significant matters identified during the course of the
work. The board of directors discusses these at a subsequent meeting, where external audit personnel discuss
their findings and management discusses proposed resolutions.

Example: Managing and Assessing External Audit Communications

The management at Hessen's Assure, a healthcare insurance company, has established a process with the
external audit firm to coordinate the periodic assessments of internal controls and discuss and respond to
matters identified during the course of the external audit. The management team meets monthly with the
external auditor to discuss internal control testing plans, status, and issues.

Internal control issues or recommendations for improvement that are identified by the external audit firm are
assigned to an employee in the impacted business process area, and that person develops and presents a
recommended response at the monthly meeting, or more frequently if needed. The management team evaluates
each response, such as modifying internal control activities; reinforcing awareness; updating policy, procedure,
or control documentation; or performing additional evaluations, and assigns responsibility for carrying out the
response.

Results of the management meeting are communicated to the external audit firm. In addition, a summary of
significant issues and observations is presented at the audit committee meeting at set intervals during the year
or as necessary.

Footnotes

22 This example is continued in Chapter 6, Monitoring Activities, to illustrate how monitoring activities
may assess whether controls to effect principles in information and communication are deployed as
intended (see page 147).

6. Monitoring Activities

Chapter Summary

Ongoing evaluations, separate evaluations, or some combination of the two are used to ascertain whether each
of the five components of internal control, including controls to effect the principles within each component, is
present and functioning. Ongoing evaluations, built into business processes at different levels of the entity,
provide timely information. Separate evaluations, conducted periodically, will vary in scope and frequency
depending on assessment of risks, effectiveness of ongoing evaluations, and other management considerations.
Findings are evaluated against criteria established by regulators, standard-setting bodies, or management and
the board of directors, and deficiencies are communicated to management and the board of directors as
appropriate.

Principles relating to the Monitoring Activities Component

16. The organization selects, develops, and performs ongoing and/or separate evaluations to ascertain whether
the components of internal control are present and functioning.

17. The organization evaluates and communicates internal control deficiencies in a timely manner to those
parties responsible for taking corrective action, including senior management and the board of directors, as
appropriate.

Principles and Approaches

16. The organization selects, develops, and performs ongoing and/or separate evaluations to ascertain whether
the components of internal control are present and functioning.
 Periodically Reviewing the Mix of Monitoring Activities
 Establishing a Baseline
 Identifying and Using Metrics
 Designing and Implementing a Dashboard
 Using Technology to Support Monitoring Activities
 Conducting Separate Evaluations
 Using Internal Audit to Conduct Separate Evaluations
 Understanding Controls at an Outsourced Service Provider

17. The organization evaluates and communicates internal control deficiencies in a timely manner to those
parties responsible for taking corrective action, including senior management and the board of directors, as
appropriate.
 Assessing and Reporting Deficiencies
 Monitoring Corrective Action
 Developing Guidelines for Reporting Deficiencies

Conducts Ongoing and/or Separate Evaluations

Principle 16. The organization selects, develops, and performs ongoing and/or separate evaluations to
ascertain whether the components of internal control are present and functioning.

Points of Focus

The following points of focus highlight important characteristics relating to this principle:

 Considers a Mix of Ongoing and Separate Evaluations—Management includes a balance of ongoing and
separate evaluations.
 Considers Rate of Change—Management considers the rate of change in business and business processes
when selecting and developing ongoing and separate evaluations.
 Establishes Baseline Understanding—The design and current state of an internal control system are used to
establish a baseline for ongoing and separate evaluations.
 Uses Knowledgeable Personnel—Evaluators who perform ongoing and separate evaluations have sufficient
knowledge to understand what is being evaluated.
 Integrates with Business Processes—Ongoing evaluations are built into the business processes and adjust to
changing conditions.
 Adjusts Scope and Frequency—Management varies the scope and frequency of separate evaluations
depending on risk.
 Objectively Evaluates—Separate evaluations are performed periodically to provide objective feedback.

Approaches and Examples for Applying the Principle

Approach: Periodically Reviewing the Mix of Monitoring Activities

Senior management meets periodically to review the allocation of effort between ongoing evaluations and
separate evaluations used to conduct monitoring activities. The mix of planned monitoring activities over internal
control of external financial reporting may depend on senior management's assessment of:

 The entity's regulatory requirements and financial reporting objectives
 How quickly the entity's industry and/or regulatory environment is changing or anticipated to change
 The results of historical evaluations of control effectiveness
 The extent of ongoing monitoring within the associated processes
 Changes that have occurred in the current year that impact other components of internal control

Senior management may also increase the frequency of separate evaluations from the initial plan in processes
where:

 Existing monitoring activities raise potential deficiencies in the system of internal control
 Key performance indicators, which correlate to surfacing potential deficiencies in internal control, have exceeded
a prescribed threshold

Example: Changes in Business Operations

Hunter Manufacturing has thirteen different plant locations, six of which are considered significant. The
management team of Hunter Manufacturing has been monitoring internal control in the seven smaller, less
significant plants primarily through ongoing evaluations. However, management has now determined that some
separate evaluations have become necessary. This decision has been made because of increased risk factors
at these plants, including frequent errors in monthly and quarterly reconciliation activities and turnover among
plant-level controllers and supervisory personnel. Accordingly, management now has both ongoing and separate
evaluations in place, having implemented random plant audits to periodically evaluate controls.

Example: Changing the Internal Audit Plan

Viliam Financial Services is a publicly held global company. Recently the industry has experienced a significant
rate of change because of increasing regulatory focus and complexity of the company's financial products. In
response to these changes, Viliam's management and board of directors have reprioritized the activities
conducted by its internal audit department, including:

 More active oversight of Viliam's recently enhanced risk management and governance processes
 An iterative risk assessment process that performs a risk review annually and more often if the business
changes
 Reviews of financial and operational data to identify risks and adverse trends, and to respond to them
accordingly by conducting targeted audits

Approach: Establishing a Baseline

Senior management develops a baseline understanding of the design and current state of the entity's system of
internal control by:

 Determining the starting point of the system
 Reviewing whether controls within each of the five components of internal control are operating as intended to
achieve the entity's objectives

Management then leverages the established baseline to:

 Identify necessary changes in design and conduct of internal controls that result from monitoring activities
 Evaluate changes in people, processes, and technology that may impact the design and implementation of
controls
 Establish a new baseline that incorporates any changes that impact the previous baseline

Senior management may use the baseline information to establish which ongoing and separate evaluations are
most appropriate.

Example: Establishing a Baseline

The senior management of Judd Co., a beverage manufacturer and distributor, focuses the organization's
monitoring efforts by risk priority. In areas of high risk the entity conducts and documents a thorough review of
the design and operation of controls to establish a baseline. The documentation includes a written description,
flowchart, and walkthrough narrative of how each control within the high-risk area operates. Past and current
control performance must also be documented with any anomalies or significant variations noted and evaluated.
With risks prioritized and the baseline established, management identifies monitoring activities that can evaluate
changes to the system of internal control in a reasonable period of time. The baseline aids Judd Co. in selecting
more efficient monitoring activities, such as self-assessments coupled with supervisory review. Then, at intervals
appropriate to the level of risk, internal audit performs periodic separate evaluations to reconfirm the system of
internal control against the baseline and the effectiveness of the ongoing monitoring procedures.

Approach: Identifying and Using Metrics23

Management identifies metrics that correlate to the completeness and accuracy of financial transactions to
provide ongoing evaluations of established control activities. When identifying metrics, management considers
the processes and sub-processes that should be monitored, and develops the appropriate measure and
frequency for the evaluation.

The metrics may use the following information:

 Historical performance data, which may be useful for comparisons to current performance data
 Expected performance targets, which may be used to benchmark current performance against expected
performance

Some metrics have clearly defined allowable tolerances that have been calculated for current performance data,
which may be used to highlight anomalies. Other metrics have less defined thresholds and are reviewed by
knowledgeable employees for reasonableness and unusual items.

Example: Using Metrics to Monitor Payroll

Approximately 90% of Mynarski Manufacturing employees are located at company plant sites. To monitor
whether the payroll processing control activities are working, Henrik Saunders, the corporate payroll manager,
reviews the plant payroll metrics. Payroll metrics include:

 Current head count compared with expected and historical head count for the month, quarter, and year
 Current payroll compared with expected and historical payroll for the month, quarter, and year
 Current overtime in hours and dollars compared with expected and historical overtime in hours and dollars for
the month, quarter, and year

In his review, Mr. Saunders looks for any unusual fluctuations, such as increases and decreases in the number
of employees and excessive overtime. His review is done in the context of current plant productivity and target
thresholds based on historical data and planned productivity, which varies by season. If Mr. Saunders identifies
any fluctuations, he investigates the underlying reasons and adjusts the process or control activities as needed.

Example: Using Built-In Operating Measures and Key Control Indicators

Tony Rosco is the controller of Still Craft Foods. He uses operating measures and key performance indicators
(KPIs) for major accounting and financial processes, including accounts receivable, payroll, accounts payable,
and financial statement preparation. Accounts payable KPIs, for example, focus on the accuracy, timeliness,
completeness, and compliance of documents received for vouching and checks prepared, with performance
tracked to established targets.

Mr. Rosco leverages his knowledge of changes in the business when developing his expectations on how
performance is likely to be consistent with, or vary from, established targets. In the case of accounts payable
KPIs, those variances from the established targets could result from known factors, such as significant new
vendors, changes in payment terms, and cash flow goals. Where results do not meet expectations, Mr. Rosco
evaluates them for potential underlying issues in established control activities. Additionally he uses the KPIs to
identify trends that could indicate some fraudulent activity (e.g., he sees a concentration of payments to a vendor
that is new or for which he would not expect that volume).

He shares his findings with the management team, which uses the information in performance appraisals and
related development programs.

Approach: Designing and Implementing a Dashboard24

As part of its ongoing evaluations, management develops and implements dashboards for reviewers to use in
the ordinary course of business. Reviewers are usually supervisors of those employees with first-level
knowledge and who are accountable for processes, activities, and their controls. Dashboards may include:

 Detailed and/or summarized information about control performance
 Metrics being measured and/or information being highlighted for evaluation and investigative follow-up
 Visual depictions of the status of control operation
 Details of status including frequency of assessment and last assessment
 Known current deficiencies and their remediation status
 Key personnel and contact details for those responsible for processes and sub-processes

Example: Using Dashboards to Relate Operating Information

Langdale Manufacturing, a manufacturer of industrial machinery parts, uses a set of operating dashboards by
business process, with each dashboard containing a series of tasks assigned to the appropriate managers for
action. The dashboard for the production inventory process, for example, includes costs associated with tooling:

Internal Use Only


Exported on 23/02/2022 10:29 pm © All rights are reserved. Page 320
where the warehouse manager checks the usage of tools during production noting how often they are needed,
who requested them, and where they are purchased from.

Management then considers this information when reviewing tooling costs included in inventory. In the monthly
management meetings, these dashboards are reviewed. Each of the managers responsible for specific tasks
discusses recent progress and expected changes over the coming month. To the extent that an increase in tool
usage was noted, management would expect that costs related to tooling would be up for the period.

Approach: Using Technology to Support Monitoring Activities25

Management uses technology to support the monitoring of the system of internal controls in the ordinary course
of business through automated monitoring applications. Management uses the automated monitoring application
to efficiently and continuously review large volumes of data at a low cost with a high standard of objectivity (once
programmed and tested). Automated monitoring activities may include:

 Checking transactions against predefined thresholds for anomalies
 Monitoring transactions for trends or patterns
 Assessing automated performance indicators, metrics, and measures that may lead to improvements in process
and business

Example: Using Continuous Monitoring

Gentoo Financial Services employs a continuous monitoring tool to perform a simple regression analysis of
nonperforming loans by branch and by loan officer as one form of monitoring control over loan origination. The
output from the tool allows Gentoo to look for outliers across multiple dimensions (e.g., policy, industry
standards, and statistical standard deviations) and provides input for Gentoo's allowance for loan losses.
Further, the report can be repopulated in either real-time or batch mode. This analysis helps Gentoo identify loan
officers and/or branches that may not be following loan origination policies.
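The outlier screen in the Gentoo example, written out as an added example for this page (it is not Gentoo's tool, and the text's "simple regression analysis" is replaced here by the simpler z-score test against the population). The portfolio rows, the 15% policy ceiling, the 2-sigma band and all names are constructed or assumed. The point it demonstrates is the one the text makes implicitly: the same data screened by branch and by loan officer gives different hits, because branch totals dilute a single officer.

```python
"""Outlier screen over nonperforming-loan (NPL) rates by branch and by loan
officer. Added example for this section; it is not Gentoo's monitoring tool.
The portfolio rows, the 15% policy ceiling and the 2-sigma band are all
constructed/assumed for the example.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed portfolio summary: (branch, officer, loans_originated, nonperforming)
PORTFOLIO = [
    ("East",  "officer_a", 20, 6),   # 30% NPL: the officer this screen should surface
    ("East",  "officer_b", 20, 2),
    ("West",  "officer_c", 20, 2),
    ("West",  "officer_d", 20, 2),
    ("North", "officer_e", 20, 2),
    ("North", "officer_f", 20, 2),
    ("South", "officer_g", 20, 2),
    ("South", "officer_h", 20, 2),
]

DIMENSIONS = {"branch": 0, "officer": 1}   # column index of each grouping key
POLICY_MAX_NPL = 0.15   # assumed policy ceiling on the NPL rate
Z_THRESHOLD = 2.0       # assumed: flag rates more than 2 std devs above the mean


def npl_rates(portfolio, dimension):
    """Aggregate loan counts along one dimension and return {key: npl_rate}."""
    idx = DIMENSIONS[dimension]
    loans = defaultdict(int)
    bad = defaultdict(int)
    for row in portfolio:
        key = row[idx]
        loans[key] += row[2]
        bad[key] += row[3]
    return {key: bad[key] / loans[key] for key in loans}


def flag_outliers(rates, policy_max=POLICY_MAX_NPL, z_threshold=Z_THRESHOLD):
    """Return {key: [reasons]} for every key that breaches the policy ceiling
    or sits more than z_threshold population standard deviations above the mean.
    Both tests are reported so reviewers can see which dimension tripped.
    """
    values = list(rates.values())
    mu = mean(values)
    sigma = pstdev(values)
    flagged = {}
    for key, rate in rates.items():
        reasons = []
        if rate > policy_max:
            reasons.append(f"policy: {rate:.1%} exceeds {policy_max:.0%} ceiling")
        if sigma > 0:
            z = (rate - mu) / sigma
            if z > z_threshold:
                reasons.append(f"statistical: z = {z:.2f} above {z_threshold:.1f}")
        if reasons:
            flagged[key] = reasons
    return flagged


def screen(portfolio=PORTFOLIO):
    """Run the screen on every dimension: one batch run of the monitoring report."""
    return {dim: flag_outliers(npl_rates(portfolio, dim)) for dim in DIMENSIONS}


if __name__ == "__main__":
    for dim, hits in screen().items():
        print(f"{dim}:")
        for key, reasons in hits.items():
            print(f"  {key}: " + "; ".join(reasons))
```

On the constructed data the officer view flags officer_a on both the policy and the statistical test, while the branch view flags East on policy only (its 20% rate is elevated but within two standard deviations of the other branches). A screen run on one dimension alone would therefore either miss the officer or produce a hit the branch manager cannot act on, which is why the text has Gentoo slice by both.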

Example: Using Technology to Identify Trends

Penguin Ice, a manufacturer of ice cream, uses an automated computer application as part of its ongoing
monitoring activities. One of the application's activities identifies any trends in the processing of journal entries of
personnel who consistently approve entries just below their authorization limit. Management then considers this
information in monthly meetings to determine if any fraud is occurring or if journal entry control activities for
authorization limits need to be changed.

Approach: Conducting Separate Evaluations

Management may conduct separate evaluations of internal controls over external financial reporting by:

 Conducting ad hoc supervisory management visits and reviews
 Conducting cross-operating unit reviews using management from similar operating units within the company
 Comparing components of internal control with another similar entity by benchmarking or using a peer
evaluation
 Developing a self-assessment questionnaire for a business process for use by personnel responsible for the
controls within a particular business unit or function
 Hiring an independent third party to perform a specific evaluation

Example: Investigating and Reporting Whistle-Blower Allegations [26]

Annually, the board of Generation Now engages an independent third party to evaluate the effectiveness of its
whistle-blower program. The purpose of the evaluation is to ascertain that (1) the general counsel has reviewed
the logs of all calls received and reported all calls in the quarterly progress reports to the board; (2) the internal
auditor (or other independent individual) carried out the investigations into allegations, as necessary, and made
recommendations to address any shortcomings in the whistle-blower program; and, (3) all parties complied with
the company's policies and procedures in resolving all whistle-blower calls on a timely basis.

Example: Identifying and Protecting Sensitive Financial Data and Information [27]

Annually, Bio-Adaptive's chief data officer reviews a system-generated report that identifies employees who have
access to sensitive financial data and information. For these employees, the chief data officer evaluates the
suitability of assigned restricted access and their adherence to the standard operating policies and procedures.
Based on the assessment, the chief data officer recommends modifications to existing restricted access,
standard operating policies and procedures, and control activities relating to identifying and protecting sensitive
financial data and information.

Example: Conducting Senior Financial Officer Visits

Gregson Grenville is a publicly held consumer products company with multiple manufacturing facilities
throughout the world. Every year, the company's senior financial officers for each division visit each subsidiary's
headquarters, manufacturing site, and/or sales office to gain an understanding of significant business processes
at those locations. During these visits, the senior financial officer discusses procedures and controls for all
relevant processes impacting financial reporting with those performing the control activities and their
supervisors. In addition, a mini-audit of select control activities is conducted, the findings are documented, and
the local team develops management action plans for all pertinent recommendations. In addition, findings are
shared broadly throughout the organization to facilitate control enhancements at other locations, and areas of
concern impact the focus of future senior officer visits at this and other locations.

Example: Using Self-Assessments

Jaron and Associates provides Internet-based securities brokerage and financial services. Recently the
company instituted a formal internal control assessment program (ICAP). Under this program, managers of each
business unit perform a quarterly control self-assessment and certify the effectiveness of certain controls for
which they are responsible.

The senior management of Jaron recognizes that self-assessment, while not completely objective, is an effective
first line of defense against internal control failure. Internal audit helps compensate for the lack of objectivity in
the control self-assessments by performing periodic audits and comparing the results to the self-assessments.

ICAP allows management to concentrate its ongoing evaluation efforts on several issues:

 Areas of higher risk
 Areas where ICAP has identified potential problems
 Areas where separate evaluations have identified control deficiencies that were not reported through the self-
assessments

Now Jaron and Associates is better able to focus its separate evaluation efforts on a prioritized risk basis and
modify ongoing evaluations where necessary.

Approach: Using Internal Audit to Conduct Separate Evaluations

Management uses an appropriately staffed and adequately trained internal audit function to provide an objective
perspective on key elements of the internal control over external financial reporting. Internal audit reports are
distributed to senior management, the board of directors, and others who are positioned to act on the report's
recommendations. Internal audit's separate evaluations may be influenced by:

 The entity's regulatory environment and management's methodology and plans for achieving compliance with its
financial reporting objective
 An understanding, independent of management, of how the internal control system addresses meaningful risks
 Approval for the planned separate evaluation activities by the board of directors or one of its committees

Example: Identifying and Analyzing Risk of Material Omission and Misstatement due to Fraud [28]

Maxwell's internal audit considers management's assessments of the likelihood of the risks of material omission
and misstatement due to fraud, its planned responses, and the control activities to mitigate these risks when
planning its audit projects. Internal audit selects and develops its monitoring activities including the scope,
nature, and timing of its evaluations based on its views of the assessed fraud risks and management's planned
responses. Internal audit reports these identified fraud risks, along with management's responses and its
planned approach, to the chief audit executive and audit committee. Internal audit also discusses the results of
its fraud procedures with the external auditor. As part of its approach, internal audit compares any noted fraud
incidents to business unit management's fraud risk assessment to identify and evaluate any shortcomings within
management's risk assessment process.

Example: Conducting Separate Evaluations

Lee-Basker Parts designs, manufactures, and distributes precision components and assemblies for aerospace
applications. From time to time the board directs the company's internal audit department to perform separate
evaluations of specified high-risk business processes that impact the entity's financial statements. The scope and
frequency of these evaluations depend primarily on the significance of the related risks and importance of the
controls in reducing risks to an acceptable level.

Subsequent to management's input, it is up to the chief audit executive, Maria Geide, to determine whether the
internal audit department adequately understands the process, the overall internal control structure, and the
objectives of the review.

Once the review is complete, Ms. Geide submits a report on the process controls to senior management and the
board covering the scope of the work (including identification of the controls evaluated), a description of the
major risks and the appropriateness of the controls, a list of identified deficiencies, and management's response
and proposed remediation.

Approach: Understanding Controls at an Outsourced Service Provider [29]

Management obtains and reviews periodic information from outsourced service providers to detect any changes
in activities that impact the entity's system of internal control over external financial reporting. Information
obtained may include:

 The outsourced service provider's applicable control objectives
 Details about which of the outsourced service provider's internal controls have been examined and included in
any report
 The details and results from any independent audit testing performed
 Special considerations for the outsourced service provider that impact the report

To determine what impact any identified changes may have on the entity's system of internal control over
external financial reporting, the following may also be assessed:

 Whether management appropriately considered known changes in business processes and their impact on
internal control, and whether they were communicated to the outsourced service provider, since such changes
could impact the entity's control objectives and design
 Whether exceptions were noted that may trigger further review by senior management
 Whether management is satisfied with the independence and objectivity of the report

Based on management's review and findings, it may be necessary to reassess the separate evaluation activities
over the outsourced service provider.

Example: Reviewing the Service Auditor's Report for Changes in Controls

Finlayson Home Works supplies materials used in residential construction. This public entity has outsourced its
payroll activities for a number of years to a reputable payroll services provider. The chief audit executive, Rolf
Brunner, obtains an annual service auditor's report detailing the internal controls at the service provider. Mr.
Brunner then compares the current report to past reports to determine whether there have been any changes in
relevant controls that could impact the judgments made on planned monitoring activities over the payroll
process. The current report indicates some key changes in the payroll service provider's software and several
negative test results in priority risk areas. As a result, Mr. Brunner has the internal audit department of Finlayson
Home Works perform a reconciliation of the payroll service provider's processing results to evaluate if additional
separate evaluations of the payroll service provider may be necessary.

Evaluates and Communicates Deficiencies

Principle 17. The organization evaluates and communicates internal control deficiencies in a timely manner to
those parties responsible for taking corrective action, including senior management and the board of directors,
as appropriate. [30]

Points of Focus

The following points of focus highlight important characteristics relating to this principle:

 Assesses Results—Management and the board of directors, as appropriate, assess results of ongoing and
separate evaluations.
 Communicates Deficiencies—Deficiencies are communicated to parties responsible for taking corrective
action, and to senior management and the board of directors, as appropriate.
 Monitors Corrective Actions—Management tracks whether deficiencies are remediated on a timely basis.

Approaches and Examples for Applying the Principle

Approach: Assessing and Reporting Deficiencies

Management develops policies and practices to periodically assess and communicate deficiencies that result
from the entity's monitoring activities and other sources. Management establishes a practice where all
deficiencies in internal control over external financial reporting, regardless of materiality, are reported to the
responsible manager and at least one level of management above, both of whom are positioned to take or
oversee corrective action. Management also classifies deficiencies for the further reporting to senior
management or the board based on criteria established by standard setters or regulators. [31] The criteria could
include the following:

 Nature of the deficiency
 Source of the deficiency
 Known magnitude of a misstatement caused by the deficiency to the entity's financial statements
 The likelihood and potential magnitude of a misstatement caused by the deficiency to the entity's financial
statements
 An aggregation of deficiencies affecting similar areas that could indicate a more serious deficiency

Example: Identifying Sources of Deficiencies

The senior management of Adelie Telecom receives a quarterly report of deficiencies prepared by its internal
audit department. On the third-quarter report this year, deficiencies were reported from several sources,
including the following:

 External Source—Customer complaints about overbilling were brought to management's attention and
investigated. The investigation revealed that the billing system was using the wrong tariff rate, which had been
incorrectly coded in the system. The problem was traced to an input error that was neither prevented nor
detected by control activities.
 Separate Evaluations—Management directed internal audit to conduct a special evaluation of the sources and
quality of information used for Adelie Telecom's payroll reconciliation. The evaluation identified that some of the
information used was not appropriate. Specifically, an outdated report with inaccurate information was being
used for the reconciliation. Consequently, the payroll reconciliation control activity was updated to use the
correct report.
 Ongoing Evaluations—Adelie Telecom allows a 10% variance in paying installation contractors, and so
management developed an automated monitoring control to review the trends in variance activity approvals by
payables clerks. One such report identified that Arnie Chinstrap, a payables clerk, was routinely approving
variances of 10% for a particular vendor, Bosque & Sons Installers. An investigation confirmed that Mr.
Chinstrap had an arrangement with Bosque & Sons for a financial kickback and that Adelie Telecom was
overpaying the contractor. To address the deficiency in internal control, management implemented a
supervisory review for all payments within the 10% variance.
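Two of the automated-monitoring patterns in this section are the same analytic: approvers whose journal entries cluster just below their own authorization limit (the Penguin Ice example under "Using Technology to Identify Trends") and a payables clerk approving the full allowed variance for one vendor (the Ongoing Evaluations item just above). In both cases the signal is the share of an actor's events that sit in a narrow band below a ceiling they are permitted to approve up to; from a fraud-detection standpoint this is the same structuring pattern seen in threshold evasion anywhere else. The Python below is an added example written for this page, not code from the original text or from either company's application. The records, approver names, limits, the 5% proximity band and the flagging thresholds are constructed for illustration; only the 10% variance ceiling comes from the text.

```python
"""Near-ceiling approval screen. Added example for this section; it is not the
application used by Penguin Ice or Adelie Telecom. The records, names, limits,
the 5% proximity band and the flagging thresholds are constructed/assumed.

Two patterns from the text are instances of one analytic:
  * approvers whose journal entries cluster just below their own
    authorization limit (Penguin Ice);
  * a payables clerk approving the full 10% allowed variance for one
    vendor (Adelie Telecom).
"""
from collections import defaultdict

# Constructed journal-entry approvals: (approver, authorization_limit, amount)
JOURNAL_ENTRIES = [
    ("alice", 10_000, 9_800), ("alice", 10_000, 9_950), ("alice", 10_000, 9_700),
    ("alice", 10_000, 9_900), ("alice", 10_000, 2_300),
    ("bob", 10_000, 1_200), ("bob", 10_000, 6_400), ("bob", 10_000, 9_800),
    ("bob", 10_000, 3_100), ("bob", 10_000, 500),
    ("carol", 50_000, 12_000), ("carol", 50_000, 41_000), ("carol", 50_000, 8_700),
]

# Constructed contractor payments: (clerk, vendor, invoice_amount, amount_paid)
PAYMENTS = [
    ("chinstrap", "bosque", 1_000, 1_100), ("chinstrap", "bosque", 2_000, 2_200),
    ("chinstrap", "bosque", 1_500, 1_650), ("chinstrap", "bosque", 800, 880),
    ("chinstrap", "acme", 1_000, 1_020), ("chinstrap", "acme", 2_500, 2_500),
    ("dana", "bosque", 1_000, 1_030), ("dana", "bosque", 2_000, 2_000),
    ("dana", "acme", 1_200, 1_320), ("dana", "acme", 900, 900),
]

VARIANCE_CEILING = 0.10   # the 10% payment variance the text says policy allows
PROXIMITY_BAND = 0.05     # assumed: "near" means within 5% of the ceiling
MIN_EVENTS = 3            # assumed: ignore actors with too little history
MIN_SHARE = 0.6           # assumed: flag when >= 60% of events are near-ceiling


def near_ceiling_groups(records, key_fn, ratio_fn, band=PROXIMITY_BAND,
                        min_events=MIN_EVENTS, min_share=MIN_SHARE):
    """Group records by key_fn; ratio_fn maps a record to value/ceiling.
    Returns {key: (near_count, total_count)} for groups where at least
    min_share of at least min_events records fall in [1 - band, 1].
    Records above the ceiling are out of policy and belong in a separate
    exception report, so they are not counted as 'near'.
    """
    totals = defaultdict(int)
    near = defaultdict(int)
    for rec in records:
        key = key_fn(rec)
        totals[key] += 1
        ratio = ratio_fn(rec)
        if 1.0 - band <= ratio <= 1.0 + 1e-9:
            near[key] += 1
    return {
        key: (near[key], total)
        for key, total in totals.items()
        if total >= min_events and near[key] / total >= min_share
    }


def near_limit_approvers(entries=JOURNAL_ENTRIES):
    """Penguin Ice pattern: amount as a fraction of the approver's own limit."""
    return near_ceiling_groups(entries,
                               key_fn=lambda r: r[0],
                               ratio_fn=lambda r: r[2] / r[1])


def ceiling_variance_pairs(payments=PAYMENTS):
    """Adelie Telecom pattern: approved variance as a fraction of the 10% ceiling,
    grouped by (clerk, vendor) so a single relationship stands out."""
    def variance_ratio(r):
        _clerk, _vendor, invoice, paid = r
        return ((paid - invoice) / invoice) / VARIANCE_CEILING
    return near_ceiling_groups(payments,
                               key_fn=lambda r: (r[0], r[1]),
                               ratio_fn=variance_ratio)


if __name__ == "__main__":
    print("approvers clustering below their limit:", near_limit_approvers())
    print("clerk/vendor pairs at the variance ceiling:", ceiling_variance_pairs())
```

Grouping by (clerk, vendor) is what isolates the Bosque & Sons relationship: grouped by clerk alone, Mr. Chinstrap's other vendors dilute the share, and grouped by vendor alone, Ms. Dana's ordinary approvals dilute it. The band and share thresholds are tuning parameters that should be set from the entity's own approval history, an actor with too little history should be revisited once enough events accumulate rather than dropped, and any entry above the ceiling is a control failure to report on its own rather than fold into a trend.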

Example: Reporting Protocols for Identified Deficiencies

The management of Skea and Associates, an international insurance services organization, classifies financial
reporting control deficiencies identified from its monitoring activities as deficiencies, significant deficiencies, or
material weaknesses. The communication structure for reporting deficiencies is based on their potential impact
on the organization.

For each level of deficiency, [32] the company's internal reporting structure calls for certain reporting procedures:

 Deficiencies are reported in detail to the manager responsible for the control.
 Significant deficiencies are reported in detail to the manager responsible for the control and to the senior
management team, and on a quarterly basis, in summary, to the audit committee.
 Material weaknesses are reported in detail to the manager responsible for the control and the senior
management team, and on a quarterly basis to the audit committee.

Approach: Monitoring Corrective Action

Management establishes a practice to review the status of corrective actions taken to verify that reported
deficiencies are remediated in a timely manner. The corrective action practice may include:

 Regularly scheduled meetings to review the status of corrective actions
 An established electronic or hard-copy report in which corrective actions are summarized and collated
 Delegated oversight to a responsible party, such as an internal audit function

Example: Establishing Reporting Protocols for Identified Deficiencies

The senior management of Lwiski Manufacturing tracks all control deficiencies identified during monitoring
activities and assesses their impact on the organization. These control deficiencies are reported to the
management team responsible for the relevant business unit. If necessary, the management team works with
internal audit to develop the remediation plan, and internal audit provides oversight to verify deficiencies are
remediated in a timely manner.

Specifically, the plan calls for one individual within the business unit to be assigned responsibility for remediating
specific control deficiencies. A time frame for remediation is assigned to each control deficiency, based on its
ranking. Working together, management and internal audit verify that deficiencies are remediated within the
specified time frame.

Example: Follow-Up Reporting on Internal Audit Issues

Mr. James, the chief audit executive of Puna Incorporated, has established a database that tracks management
action plans related to issues coming from internal audit reports. Mr. James receives timely updates on the
status of actions from business process owners, and also periodically reports to the audit committee summaries
of the status of action plans. The reporting includes the percent of action plans implemented on time by business
unit.

When the business has not been able to take sufficient action on important internal audit issues by the originally
reported implementation date, the process owner for the area is invited to attend the audit committee meeting
and explain the issues associated with implementing the appropriate actions.

Approach: Developing Guidelines for Reporting Deficiencies

The board of directors develops a shared expectation with senior management on the types of control
deficiencies that get reported to the board. The board of directors understands the facts and circumstances
regarding internal control deficiencies that impact external financial reporting and provides oversight on
management's conclusions and remediation plans.

Example: Reporting Deficiencies to the Board

Klemmens and Waters provides air transportation services. The management of the company periodically
develops a report of significant deficiencies and material weaknesses, a summary of minor deficiencies, and a
summary of past deficiencies. The purpose is to track whether deficiencies are being remediated in a timely
manner. The reports are presented to the board for review.

Management has also developed with the audit committee a shared expectation, which states that regardless of
the previous categorization, management will report all deficiencies resulting from:

 Illegal or otherwise improper acts
 A significant loss of assets
 Intentional errors and omissions in the conduct of external financial reporting

The audit committee is briefed on the cause of the reported deficiencies and provides oversight of
management's assessment of the deficiencies and the actions and status of remediation plans.

Footnotes

23 Metrics, often operational in nature, may use information that indirectly signals a failure or anomaly,
but there may be other information available more directly linked to changes or failures. The value of
metrics should be considered when an entity evaluates what mix of ongoing and separate evaluations is
appropriate for that entity.

24 A dashboard, a management tool or report that presents in a summarized manner data on the
relevant business performance areas, is often operational in nature and may use information that
indirectly signals a failure or anomaly, but there may be other information available more directly linked
to changes or failures. The value of metrics should be considered when an entity evaluates what mix of
ongoing and separate evaluations is appropriate for that entity.

25 Note that many automated activities used to prevent or detect unintended events or results would be
considered control activities.

26 This example is a continuation of the example in Chapter 2, Control Environment (see page 30).

27 This example is a continuation of the example in Chapter 5, Information and Communication (see
page 123).

28 This example is a continuation of the example in Chapter 3, Risk Assessment (see page 73).

29 The review of controls at the outsourced service provider is covered in Chapter 4, Control Activities.

30 In many cases the board of directors will appoint a committee to oversee the system of internal control,
depending on the objective. For example, the board may appoint an audit committee to oversee the system
of internal control over financial reporting.

31 For example, in the United States, the SEC issued "Commission Guidance Regarding Management's
Report on Internal Control Over Financial Reporting Under Section 13(a) or 15(d) of the Securities
Exchange Act of 1934." Section B.1. covers the evaluation of control deficiencies that provides
management with guidance on the assessment and reporting of deficiencies.

32 For purposes of this example the deficiency classifications used are those related to external financial
reporting in the US as promulgated by the SEC.

Appendices

A: Examples by Topic
Expectations for Governance Oversight

Assessing and Disclosing Director Qualifications 28

Assessing the Potential of Management Override 30


Changing the Board Composition of a Closely Held Company 28

Facilitating Communication between Executive Management and the Board of Directors 127

Maintaining Oversight 72

Reviewing and Documenting Key Activities of the Audit Committee 23

Reviewing Financial Statement Estimates 29

Reviewing Governmental Agency Financial Results and Underlying Internal Control 24

Globalization of Markets and Operations

Automating Balance Sheet Reconciliations 90

Changes in Business Operations 142

Conducting Senior Financial Officer Visits 147

Reorganizing to Support Control Structure 32

Changes and Greater Complexity in the Business

Aligning Roles and Responsibilities with Objectives 34

Establishing Periodic Communications with Contractors and Outsourced Service Providers 133

Evaluating Business Activities to Identify Information Requirements 115

Implementing or Assessing Control Activities when a Report on Controls at a Service Organization is Not
Available 87

Maintaining Control while Engaging Outside Service Providers 34

Obtaining a Report on Controls at a Service Organization from a Cloud-Based Service Provider 96

Obtaining a Report on Controls at a Service Organization from a Service Payroll Provider 86

Obtaining Information from External Sources to Assist with Accounting Estimates 135

Reorganizing to Support Control Structure 32

Responding to Significant Change from an Acquisition 77

Retaining External Tax Assistance 39

Reviewing the Service Auditor's Report for Changes in Controls 150

Demands and Complexities of Laws, Rules, Regulations, and Standards

Analyzing Risks from External Factors 68

Assessing the Suitability of Specified Objectives 54

Controlling Significant Accounting Estimates 89

Establishing Policies and Procedures 104

Establishing Responsibilities for Reviewing Financial Statements 105

Implementing Complex Accounting Standards 39

Obtaining Information from External Sources to Assist with Accounting Estimates 135

Reviewing and Updating Statutory Reporting Requirements 56

Reviewing and Updating Understanding of Applicable Standards 56

Using Templates to Document Policies 103

Expectations for Competencies and Accountabilities

Ad Hoc Assessing of Control Activities 109

Aligning Competencies with Key Financial Reporting Positions 41

Assessing and Disclosing Director Qualifications 28

Assessing the Adequacy of Staffing Levels for Financial Reporting 41

Audit Committee Review of Managers' Roles 40

Planning for Executive Transition 77

Recruiting and Retaining Key Financial Reporting Positions 38

Use of, and Reliance on, Evolving Technologies

Analyzing Risk for Information Technology 66

Analyzing Risks from External Factors 68

Automating Balance Sheet Reconciliations 90

Capturing Information through Electronic Data Interchange 117

Data Capture and Processing for the Purchasing and Payables Cycle 120

Establishing Logical Security 98

Evaluating Business Activities to Identify Information Requirements 115

Evaluating Financial Close End-User Spreadsheet Control Activities 95

Identifying and Classifying Data for Financial Reporting 123


Managing Changes to Custom Software 100

Managing Changes to Packaged Software 99

Obtaining a Report on Controls at a Service Organization from a Cloud-Based Service Provider 96

Using a Data Warehouse to Facilitate Access to Information 119

Using Automated Tools to Enforce the Segregation of Incompatible Functions 92

Using Governance, Risk, and Compliance Technology to Manage Internal Controls 126

Using Technology to Identify Trends 146

Validating Data and Information 122

Varying Control Activities in an SDLC Based on Risk 101

Expectations Relating to Preventing or Detecting Fraud

Assessing Fraud Risk 71

Assessing the Potential of Management Override 30

Cascading Responsibilities throughout the Organization and Measuring Results 44

Conducting Ethics Audits 19

Conducting Senior Financial Officer Visits 147

Employee Ethics Hotline 129

Evaluating Misconduct Reported through an Anonymous Hotline 20

Identifying and Analyzing Risk of Material Omission and Misstatement Due to Fraud 73

Reporting Deficiencies to the Board 154

Taking Action when Deviations Occur 21

B: Public Comment Letters


A draft of the Compendium was issued for public comment from September 18, 2012, through December 4,
2012. There were twenty-three public comment letters and twenty-five responses to COSO's online survey. Each
comment letter was considered by PwC and the COSO Board in finalizing this publication. This appendix
summarizes the more significant issues that arose from these comment letters and the related revisions made to
the Compendium.

Some respondents concurred with COSO that the Compendium provides useful illustrations of applying the
Framework in an external financial reporting context. Some respondents expressed a view that the Compendium
would not set a higher threshold for attaining effective internal control over external reporting or impose
additional burdens on entities that report on internal control over external financial reporting.

Some agreed that the Compendium applies to both larger and smaller entities; however some requested
additional examples specifically focused on smaller entities. PwC and the COSO Board note that many
examples were obtained and updated from the COSO Guidance for Smaller Public Companies issued in 2006
and believe that most examples included in the Compendium apply to both larger and smaller entities.

Some respondents provided suggestions to clarify specific examples and requested additional examples. PwC
and the COSO Board balanced these requests with comments provided by others that the Compendium is too
large and included too many examples. Accordingly, a limited number of examples relevant to the application of
principles in an ICEFR context were added, including:

 Reviewing Governmental Agency Financial Results and Underlying Internal Control
 Manually Assessing Incompatible Functions Across an Entity
 Reviewing Financial Statement Estimates
 Investigating and Reporting Whistle-Blower Allegations
 Identifying and Protecting Financial Data and Information
 Identifying and Analyzing Risk of Material Omission and Misstatement Due to Fraud

Additionally, the Introduction has been updated to include further discussions about:

 Limitations of Illustrations
 Objectives Established for External Financial Reporting
 Suitable Objectives of Financial Statements for External Purposes
 Risks to Achieving Suitable Objectives
 Risk Response

Illustrative Tools for Assessing the Effectiveness of a System of Internal Control

Illustrative_Tools_final_may20_e.pdf

May 2013

This project was commissioned by COSO, which is dedicated to providing thought leadership through the
development of comprehensive frameworks and guidance on internal control, enterprise risk management, and
fraud deterrence designed to improve organizational performance and oversight and to reduce the extent of
fraud in organizations. COSO is a private sector initiative, jointly sponsored and funded by:

 American Accounting Association (AAA)
 American Institute of Certified Public Accountants (AICPA)
 Financial Executives International (FEI)
 Institute of Management Accountants (IMA)
 The Institute of Internal Auditors (IIA)

Committee of Sponsoring Organizations of the Treadway Commission

Board Members

David L. Landsittel, COSO Chair
Mark S. Beasley, American Accounting Association
Douglas F. Prawitt, American Accounting Association
Richard F. Chambers, The Institute of Internal Auditors
Charles E. Landes, American Institute of Certified Public Accountants
Marie N. Hollein, Financial Executives International
Sandra Richtermeyer, Institute of Management Accountants
Jeffrey C. Thomson, Institute of Management Accountants

PwC—Author

Principal Contributors

Miles E.A. Everson, Engagement Leader, New York, USA
Stephen E. Soske, Project Lead Partner, Boston, USA
Jay A. Posklensky, Project Lead Director, Florham Park, USA
Cara M. Beston, Partner, San Jose, USA
Charles E. Harris, Partner, Florham Park, USA
J. Aaron Garcia, Director, San Diego, USA
Subhojit Goswami, Director, New York, USA
Keith Handler, Director, Florham Park, USA
Catherine I. Jourdan, Director, Paris, France
Frank J. Martens, Director, Vancouver, Canada
Sallie Jo Perraglia, Manager, New York, USA
Additional Contributors

Junya Hakoda, Partner (Retired), Tokyo, Japan
Alan Martin, Partner, Frankfurt, Germany
Eric M. Bloesch, Managing Director, Philadelphia, USA
James M. Downs, Director, Minneapolis, USA
Christopher Michaelson, Director, San Francisco, USA (through January 2012)

Advisory Council

Sponsoring Organizations Representatives

Audrey A. Gramling, Bellarmine University, Fr. Raymond J. Treece Endowed Chair
Steven E. Jameson, Community Trust Bank, Executive Vice President and Chief Internal Audit & Risk Officer
J. Stephen McNally, Campbell Soup Company, Finance Director/Controller
Ray Purcell, Pfizer, Director of Financial Controls
William D. Schneider Sr., AT&T, Director of Accounting

Members at Large

Jennifer Burns, Partner, Deloitte
James DeLoach, Managing Director, Protiviti
Trent Gazzaway, Partner, Grant Thornton
Cees Klumper, Chief Risk Officer, The Global Fund to Fight AIDS, Tuberculosis and Malaria
Thomas Montminy, Partner, PwC
Alan Paulus, Partner, Ernst & Young
Thomas Ray, Baruch College
Dr. Larry E. Rittenberg, Emeritus Professor of Accounting, University of Wisconsin; Chair Emeritus, COSO
Sharon Todd, Partner, KPMG
Kenneth L. Vander Wal, International President 2011-2012, ISACA

Regulatory Observers and Other Observers

James Dalkin, Director in the Financial Management and Assurance Team, Government Accountability Office
Harrison E. Greene Jr., Assistant Chief Accountant, Federal Deposit Insurance Corporation
Christian Peo, Professional Accounting Fellow, Securities and Exchange Commission (Through June 2012)
Amy Steele, Associate Chief Accountant, Securities and Exchange Commission (Commencing July 2012)
Vincent Tophoff, Senior Technical Manager, International Federation of Accountants
Keith Wilson, Deputy Chief Auditor, Public Company Accounting Oversight Board

Introduction
This publication, Internal Control—Integrated Framework: Illustrative Tools for Assessing Effectiveness of a
System of Internal Control (Illustrative Tools), is intended to assist management when using the updated COSO
Internal Control—Integrated Framework (Framework) to assess the effectiveness of its system of internal control
based on the requirements set forth therein. An effective system of internal control provides reasonable
assurance of achievement of an entity's objectives, relating to operations, reporting, and compliance. An
effective system of internal control reduces, to an acceptable level, the risk of not achieving an objective relating
to one, two, or all three categories of objectives. Accordingly, Illustrative Tools can help management to assess
whether a system of internal control meets the following requirements:

 Each of the five components and relevant principles is present and functioning; and
 The five components are operating together in an integrated manner.

Please refer to the Framework when using Illustrative Tools. In particular, Chapter 2, Objectives, Components,
and Principles, sets out the direct relationships that exist between the objectives, which are what an entity strives
to achieve, and the components, which represent what is required to achieve the objectives, and relevant
principles that represent fundamental concepts associated with components. Also, Chapter 3, Effective Internal
Control, sets out the requirements for effective internal control and the criteria, relevant for the objective
category, for classifying the severity of any internal control deficiencies.

This publication is organized into two fundamental sections: Templates and Scenarios.

 The templates can support an assessment of the effectiveness of a system of internal control and help to
document such an assessment.
 The scenarios illustrate several practical examples of how the templates can be used to support an assessment
of effectiveness of a system of internal control.

The templates and scenarios focus on evaluating components and relevant principles, not the underlying
controls (e.g., transaction-level control activities) that affect the relevant principles. These tools are not designed
to satisfy any criteria established through laws, rules, regulations, or external standards for evaluating the
severity of internal control deficiencies associated with a particular entity objective, such as external financial
reporting. As noted in the Framework, when regulators, standard-setting bodies, and other relevant third parties
establish criteria for defining the severity of, evaluating, and reporting internal control deficiencies, management
should use only those criteria.

Templates

The templates are designed to present only a summary of assessment results. They are not an integral part of
the Framework, and they may not address all matters that need to be considered when assessing a system of
internal control. Further, they do not represent a preferred method of conducting and documenting an
assessment. Their purpose is limited to illustrating one possible assessment process based on the requirements
for effective internal control, as set forth in the Framework.

The templates do not illustrate management's selection and deployment of controls to effect principles or its
determination of scope, nature, timing, and extent of evaluating such controls embedded within the components.
The facts and circumstances relevant to an assessment vary among different categories of objectives and
among different entities and industries; therefore, the practical use of these tools also varies.

Form and Use

As the Framework applies to any type of entity — large and small public, private, governmental, and not-for-profit — so do
the templates. Management can modify the templates to reflect unique facts and circumstances
(e.g., specified objectives and sub-objectives, scope of application, organizational structure) and assessment
processes for the entity. For example:

 An entity with a complex organizational structure can modify or supplement the templates appropriately, as
illustrated in Scenario E: How are the assessments of multiple locations combined?
 A smaller entity can simplify the templates to reflect a less complex organizational structure and to acknowledge
a less formal, less structured system of internal control; for instance, a system that reflects more direct
supervision and continuous communication about internal control among the CEO, senior managers, and other
personnel.
 An entity may use technology to maintain a summary of internal control deficiencies that is referenced by all the
templates rather than having summaries included in each template.

Organizations may leverage the templates to develop or configure technology-based solutions to support
separate and/or ongoing evaluations and assessment processes. Technology-based solutions, ranging from a
simple spreadsheet to sophisticated, enterprise-wide application software, can help the organization document
and monitor the entity's controls and management's effectiveness assessment. Technology-based solutions can
provide relevant information through system-generated reports and dashboards, which in turn may be used by
stakeholders such as owners, a board of directors,1 senior management, operating unit and functional
managers, control and compliance personnel, and auditors. Management considers the outputs of the
technology-based solutions to support its assessment of a system of internal control, but management would
generally exercise judgment about its overall assessment outside of its technology-based solution.

Organizations can customize the level and amount of detail included in the templates, as they deem necessary.
For example, consider Principle 2, Exercises Oversight Responsibility. Controls that effect this principle likely
occur at the entity level, and management may determine that documentation relating to these controls may not
need to be extensive to support the evaluation. Accordingly, in this example, the templates can be used to fully
document and assess whether this relevant principle is present and functioning. In contrast, controls to effect
Principle 10, Selects and Develops Control Activities, are likely deployed in many business processes throughout
the organization and, accordingly, documentation relating to these controls would be expected to be more
extensive and detailed. Documentation of management's evaluation of whether this principle is present and
functioning would likely require additional templates, such as detailed risk and control matrices, which are not set
forth in Illustrative Tools.

In summary, management may use these templates in several important ways:

 To help determine whether all five components of a system of internal control are operating together in an
integrated manner
 To help determine whether components and relevant principles are present and functioning
 To help assess whether the system of internal control is effective relating to one category of objectives, such as
reporting, or more than one category
 To document management's assessment relating to the effectiveness of a system of internal control at the entity
and subunit levels, considering components and relevant principles
 To document internal control deficiencies identified during the assessment process

If the templates are used as suggested, they:

 Provide a logical structure for management to analyze and document the organization's assessment of
effectiveness of internal control, including the presence and functioning of components and relevant principles
as set forth in the Framework
 Assist management in developing a process for identifying and evaluating internal control deficiencies within
components and relevant principles relating to its assessment of effectiveness of internal control

Organization

To assist management in assessing whether a system of internal control reduces to an acceptable level the risk
of not achieving an objective, the templates are organized to support a risk-based assessment approach. Four
different templates are included:2

 Overall Assessment of a System of Internal Control — Summarizes management's determination of whether
each of the components and relevant principles is present and functioning and components are operating
together in an integrated manner, including the severity of internal control deficiencies or combination of
deficiencies when aggregated across the components.
 Component Evaluation — Summarizes management's determination of whether each component and relevant
principles are present and functioning. Internal control deficiencies relating to a principle are listed and the
severity of each deficiency is assessed considering compensating controls3 (whether or not associated with that
particular component or principle).
 Principle Evaluation — Summarizes management's determination of whether each relevant principle is present
and functioning.4 Management considers controls in conjunction with its assessment of components and
relevant principles. The Framework does not prescribe specific controls that must be selected, developed, and
deployed for an effective system of internal control. That determination is a function of management judgment
based on factors unique to each entity. The absence of controls necessary to effect relevant principles would
represent an internal control deficiency.

The Framework allows for judgment in assessing the potential impact of a deficiency on the presence and
functioning of a relevant principle. Management may consider other controls (whether or not associated with that
particular component or principle) that compensate for an internal control deficiency. These templates also
summarize any identified internal control deficiencies along with a preliminary determination of the severity of the
internal control deficiencies. The determination of severity is preliminary pending the consideration of whether
there are any compensating controls.

The Framework describes points of focus that are important characteristics of principles. The points of focus
may assist management in assessing whether relevant principles are, in fact, present and functioning. The
Framework does not require that management assess separately whether points of focus are in place. Points of
focus are provided in Illustrative Tools as useful references.

 Summary of Internal Control Deficiencies — A log of all identified internal control deficiencies that can be
leveraged in the evaluation of components and principles, and can enable the internal control deficiencies
to be aggregated.

The diagram above shows the relationship between each of the templates and the expected flow of key
information (i.e., evaluation summaries and internal control deficiencies). An assessment process, as reflected in
the templates, would likely proceed as follows:

1. Principle evaluation — Considering the controls to effect the principle. Internal control deficiencies
would be identified along with an initial severity determination.
2. Component evaluation — Considering the roll up of the results of the component's principle
evaluations. The severity of internal control deficiencies is re-evaluated considering whether controls to
effect other principles within and across components compensate for the deficiency.
3. Assessment of the effectiveness of internal control — Considering the roll up of the results of the
component evaluations and assessing whether the components are operating together in an integrated
manner by evaluating whether any internal control deficiencies aggregate to a major deficiency.

As economic, industry, and regulatory environments change, the scope and nature of an entity's leadership,
priorities, business model, organization, business processes, and activities need to adapt and evolve. Internal
control effective within one set of conditions may not necessarily be effective when those conditions change
significantly. As part of risk assessment, management identifies changes that could significantly impact the
entity's system of internal control and takes action as necessary. Accordingly, after an initial assessment,
management continually assesses the effectiveness of the system of internal control, and while the process is
depicted here as serial, in practice it is likely to be iterative.

Scenarios

The scenarios present several practical examples of how the templates can be used to support an assessment
of effectiveness of a system of internal control based on the requirements set forth in the Framework. Each
scenario is designed to illustrate a particular aspect, or set of related aspects, of the assessment process, and
consists of two parts:

 Background material to provide context for the scenario (e.g., company background, relevant paragraphs of the
Framework, summary of key points)
 Completed templates

The scenarios highlight important considerations in performing an assessment. They do not present a
comprehensive view of how an organization would perform the assessment of internal control and they do not
present all possible aspects of the assessment process. The templates that accompany the scenarios are
intended to serve as examples and should not be viewed as comprehensive documentation depicting all relevant
controls to effect principles and assessments. Management should consider the Framework only for designing
and implementing a system of internal control.

The content in the templates is meant to enable readers to focus on the concepts illustrated in the scenarios. It
does not necessarily show an acceptable level of documentation set by management or established by laws,
rules, regulations, and standards. For example, the summary of controls may not be a complete list. Also, only
those templates relevant to the purpose of the scenario are included.

Each scenario is pertinent to any type of entity, although specific facts and circumstances may not apply. Each
scenario is accompanied by a brief summary of any differences that are likely to exist between the scenario and
other types of entities.

Deficiencies

The severity of internal control deficiencies contained in the scenarios is included to illustrate considerations in
performing an assessment. Except for Scenario C (How does a material weakness impact relevant principles,
components, and system of internal control?), the scenarios use the terms "internal control deficiency" and
"major deficiency," as defined in the Framework in Chapter 3, Effective Internal Control. The term "internal
control deficiency" refers to a shortcoming in a component or components and relevant principle(s) that reduces
the likelihood of an entity achieving its objectives. An internal control deficiency or combination of deficiencies
that severely reduces the likelihood that the entity can achieve its objectives is referred to as a "major
deficiency."

Regulators, standard-setting bodies, and other relevant third parties may establish criteria for defining the
severity of, evaluating, and reporting internal control deficiencies. The Framework recognizes and
accommodates their authority and responsibility as established through laws, rules, regulations, and external
standards.

In those instances where an entity is applying a law, rule, regulation, or external standard, management should
use only the relevant criteria contained in those documents to classify the severity of internal control deficiencies
rather than relying on the classifications set forth in the Framework. The Framework recognizes that any internal
control deficiency that results in a system of internal control not being effective pursuant to such criteria would
also preclude management from concluding that the entity has met the requirements for effective internal control
in accordance with the Framework (e.g., a major non-conformity relating to operations or compliance objectives,
or a material weakness relating to compliance or external reporting objectives).

For example, a company that must comply with the classification criteria established by the United States
Securities and Exchange Commission (SEC) would use only the definitions and guidance set out for classifying
internal control deficiencies as a material weakness, significant deficiency, or control deficiency. If an internal
control deficiency is determined to rise to the level of a material weakness, the organization would not be able to
determine that a component and relevant principles are present and functioning and, therefore, conclude that the
entity's system of internal control over financial reporting has met the requirements for effective internal control
as set out in the Framework. If an internal control deficiency does not rise to the level of material weakness, the
entity could achieve effective internal control over financial reporting. Scenario C uses the SEC classification
criteria because the example entity is a US public company subject to SEC rules and regulations.

For internal reporting and other operations objectives, senior management, with board of director oversight, may
establish objective criteria for evaluating internal control deficiencies and for how deficiencies should be reported
to those responsible for achieving these objectives.

Within the boundaries established by laws, rules, regulations, and standards, management exercises judgment
to assess the severity of an internal control deficiency, or combination of deficiencies, in determining whether
each of the components and relevant principles is present and functioning and components are operating
together, and ultimately in concluding on the effectiveness of the entity's system of internal control.

Footnotes

1 As in the Framework, the term "board of directors" is used in this publication to encompass the
governing body, including board, board of trustees, general partners, owner, or supervisory board.

2 For illustrative purposes the templates are shown as separate documents. In practice, an organization
would likely use technology to link these templates to reduce redundant information; information
common to more than one template would then automatically be populated across the templates. For
example, an organization will likely use technology to maintain a summary of internal control
deficiencies that is referenced by all the templates rather than having summaries included in each
template.

3 This publication broadly uses the term "compensating controls" as defined by the Securities and Exchange
Commission in the United States: "Compensating controls are controls that serve to accomplish the
objective of another control that did not function properly, helping to reduce risk to an acceptable level."

4 All principles set forth in the Framework are included in the templates. There may be a rare industry,
operating, or regulatory situation in which management has determined that a particular principle is not
relevant to a component.

Templates

1. Overall Assessment of a System of Internal Control
An electronic version of this template can be downloaded from www.cpa2biz.com/COSOEvalTools.

2. Component Evaluation
An electronic version of this template can be downloaded from www.cpa2biz.com/COSOEvalTools.

3. Principle Evaluation
An electronic version of this template can be downloaded from www.cpa2biz.com/COSOEvalTools.

4. Summary of Deficiencies
An electronic version of this template can be downloaded from www.cpa2biz.com/COSOEvalTools.

Scenarios

5. Scenario A: Is a Relevant Principle and Component Present and Functioning?
Purpose

 Illustrate how principles within a component roll up into the determination of whether the component is present
and functioning.
 Illustrate the need to apply judgment in determining whether principles are present and functioning, including the
possibility of having a principle present and functioning despite internal control deficiencies.
 Illustrate the impact of internal control deficiencies at both the principle and component levels.
 Illustrate the customization of relevant points of focus, as appropriate, for the entity.
 Illustrate that the existence of a major deficiency results in a determination that a principle is not present and
functioning and, therefore, the associated component is not present and functioning. (Although not specifically
shown in this scenario, the system of internal control would not be effective.)

Company Background

 Privately held retail furniture company; family owned.
 $200 million in annual revenue, exclusively in the western United States.
 Board consists of family members and a number of business professionals with significant experience. The
managing director has considerable experience in running large businesses. The internal audit director has over
fifteen years of auditing experience.

Objective Category

 Objective category of assessment is internal financial reporting. Specific focus is on generating reliable,
complete, and accurate divisional financial reports used to run the business and make strategic decisions.

Relevant Framework References

 An effective system of internal control reduces, to an acceptable level, the risk of not achieving an
objective relating to one, two, or all three categories. It requires that:

 Each of the five components of internal control and related relevant principles is present and functioning
 The five components are operating together in an integrated manner

 The phrase "present and functioning" applies to components and principles.

 "Present" refers to the determination that components and relevant principles exist in the design and
implementation of the system of internal control to achieve specified objectives.
 "Functioning" refers to the determination that components and relevant principles continue to exist in the
conduct of the system of internal control to achieve specified objectives.

 In determining whether a component is present and functioning, senior management with board of director
oversight needs to determine to what extent relevant principles are present and functioning. However, a
principle being present and functioning does not imply that the organization strives for the highest level of
performance in applying that particular principle. Rather, management exercises judgment in balancing the cost
and benefit of designing, implementing, and conducting internal control.
 The term "internal control deficiency" refers to a shortcoming in a component or components and relevant
principle(s) that reduces the likelihood of an entity achieving its objectives. An internal control deficiency or
combination of deficiencies that severely reduces the likelihood that the entity can achieve its objectives is
referred to as a "major deficiency." A major deficiency is a subset of internal control deficiencies. As such, a
major deficiency is by definition also an internal control deficiency.
 When a major deficiency exists the organization cannot conclude that it has met the requirements for an
effective system of internal control. A major deficiency exists in the system of internal control when management
determines that a component and relevant principle are not present or functioning or that components are not
operating together. A major deficiency in one component cannot be mitigated to an acceptable level by the
presence and functioning of another component. Similarly, a major deficiency in a relevant principle cannot be
mitigated to an acceptable level by the presence and functioning of other principles.
 In determining whether components and relevant principles are present and functioning, management can
consider controls to effect principles. For instance, in assessing whether Principle 8, Assesses Fraud Risk, may
not be present and functioning, the organization can consider controls to effect other principles, such as those
relating to Principle 3, Establishes Structure, Authority and Responsibility, and Principle 5, Enforces
Accountability. By considering controls initially considered in the context of other principles, management may be
able to determine that Principle 8, Assesses Fraud Risk, is present and functioning.
 Management exercises judgment to assess the severity of an internal control deficiency or combination of
deficiencies, in determining whether components and relevant principles are present and functioning, and
components are operating together, and ultimately in determining the effectiveness of the entity's system of
internal control. Further, these judgments may vary depending on the category of objectives.
 The Framework describes points of focus that are important characteristics of principles. Management may
determine that some of these points of focus are not suitable or relevant and may identify and consider others
based on specific circumstances of the entity. Points of focus may assist management in designing,
implementing, and conducting internal control and in assessing whether the relevant principles are, in fact,
present and functioning. The Framework does not require that management assess separately whether points of
focus are in place.

Facts and Circumstances

The Control Environment component is used as an example.

Control Environment Evaluation

 Principle 1 (Demonstrates Commitment to Integrity and Ethical Values)

 Internal control deficiencies noted after evaluating the principle:

 There is no formal training program to help make employees aware of the importance of adherence
to the standards of conduct.
 The company does not have processes in place to evaluate individuals against the published
integrity and ethics policy.
 Processes to identify and address deviations are ad hoc in the organization.

 Management determined that the combination of internal control deficiencies (as noted above) resulted in
the deficiencies being classified as major deficiencies and, therefore, concluded that Principle 1 is not
present and functioning.

 Principle 2 (Exercises Oversight Responsibility)

 Internal control deficiency noted because even though risk assessments are performed and reviewed by
management, the board of directors' review is not formally documented.
 Internal control deficiency noted because the board does not formally document its review of remediation
plans and monitoring activities.

 In its preliminary analysis, management determined that the internal control deficiencies are not significant
and/or are compensated for by other controls. These deficiencies do not represent a major deficiency.
 Management concludes that the principle is present and functioning, despite internal control deficiencies,
based on an evaluation of the severity of the deficiencies or that there are compensating controls in place.

 Principle 3 (Establishes Structure, Authority, and Responsibility)

 Internal control deficiency noted because oversight and control structures have not evolved to keep up with
changes in the business.
 In its preliminary analysis, management determined that the internal control deficiency, though important,
did not rise to the level of a major deficiency. Currently, the business structure changes only affect a small
portion of the entity.
 Management concludes that Principle 3 is present and functioning as the deficiencies affect only a small
portion of the entity.

• Principle 4 (Demonstrates Commitment to Competence)

• No internal control deficiencies noted.

• Management concludes that Principle 4 is present and functioning.
• Note that as part of Principle 4, management removed the point of focus Plans and Prepares for Succession, as the aspects of this point of focus are now included in the point of focus Evaluates Competence and Addresses Shortcomings.

• Principle 5 (Enforces Accountability)

• Internal control deficiency noted because bonuses for senior management and division and operating unit leaders are tied directly to sales performance, these bonuses make up a large portion of management's compensation, and there is no evidence that any consideration has been given to the pressures that may result or to mitigating controls in place.
• Management determines that the internal control deficiency noted was a major deficiency and, therefore, concludes that Principle 5 is not present and functioning.
• Note that under Principle 5, management had previously customized the point of focus Enforces Accountability through Structures, Authorities, and Responsibilities from the version documented in the Framework. The new point of focus reads (changes in bold): "How does management and the board of directors establish the mechanisms to communicate and hold individuals accountable for performance of internal control responsibilities across the organization and implement corrective action as necessary? As part of this process, how does management develop alternative/backup owners for all aspects of internal control?"

Component Evaluation

• Management concludes that the component is not present and functioning, since two principles are not present and functioning due to the identified major deficiencies. This is a rollup of the principle evaluations.

• Principle 1—Major deficiency—not present and functioning
• Principle 2—Internal control deficiencies (compensating controls noted)—present and functioning
• Principle 3—Internal control deficiency (compensating controls noted)—present and functioning
• Principle 4—No internal control deficiencies—present and functioning
• Principle 5—Major deficiency—not present and functioning

Note: since management concluded that Control Environment is not present and functioning, it would also need to conclude that the overall system of internal control was not effective, although this is not explicitly shown in the scenario.

Summary of Key Points

• The preliminary results of assessing whether a principle is present and functioning support the assessment at the component level.
• Management exercises judgment when determining whether principles are present and functioning, including the possibility of a principle being present and functioning despite internal control deficiencies.
• Internal control deficiencies are evaluated for severity at both the principle and component levels.
• Points of focus may be added or customized to fit the unique facts and circumstances of the entity.
• If a major deficiency is detected in a principle, then the principle and its associated component are not present and functioning and the system of internal control is not effective.

Notes on Different Entity Types


The scenario is equally applicable to all types of entities. However, due to the nature of some entities, certain
principles, such as Principle 2, Exercises Oversight Responsibility, may be different in, for example, a
governmental entity.

6. Scenario B: Is Each of the Components Present and Functioning and Operating Together in an Integrated Manner?

Purpose

• Illustrate how the assessment of internal control is performed by determining whether each of the components is present and functioning.
• Illustrate how to assess whether the components are operating together in an integrated manner.

Company Background

• Publicly held midsized manufacturing company with 1,000-plus employees. The organization specializes in manufacturing parts for aerospace applications. Unit A has been supplying parts to an airline manufacturer customer for thirty years. These parts are specialized, requiring precision processes to manufacture, and they are expected to be of extremely high quality. Last year, the customer asked for a new part that is a component of a new product. Producing this part uses newer technology and involves changes in the manufacturing process.

Objective Category

• Management is assessing effectiveness over the operations objective.

Relevant Framework References

• An effective system of internal control reduces, to an acceptable level, the risk of not achieving an objective relating to one, two, or all three categories. It requires that:

• Each of the five components of internal control and relevant principles is present and functioning
• The five components are operating together in an integrated manner

• The Framework views all components of internal control as suitable and relevant to all entities.
• The Framework requires that all components operate together in an integrated manner. "Operating together" refers to the determination that the five components collectively reduce, to an acceptable level, the risk of not achieving an objective.
• Components are interdependent with a multitude of interrelationships and linkages among them, particularly the manner in which principles interact within and across components. Components that are present and functioning capture the inherent interdependencies and linkages among them.
• Accordingly, management can demonstrate that components operate together when:

• Components are present and functioning
• Internal control deficiencies aggregated across components do not result in the determination that one or more major deficiencies exist

• The term "internal control deficiency" refers to a shortcoming in a component or components and relevant principle(s) that reduces the likelihood of an entity achieving its objectives. An internal control deficiency or combination of deficiencies that severely reduces the likelihood that the entity can achieve its objectives is referred to as a "major deficiency." A major deficiency is a subset of internal control deficiencies and not a separate deficiency category. As such, a major deficiency is by definition also an internal control deficiency.
• Management exercises judgment to assess the severity of an internal control deficiency, or combination of deficiencies, in determining whether components and relevant principles are present and functioning, and components are operating together, and ultimately in determining the effectiveness of the entity's system of internal control. Further, these judgments may vary depending on the category of objectives.

Facts and Circumstances

In this scenario, deficiencies exist in some of the components that are then aggregated during the overall
assessment of a system of internal control. The following points summarize the deficiencies by component and
the overall assessment. An internal control deficiency is noted relating to the lack of an effective learning and
development program.

Control Environment Evaluation

• Principle 4 (Demonstrates Commitment to Competence)

• Internal control deficiency noted relating to the lack of an effective learning and development program. Management judgmentally makes a preliminary determination that Control Environment is present and functioning.

Risk Assessment Evaluation

• Principle 9 (Identifies and Analyzes Significant Change)

• Internal control deficiency noted relating to some operations personnel not possessing the skills and competency to identify risks associated with the new technology. Based on its judgment, and considering the strength of the other principles in the component, management makes a preliminary determination that Risk Assessment is present and functioning.

Control Activities Evaluation

• Principle 12 (Deploys through Policies and Procedures)

• Internal control deficiency noted relating to individuals who are not well trained. Based on its judgment, and considering the strength of the other principles in the component, management makes a preliminary determination that Control Activities is present and functioning.

Information and Communication Evaluation

• Based on its judgment, management makes a preliminary determination that Information and Communication is present and functioning with no internal control deficiencies.

Monitoring Activities Evaluation

• Principle 16 (Conducts Ongoing and/or Separate Evaluations)

• Internal control deficiency noted relating to individuals who may not be knowledgeable in the new technology and underlying business processes. Based on its judgment, and considering the strength of the other principles in the component, management makes a preliminary determination that Monitoring Activities is present and functioning.

Overall Assessment of a System of Internal Control

• Management reviewed the internal control deficiencies across the entity to determine if the components were operating together in an integrated manner. Management noted several internal control deficiencies where competency was a contributing factor. The requirement to maintain the highest quality standards, and the resulting low risk tolerance for defective manufacture, reveal a concern about the lack of a commensurate training and competency framework that pervades the organization. The reviewers noted that the individuals are experienced and knowledgeable, but the new manufacturing requirements, which require them to adapt quickly to change, have proved difficult to meet due to the lack of a "competency training culture." This situation has the potential to affect the business objective of providing quality within the tolerance levels prescribed by the customer.
• In this scenario, based on considerations when evaluating the components together, management concludes that a major deficiency exists and thus the system of internal control is not effective. (Note that the templates presented show management's preliminary determination of the severity of the deficiencies. With the updated determination, management would likely change the templates to reflect that the root cause internal control deficiency that was initially not deemed major has been reclassified as major and the associated principle and component are not present and functioning.)

Summary of Key Points

To assess whether the system of internal control is effective, management must consider whether each of the
components is present and functioning and whether the components are operating together in an integrated
manner. Management needs to determine, using judgment, whether any internal control deficiencies or
combination of deficiencies, when considered collectively across the components, represent a major deficiency
to determine if the components are operating together in an integrated manner.

Notes on Different Entity Types

The scenario is equally applicable to all types of entities. However, due to the nature of some of these entities,
certain principles, such as Principle 2 (Exercises Oversight Responsibility) may be somewhat different. For
example, a private entity may not have an independent board of directors, but it may have an advisory board
that exhibits independence from the day-to-day management of the company.

7. Scenario C: How Does a Material Weakness Impact Relevant Principles, Components, and the System of Internal Control?

Purpose

• Illustrate how a material weakness identified at the transaction control activity level is considered in the evaluation of principles and components, and in the assessment of the effectiveness of the system of internal control.

Company Background

• Public financial services company
• Three divisions: A, B and C

Objective Category

• External financial reporting objective

Relevant Framework References

• Management exercises judgment to assess the severity of an internal control deficiency, or combination of deficiencies, in determining whether components and relevant principles are present and functioning, and components are operating together, and ultimately in determining the effectiveness of the entity's system of internal control. Further, these judgments may vary depending on the category of objectives.
• Regulators, standard-setting bodies, and other relevant third parties may establish criteria for defining the severity of, evaluating, and reporting internal control deficiencies. The Framework recognizes and accommodates their authority and responsibility as established through laws, rules, regulations, and external standards.
• In those instances where an entity is applying a law, rule, regulation, or external standard, management should use only the relevant criteria contained in those documents to classify the severity of internal control deficiencies, rather than relying on the classifications set forth in the Framework. The Framework recognizes that any internal control deficiency that results in a system of internal control not being effective pursuant to such criteria would also preclude management from concluding that the entity has met the requirements for effective internal control in accordance with the Framework (e.g., a major non-conformity relating to operations or compliance objectives or a material weakness relating to compliance or external reporting objectives).

Facts and Circumstances

• A material weakness was identified by management in the company's revenue process. One of the revenue streams for the company did not have sufficient controls, which meant that there is a reasonable possibility that a material misstatement of the entity's financial statements will not be prevented, detected, or corrected on a timely basis. There were no known material misstatements in the company's financial statements during the current period.
• A root cause analysis determined that management failed to establish control activities over a significant revenue process in Division C. This division was small but growing and had not implemented extensive financial controls to help foster the entrepreneurial nature of the division. Division C grew to a significant portion of the overall organization's revenue during the year, but sufficient controls were never implemented.
• A related material weakness was noted in Principle 9, Identifies and Analyzes Significant Change. Management determined there was a deficiency in the system of internal control that led to the material weakness.
• Due to the material weaknesses management concluded that:

• Principle 10 (Selects and Develops Control Activities) is not present and functioning.
• The Control Activities component is not present and functioning.
• Principle 9 (Identifies and Analyzes Significant Change) is not present and functioning.
• The Risk Assessment component is not present and functioning. Note: the Risk Assessment component template is not included in this scenario, nor is the principle template for Principle 9.
• There is a reasonable possibility that a material misstatement of the organization's financial statements would not be prevented, detected, or corrected on a timely basis.
• The system of internal control is not effective.

Summary of Key Points

• The material weaknesses identified, which relate to transaction-level control activities, lead management to determine that the Control Activities and Risk Assessment components are not present and functioning and the system of internal control is ineffective. Material weaknesses were identified, though there were no known actual material misstatements of the financial statements.
• Management should determine the root cause of the material weaknesses by considering which control activity principles were not present and functioning. The points of focus can assist in this determination. For example, in this scenario, adequate control activities were never selected and deployed within the process in the first place because the risk assessment process did not identify the material change in Division C and the process to determine the relevant business processes under Principle 10 did not work appropriately.
• As COSO is an integrated Framework, there are likely contributing factors to a material weakness in a particular component. In this scenario, at least one of the contributing factors was a breakdown in the risk assessment process that missed that the revenue in Division C had become material in the current fiscal year. This is reflected in the related material weakness identified in Principle 9.
• To have an effective system of internal control under the Framework, management needs to correct the specific material weaknesses by selecting and developing adequate control activities for the revenue process at this division, and remediate any of the internal control deficiencies that led or contributed to the material weakness, namely the issues of identifying relevant business processes in Principle 10 and the risk assessment issues in Principle 9.

Notes on Different Entity Types

The scenario applies equally to all types of entities. However, management of a smaller entity would likely be more aware of any significant changes in its revenue processes and may address a lack of controls more quickly.

* Note: Record deficiencies in Summary of Deficiencies Template.

8. Scenario D: Are Relevant Principles and Components Present and Functioning in a Division, Operating Unit, or Function?

Purpose

• Illustrate how the Framework can be applied to a division, operating unit, or function.

Company Background

• Midsized computer manufacturer and software retailer with an operating unit manufacturing and selling computers and associated equipment (operating unit A) and another operating unit selling and distributing third-party software (operating unit B).

Objective Category

• The objective category of the assessment is compliance with environmental laws for operating unit A.
• Management at operating unit A has a low risk tolerance associated with achieving this objective.

(Note: All evaluations in the templates are focused on the objective as it relates to operating unit A.)

Relevant Framework References

• Because internal control is relevant both to the entity and its subunits, an effective system of internal control may relate to a specific part of the organizational structure.

Facts and Circumstances

Approach

• While the effectiveness of internal controls is assessed at the operating unit level, management may need to evaluate the components and principles at the "parent" level, the entity level in this scenario, since controls at the parent level can affect the system of internal control at the operating unit level.

• Management will have to plan the evaluation of the seventeen principles at the relevant levels. Management may evaluate the principles at the operating unit level, the entity level, or at both levels.
• In some cases, the operating unit level may be more relevant than the entity level, and in other cases the reverse may be true.

• This example illustrates management's approach to assessing the effectiveness of internal control through the evaluation of the components and selected principles at relevant levels for the declared objective at the operating unit A level.

Evaluation

Control Environment Component

• Management evaluated Principle 1 (Demonstrates Commitment to Integrity and Ethical Values) at both the operating unit and the entity levels since the policies, procedures, and actions at the entity level have at least some effect on the operating unit. Internal control deficiencies were identified at the entity level.

• Management determined that while the principle was present and functioning at the operating unit level, the internal control deficiencies at the entity level could jeopardize the objective of ensuring environmental compliance at this business in the longer term. A lack of commitment to integrity and ethical values at the entity level may, over time, cause the commitment at the operating unit level to deteriorate.
• The principle was found to be present and functioning at the operating unit level despite deficiencies.

• Management evaluated Principle 2 (Exercises Oversight Responsibility). Given the specificity of this principle to the board, this principle needs to be evaluated in the context of the entity's commitment as it relates to the objective at the operating unit level.

• The principle was found to be present and functioning at the entity level with no deficiencies.

• Management evaluated Principle 3 (Establishes Structure, Authority, and Responsibility) at both the business and the entity levels.

• The principle was found to be present and functioning at the entity and operating unit level with no deficiencies.

• Management evaluated Principle 4 (Demonstrates Commitment to Competence) at both the business and the entity levels.

• The principle was found to be present and functioning at the entity and operating unit level with no deficiencies.

• Management evaluated Principle 5 (Enforces Accountability) at the operating unit level. Management felt that it should evaluate the presence and functioning of the principle at the operating unit level as that was most relevant to the operating unit's objective.

• The principle was found to be present and functioning at the operating unit level with no deficiencies.

• Evaluation of Control Environment component:

• The five control environment principles were evaluated as being present and functioning at operating unit A. Management will need to determine whether the entity-level internal control deficiencies in Principle 1 are severe enough to preclude concluding that the component is present and functioning.

Risk Assessment Component

• Management evaluated all the principles in Risk Assessment at the operating unit level only as the risk assessment process for the objective being assessed is specific to this operating unit.

• The principles were found to be present and functioning at the operating unit level.

• Evaluation of the Risk Assessment Component:

• Management evaluated the four principles relating to the Risk Assessment component and concluded that the component was present and functioning.

Control Activities Component

• Management evaluated Principles 10 and 12 at the operating unit level only as the business process control activities for this objective reside at the operating unit.

• The principles were found to be present and functioning at the operating unit level.

• Management evaluated Principle 11 (Selects and Develops General Controls over Technology) at both the entity level (because of the centralized data center) and the operating unit level. At the centralized data center it was determined that there was an internal control deficiency in the network-level access security control activities. However, the transaction-level access control activities at the operating unit were considered strong enough to compensate for this deficiency.

• The principle was found to be present and functioning.

• Evaluation of the Control Activities component:

• Management evaluated the three principles relating to the Control Activities component and concluded that the component was present and functioning.

Information and Communication Component

• Management evaluated Principle 13 (Uses Relevant Information) at both the entity and operating unit level as information relevant to the objective originated and was used at both levels.

• The principle was found to be present and functioning.

• Management evaluated Principle 14 (Communicates Internally) at both the operating unit and entity levels as information was communicated internally between both levels.

• At the operating unit level, management determined the principle was present and functioning. However, at the entity level, management identified an internal control deficiency. Poor communication of internal control responsibilities at the entity level could impact the operating unit.
• The principle was found to be present and functioning.

• Management evaluated Principle 15 (Communicates Externally) at the entity level, as external communication of information relevant to the objective was performed at the entity level.

• The principle was found to be present and functioning with no deficiencies.

• Evaluation of Information and Communication component:

• The three Information and Communication principles were evaluated as being present and functioning at the operating unit level. Management will need to determine whether the entity-level internal control deficiency in Principle 14 is severe enough to preclude concluding that the component is present and functioning. In making this determination, management may use the points of focus supporting the principles to determine if there are compensating controls, either in this component or in another component at the appropriate level (operating unit or entity level), that mitigate the risk that the identified deficiency could result in a failure to achieve the stated objective.

Monitoring Activities Component

• Management evaluated Principles 16 (Conducts Ongoing and/or Separate Evaluations) and 17 (Evaluates and Communicates Deficiencies) at the entity and operating unit levels. Ongoing evaluations are conducted at the operating unit and separate evaluations are done at both the operating unit by its management and the entity by the entity's internal audit group. Deficiencies are evaluated at both levels.

• The principles were found to be present and functioning with no deficiencies.

• In the evaluation of Monitoring Activities, the component was found to be present and functioning.

Overall Assessment of a System of Internal Control

• This template is not included for this scenario. The concepts related to completing an overall assessment template are illustrated in Scenario B, Is Each of the Components Present and Functioning and Operating Together in an Integrated Manner?

Summary of Key Points

When performing an assessment specific to a division, operating unit, or function:

• Some principles need to be evaluated at the entity level, some at the operating unit level, and some at both levels. Management needs to make this determination based on the objective and the way the company is organized.
• Internal control deficiencies noted at the entity level may or may not impact the assessment of whether internal control is effective at a lower level of the entity. Management should understand whether an entity level control is predominant or works in conjunction with the controls "at a level below the entity level" and evaluate any internal control deficiencies accordingly.

Notes on Different Entity Types

The scenario applies equally to all types of entities. However, in a smaller entity or single location entity there will likely be little or no difference between the entity level and operating unit level controls.

9. Scenario E: How Are the Assessments of Multiple Locations Combined?

Purpose

• Illustrate how a large company doing an overall effectiveness assessment would roll up and combine assessments from multiple divisions.
• Illustrate that there are multiple ways to do an assessment depending on organizational structure.

• Illustrate that there is judgment involved in doing the overall effectiveness assessment depending on risk tolerance.

Company Background

• Publicly held producer of paint and coatings with ten divisions.
• Headquartered in Europe with manufacturing and retail locations in Europe and Latin America.
• $7 billion in net sales; $400 million net income.

Objective Category

• Objective category of assessment is operations — specifically ensuring that internal controls around quality are effective.
• The company's risk tolerance for quality issues is that less than 1% (plus or minus 0.25%) of shipped products will have a measurable defect.

Relevant Framework References

 An effective system of internal control provides reasonable assurance regarding achievement of an entity's
objectives. Because internal control is relevant both to the entity and its subunits, an effective system of
internal control may relate to a specific part of the organizational structure. An effective system of internal
control reduces, to an acceptable level, the risk of not achieving an objective relating to one, two, or all
three categories. It requires that:

 Each of the five components of internal control and relevant principles is present and functioning
 The five components are operating together in an integrated manner

 Risk tolerance is the acceptable level of variation in performance relative to the achievement of objectives.
Operating within risk tolerance provides management with greater confidence that the entity will achieve its
objectives. The concept of risk tolerance is included in the Framework, as a precondition to internal control, but
not as a part of internal control.

Facts and Circumstances

 There are multiple ways to approach this assessment, for example:

 Evaluate each component across the entire company.
 Evaluate all components for each division and roll them up.
 Evaluate all components for each major geography and roll them up.

 There is no one right way to do this; it depends on the way the organization is set up. In this scenario, processes
and controls are similar across geographies, but differ between divisions as the company is decentralized and
each division acts like its own company. Because of this decentralization, management determines that the
most logical approach is to evaluate all the components for each division and roll them up to do an overall
assessment at the entity level. The scenario illustrates how this rollup occurs for each division in the component
summary template, an overall component conclusion, and a list of the deficiencies.
 Only the Risk Assessment component is provided to illustrate the scenario.
 For this example, management finds that Division 4 has a major deficiency within the Risk Assessment
component and determines that this component is not present and functioning for that division.

 The major deficiency is that the process to analyze risks to determine how they should be managed is not
functioning. It is determined that the major deficiency is isolated to this division.

 The scenario illustrates that there is judgment involved in how an internal control deficiency at a division
would need to be considered at the overall entity level.

 The affected division is relatively small, making up 20% of overall product sales (by number of units) for the
company. However, management estimates that the major deficiency could leave 10% of the newly produced
products in this division outside of specification, so there is a high likelihood that more than 1% of the
entity's shipped products would be outside of specification if the deficiency is not remediated. Management
concludes that the system of internal control for this objective is not effective.
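The division-to-entity roll-up and the comparison against risk tolerance described above, as an added example that is not part of the COSO scenario: each division's assessment (unit share, estimated out-of-specification rate, any major deficiency) is combined into a unit-weighted entity rate and checked against the 1% tolerance with its 0.25% band. The scenario gives only Division 4's figures; the 0.5% baseline rate assumed for the other nine divisions, and for Division 4 after remediation, is an assumption made here.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Division:
    """One division's assessment for the quality objective (constructed for this example)."""
    name: str
    unit_share: float                 # fraction of the entity's shipped units
    defect_rate: float                # estimated fraction of shipped units out of specification
    # component name -> description of a major deficiency (absent = present and functioning)
    major_deficiencies: Dict[str, str] = field(default_factory=dict)
    remediated_rate: Optional[float] = None  # expected defect rate once the deficiency is fixed


def entity_defect_rate(divisions: List[Division], remediated: bool = False) -> float:
    """Roll up divisions into a unit-weighted entity-level defect rate."""
    share = sum(d.unit_share for d in divisions)
    if abs(share - 1.0) > 1e-9:
        raise ValueError(f"unit shares sum to {share:.4f}, expected 1.0")
    total = 0.0
    for d in divisions:
        rate = d.defect_rate
        # Counterfactual: what the entity rate would be if deficient divisions remediated.
        if remediated and d.major_deficiencies and d.remediated_rate is not None:
            rate = d.remediated_rate
        total += d.unit_share * rate
    return total


def assess_entity(divisions: List[Division], tolerance: float = 0.01, band: float = 0.0025) -> dict:
    """Combine division assessments and judge effectiveness against risk tolerance.

    A division-level major deficiency is only escalated to an entity-level major
    deficiency when the rolled-up rate breaches the upper edge of the tolerance band,
    mirroring the judgment the scenario describes.
    """
    upper = tolerance + band
    rate = entity_defect_rate(divisions)
    deficiencies: List[Tuple[str, str, str]] = [
        (d.name, component, text)
        for d in divisions
        for component, text in d.major_deficiencies.items()
    ]
    within = rate <= upper
    return {
        "entity_defect_rate": rate,
        "upper_bound": upper,
        "within_tolerance": within,
        "division_major_deficiencies": deficiencies,
        "entity_level_major_deficiencies": [] if within else deficiencies,
        "effective": within,
        "rate_if_remediated": entity_defect_rate(divisions, remediated=True),
    }


def scenario_e() -> dict:
    """Scenario E figures: Division 4 holds 20% of units with 10% potentially out of spec."""
    # Assumption: the other nine divisions share the remaining 80% equally at a 0.5% rate.
    divisions = [Division(f"Division {i}", 0.8 / 9, 0.005) for i in range(1, 11) if i != 4]
    divisions.append(Division(
        "Division 4", 0.20, 0.10,
        {"Risk Assessment": "process to analyze risks to determine how they should "
                            "be managed is not functioning"},
        remediated_rate=0.005,  # assumed post-remediation rate
    ))
    return assess_entity(divisions)


if __name__ == "__main__":
    result = scenario_e()
    print(f"entity defect rate: {result['entity_defect_rate']:.2%} "
          f"(upper bound {result['upper_bound']:.2%})")
    print("effective:", result["effective"])
    for division, component, text in result["entity_level_major_deficiencies"]:
        print(f"entity-level major deficiency from {division} / {component}: {text}")
    print(f"rate if remediated: {result['rate_if_remediated']:.2%}")
```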

Summary of Key Points

 A major deficiency noted at the division level (or any level below the level at which controls are being evaluated)
needs to be evaluated in the context of the entity to determine if a major deficiency exists at the level at which
internal controls are being assessed.
 Internal control deficiencies need to be evaluated in the context of the stated objective and the company's risk
tolerance when consolidated at the entity level.
 Management may choose to customize the templates to suit their specific needs depending on the organization
and objective.

Notes on Different Entity Types

The process to combine multiple assessments is likely to be simpler when a less complex organizational
structure exists.

Footnotes

7. Because the objective is external financial reporting and this is a US-based Securities Exchange
Commission (SEC) registered company, this scenario uses terms as defined by SEC in the United
States (Rule 12b-2 [17 CFR 240.12b-2] under the Securities and Exchange Act of 1934), "significant
deficiency" and "material weakness." Therefore, in this scenario management has customized the
templates to reflect this classification. "Material weakness" means a deficiency, or a combination of
deficiencies, in internal control over financial reporting such that there is a reasonable possibility that a
material misstatement of the registrant's annual or interim financial statements will not be prevented or
detected on a timely basis.

Internal Control - Integrated Framework

Committee of Sponsoring Organizations of the Treadway Commission

Copyright © 1992, 1994 by the Committee of Sponsoring Organizations of the Treadway Commission

Two-Volume edition 1994

Additional copies of the two-volume Internal Control - Integrated Framework

(Product code #990012) may be obtained from the Order Department,

American Institute of Certified Public Accountants, Harborside Financial Center,

201 Plaza Three, Jersey City, NJ 07311-3881.

Reprint information for this publication may be obtained by writing to the AICPA's

Publications Division (att: Permissions Editor) also at the Harborside address.

Page references to the original four-volume COSO report (issued September 1992) and the addendum
(issued May 1994) have been changed throughout to conform to pagination in this July 1994 two-volume
edition. Also, the original four-color illustrations in the Framework volume have been recreated in black
and white in this edition.

Committee of Sponsoring Organizations of the Treadway Commission (COSO)

Oversight Representatives

American Institute of Certified Public Accountants: Robert L. May, Chairman
American Accounting Association: Alvin A. Arens
The Institute of Internal Auditors: William G. Bishop, III
Institute of Management Accountants: Thomas M. O'Toole
Financial Executives Institute: P. Norman Roy

Project Advisory Council to COSO

Guidance

Gaylen N. Larson, Chairman; Group Vice President, Chief Accounting Officer; Household International
C. Perry Colwell; Senior Vice President, Financial Management; AT&T (retired)
John H. Stewart; Assistant Treasurer; IBM Corporation
Andrew D. Bailey; Professor, Department of Accounting, College of Business and Public Administration; The University of Arizona
William J. Ihlanfeldt; Assistant Controller; Shell Oil Company
Howard L. Siers, Consultant; General Auditor; E.I. Du Pont de Nemours and Company, Inc. (retired)
Roger N. Carolus; Senior Vice President; NationsBank (retired)
David L. Landsittel; Managing Director-Auditing; Arthur Anderson & Co.

Coopers & Lybrand

Author

Principal Contributors

Vincent M. O'Reilly; Deputy Chairman, Accounting and Auditing; New York Office
R. Malcolm Schwartz; Principal; National Office
Richard M. Steinberg; Partner
Frank J. Tanki; Director, Accounting and SEC Technical Services
Robert J. Spear; Partner; Boston Office

Executive Summary
Senior executives have long sought ways to better control the enterprises they run. Internal controls are put in
place to keep the company on course toward profitability goals and achievement of its mission, and to minimize
surprises along the way. They enable management to deal with rapidly changing economic and competitive
environments, shifting customer demands and priorities, and restructuring for future growth. Internal controls
promote efficiency, reduce risk of asset loss, and help ensure the reliability of financial statements and
compliance with laws and regulations.

Because internal control serves many important purposes, there are increasing calls for better internal control
systems and report cards on them. Internal control is looked upon more and more as a solution to a variety of
potential problems.

What Internal Control Is

Internal control means different things to different people. This causes confusion among businesspeople,
legislators, regulators and others. Resulting miscommunication and different expectations cause problems within
an enterprise. Problems are compounded when the term, if not clearly defined, is written into law, regulation or
rule.

This report deals with the needs and expectations of management and others. It defines and describes internal
control to:

 Establish a common definition serving the needs of different parties.
 Provide a standard against which business and other entities — large or small, in the public or private sector, for
profit or not — can assess their control systems and determine how to improve them.

Internal control is broadly defined as a process, effected by an entity's board of directors, management and other
personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following
categories:

 Effectiveness and efficiency of operations.
 Reliability of financial reporting.
 Compliance with applicable laws and regulations.

The first category addresses an entity's basic business objectives, including performance and profitability goals
and safeguarding of resources. The second relates to the preparation of reliable published financial statements,
including interim and condensed financial statements and selected financial data derived from such statements,
such as earnings releases, reported publicly. The third deals with complying with those laws and regulations to
which the entity is subject. These distinct but overlapping categories address different needs and allow a
directed focus to meet the separate needs.

Internal control systems operate at different levels of effectiveness. Internal control can be judged effective in
each of the three categories, respectively, if the board of directors and management have reasonable assurance
that:

 They understand the extent to which the entity's operations objectives are being achieved.
 Published financial statements are being prepared reliably.
 Applicable laws and regulations are being complied with.

While internal control is a process, its effectiveness is a state or condition of the process at one or more points in
time.

Internal control consists of five interrelated components. These are derived from the way management runs a
business, and are integrated with the management process. Although the components apply to all entities, small
and mid-size companies may implement them differently than large ones. Their controls may be less formal and
less structured, yet a small company can still have effective internal control. The components are:

 Control Environment — The control environment sets the tone of an organization, influencing the control
consciousness of its people. It is the foundation for all other components of internal control, providing discipline
and structure. Control environment factors include the integrity, ethical values and competence of the entity's
people; management's philosophy and operating style; the way management assigns authority and
responsibility, and organizes and develops its people; and the attention and direction provided by the board of
directors.
 Risk Assessment — Every entity faces a variety of risks from external and internal sources that must be
assessed. A precondition to risk assessment is establishment of objectives, linked at different levels and
internally consistent. Risk assessment is the identification and analysis of relevant risks to achievement of the
objectives, forming a basis for determining how the risks should be managed. Because economic, industry,
regulatory and operating conditions will continue to change, mechanisms are needed to identify and deal with
the special risks associated with change.
 Control Activities — Control activities are the policies and procedures that help ensure management directives
are carried out. They help ensure that necessary actions are taken to address risks to achievement of the
entity's objectives. Control activities occur throughout the organization, at all levels and in all functions. They
include a range of activities as diverse as approvals, authorizations, verifications, reconciliations, reviews of
operating performance, security of assets and segregation of duties.
 Information and Communication — Pertinent information must be identified, captured and communicated in a
form and timeframe that enable people to carry out their responsibilities. Information systems produce reports,
containing operational, financial and compliance-related information, that make it possible to run and control the
business. They deal not only with internally generated data, but also information about external events, activities
and conditions necessary to informed business decision-making and external reporting. Effective communication
also must occur in a broader sense, flowing down, across and up the organization. All personnel must receive a
clear message from top management that control responsibilities must be taken seriously. They must
understand their own role in the internal control system, as well as how individual activities relate to the work of
others. They must have a means of communicating significant information upstream. There also needs to be
effective communication with external parties, such as customers, suppliers, regulators and shareholders.
 Monitoring — Internal control systems need to be monitored, a process that assesses the quality of the system's
performance over time. This is accomplished through ongoing monitoring activities, separate evaluations or a
combination of the two. Ongoing monitoring occurs in the course of operations. It includes regular management
and supervisory activities, and other actions personnel take in performing their duties. The scope and frequency
of separate evaluations will depend primarily on an assessment of risks and the effectiveness of ongoing
monitoring procedures. Internal control deficiencies should be reported upstream, with serious matters reported
to top management and the board.

There is synergy and linkage among these components, forming an integrated system that reacts dynamically to
changing conditions. The internal control system is intertwined with the entity's operating activities and exists for
fundamental business reasons. Internal control is most effective when controls are built into the entity's
infrastructure and are a part of the essence of the enterprise. "Built in" controls support quality and
empowerment initiatives, avoid unnecessary costs and enable quick response to changing conditions.

There is a direct relationship between the three categories of objectives, which are what an entity strives to
achieve, and components, which represent what is needed to achieve the objectives. All components are
relevant to each objectives category. When looking at any one category — the effectiveness and efficiency of
operations, for instance — all five components must be present and functioning effectively to conclude that
internal control over operations is effective.

The internal control definition — with its underlying fundamental concepts of a process, effected by people,
providing reasonable assurance — together with the categorization of objectives and the components and
criteria for effectiveness, and the associated discussions, constitute this internal control framework.

What Internal Control Can Do

Internal control can help an entity achieve its performance and profitability targets, and prevent loss of
resources. It can help ensure reliable financial reporting. And it can help ensure that the enterprise complies with
laws and regulations, avoiding damage to its reputation and other consequences. In sum, it can help an entity
get to where it wants to go, and avoid pitfalls and surprises along the way.

What Internal Control Cannot Do

Unfortunately, some people have greater, and unrealistic, expectations. They look for absolutes, believing that:

 Internal control can ensure an entity's success — that is, it will ensure achievement of basic business
objectives or will, at the least, ensure survival.

Even effective internal control can only help an entity achieve these objectives. It can provide management
information about the entity's progress, or lack of it, toward their achievement. But internal control cannot
change an inherently poor manager into a good one. And, shifts in government policy or programs,
competitors' actions or economic conditions can be beyond management's control. Internal control cannot
ensure success, or even survival.

 Internal control can ensure the reliability of financial reporting and compliance with laws and regulations.

This belief is also unwarranted. An internal control system, no matter how well conceived and operated,
can provide only reasonable — not absolute — assurance to management and the board regarding
achievement of an entity's objectives. The likelihood of achievement is affected by limitations inherent in all
internal control systems. These include the realities that judgments in decision-making can be faulty, and
that breakdowns can occur because of simple error or mistake. Additionally, controls can be circumvented
by the collusion of two or more people, and management has the ability to override the system. Another
limiting factor is that the design of an internal control system must reflect the fact that there are resource
constraints, and the benefits of controls must be considered relative to their costs.

Thus, while internal control can help an entity achieve its objectives, it is not a panacea.

Roles and Responsibilities

Everyone in an organization has responsibility for internal control.

 Management — The chief executive officer is ultimately responsible and should assume "ownership" of the
system. More than any other individual, the chief executive sets the "tone at the top" that affects integrity and

ethics and other factors of a positive control environment. In a large company, the chief executive fulfills this
duty by providing leadership and direction to senior managers and reviewing the way they're controlling the
business. Senior managers, in turn, assign responsibility for establishment of more specific internal control
policies and procedures to personnel responsible for the unit's functions. In a smaller entity, the influence of the
chief executive, often an owner-manager, is usually more direct. In any event, in a cascading responsibility, a
manager is effectively a chief executive of his or her sphere of responsibility. Of particular significance are
financial officers and their staffs, whose control activities cut across, as well as up and down, the operating and
other units of an enterprise.
 Board of Directors — Management is accountable to the board of directors, which provides governance,
guidance and oversight. Effective board members are objective, capable and inquisitive. They also have a
knowledge of the entity's activities and environment, and commit the time necessary to fulfill their board
responsibilities. Management may be in a position to override controls and ignore or stifle communications from
subordinates, enabling a dishonest management which intentionally misrepresents results to cover its tracks. A
strong, active board, particularly when coupled with effective upward communications channels and capable
financial, legal and internal audit functions, is often best able to identify and correct such a problem.
 Internal Auditors — Internal auditors play an important role in evaluating the effectiveness of control systems,
and contribute to ongoing effectiveness. Because of organizational position and authority in an entity, an internal
audit function often plays a significant monitoring role.
 Other Personnel — Internal control is, to some degree, the responsibility of everyone in an organization and
therefore should be an explicit or implicit part of everyone's job description. Virtually all employees produce
information used in the internal control system or take other actions needed to effect control. Also, all personnel
should be responsible for communicating upward problems in operations, noncompliance with the code of
conduct, or other policy violations or illegal actions.

A number of external parties often contribute to achievement of an entity's objectives. External auditors, bringing
an independent and objective view, contribute directly through the financial statement audit and indirectly by
providing information useful to management and the board in carrying out their responsibilities. Others providing
information to the entity useful in effecting internal control are legislators and regulators, customers and others
transacting business with the enterprise, financial analysts, bond raters and the news media. External parties,
however, are not responsible for, nor are they a part of, the entity's internal control system.

Organization of this Report

This report is in four volumes.‡ The first is this Executive Summary, a high-level overview of the internal control
framework directed to the chief executive and other senior executives, board members, legislators and
regulators.

The second volume, the Framework, defines internal control, describes its components and provides criteria
against which managements, boards or others can assess their control systems.

The third volume, Reporting to External Parties, is a supplemental document providing guidance to those entities
that report publicly on internal control over preparation of their published financial statements, or are
contemplating doing so.

The fourth volume, Evaluation Tools, provides materials that may be useful in conducting an evaluation of an
internal control system.

What to Do

Actions that might be taken as a result of this report depend on the position and role of the parties involved:

 Senior Management — Most senior executives who contributed to this study believe they are basically "in
control" of their organizations. Many said, however, that there are areas of their company — a division, a
department or a control component that cuts across activities — where controls are in early stages of
development or otherwise need to be strengthened. They do not like surprises. This study suggests that the
chief executive initiate a self-assessment of the control system. Using this framework, a CEO, together with key
operating and financial executives, can focus attention where needed. Under one approach, the chief executive
could proceed by bringing together business unit heads and key functional staff to discuss an initial assessment
of control. Directives would be provided for those individuals to discuss this report's concepts with their lead
personnel, provide oversight of the initial assessment process in their areas of responsibility and report back
findings. Another approach might involve an initial review of corporate and business unit policies and internal
audit programs. Whatever its form, an initial self-assessment should determine whether there is a need for, and
how to proceed with, a broader, more in-depth evaluation. It should also ensure that ongoing monitoring
processes are in place. Time spent in evaluating internal control represents an investment, but one with a high
return.
 Board Members — Members of the board of directors should discuss with senior management the state of the
entity's internal control system and provide oversight as needed. They should seek input from the internal and
external auditors.
 Other Personnel — Managers and other personnel should consider how their control responsibilities are being
conducted in light of this framework, and discuss with more senior personnel ideas for strengthening control.
Internal auditors should consider the breadth of their focus on the internal control system, and may wish to
compare their evaluation materials to the evaluation tools.
 Legislators and Regulators — Government officials who write or enforce laws recognize that there can be
misconceptions and different expectations about virtually any issue. Expectations for internal control vary
widely in two respects. First, they differ regarding what control systems can accomplish. As noted, some
observers believe internal control systems will, or should, prevent economic loss, or at least prevent
companies from going out of business. Second, even when there is agreement about what internal control
systems can and can't do, and about the validity of the "reasonable assurance" concept, there can be
disparate views of what that concept means and how it will be applied. Corporate executives have
expressed concern regarding how regulators might construe public reports asserting "reasonable
assurance" in hindsight after an alleged control failure has occurred. Before legislation or regulation
dealing with management reporting on internal control is acted upon, there should be agreement on a
common internal control framework, including limitations of internal control. This framework should be
helpful in reaching such agreement.

 Professional Organizations — Rule-making and other professional organizations providing guidance on financial
management, auditing and related topics should consider their standards and guidance in light of this
framework. To the extent diversity in concept and terminology is eliminated, all parties will benefit.
 Educators — This framework should be the subject of academic research and analysis, to see where future
enhancements can be made. With the presumption that this report becomes accepted as a common ground for
understanding, its concepts and terms should find their way into university curricula.

We believe this report offers a number of benefits. With this foundation for mutual understanding, all parties will
be able to speak a common language and communicate more effectively. Business executives will be positioned
to assess control systems against a standard, and strengthen the systems and move their enterprises toward
established goals. Future research can be leveraged off an established base. Legislators and regulators will be
able to gain an increased understanding of internal control, its benefits and limitations. With all parties utilizing a
common internal control framework, these benefits will be realized.

Footnotes

‡ The COSO report was issued in September 1992 as a four-volume set. An addendum to Reporting to
External Parties was issued in May 1994. In this 1994 edition, the first three volumes and the addendum
are combined and printed in one volume and Evaluation Tools in a second one.

Framework

Chapter 1 — Definition
Chapter Summary: Internal control is defined as a process, effected by an entity's people, designed to
accomplish specified objectives. The definition is broad, encompassing all aspects of controlling a business, yet
facilitates a directed focus on specific objectives. Internal control consists of five interrelated components, which
are inherent in the way management runs the enterprise. The components are linked, and serve as criteria for
determining whether the system is effective.

A key objective of this study is to help management of businesses and other entities better control their
organizations' activities. But internal control means different things to different people. And the wide variety of
labels and meanings prevents a common understanding of internal control. An important goal, then, is to
integrate various internal control concepts into a framework in which a common definition is established and
control components are identified. This framework is designed to accommodate most viewpoints and provide a
starting point for individual entities' assessments of internal control, for future initiatives of rule-making bodies
and for education.

Internal Control

Internal control is defined as follows:

Internal control is a process, effected by an entity's board of directors, management and other personnel,
designed to provide reasonable assurance regarding the achievement of objectives in the following categories:

 Effectiveness and efficiency of operations.
 Reliability of financial reporting.
 Compliance with applicable laws and regulations.

This definition reflects certain fundamental concepts:

 Internal control is a process. It's a means to an end, not an end in itself.
 Internal control is effected by people. It's not merely policy manuals and forms, but people at every level of an
organization.
 Internal control can be expected to provide only reasonable assurance, not absolute assurance, to an entity's
management and board.
 Internal control is geared to the achievement of objectives in one or more separate but overlapping categories.

This definition of internal control is broad for two reasons. First, it is the way most senior executives interviewed
view internal control in managing their businesses‡. In fact, they often speak in terms of "control" and being "in
control."

Second, it accommodates subsets of internal control. Those who want to can focus separately, for example, on
controls over financial reporting or controls related to compliance with laws and regulations. Similarly, a directed
focus on controls in particular units or activities of an entity can be accommodated.

The definition also provides a basis for defining internal control effectiveness, discussed later in this chapter. The
fundamental concepts outlined above are discussed in the following paragraphs.

A Process‡

Internal control is not one event or circumstance, but a series of actions that permeate an entity's activities.
These actions are pervasive, and are inherent in the way management runs the business.

Business processes, which are conducted within or across organization units or functions, are managed through
the basic management processes of planning, executing and monitoring. Internal control is a part of these
processes and is integrated with them. It enables them to function and monitors their conduct and continued
relevancy. It is a tool used by management, not a substitute for management.

This conceptualization of internal control is very different from the perspective of some observers who view
internal control as something added on to an entity's activities, or as a necessary burden, imposed by regulators
or by the dictates of overzealous bureaucrats. The internal control system is intertwined with an entity's
operating activities and exists for fundamental business reasons. Internal controls are most effective when they
are built into the entity's infrastructure and are part of the essence of the enterprise. They should be "built in"
rather than "built on."

"Building in" controls can directly affect an entity's ability to reach its goals, and supports businesses' quality
initiatives. The quest for quality is directly linked to how businesses are run, and how they are controlled. Quality
initiatives become part of the operating fabric of an enterprise, as evidenced by:

• Senior executive leadership ensuring that quality values are built into the way a company does business.
• Establishing quality objectives linked to the entity's information collection and analysis and other processes.
• Using the knowledge of competitive practices and customer expectations to drive continuous quality improvement.

These quality factors parallel those in effective internal control systems. In fact, internal control not only is
integrated with quality programs, it usually is critical to their success.

Building in controls also has important implications to cost containment and response time:

• Most enterprises are faced with highly competitive marketplaces and a need to contain costs. Adding new procedures separate from existing ones adds costs. By focusing on existing operations and their contribution to effective internal control, and building controls into basic operating activities, an enterprise often can avoid unnecessary procedures and costs.
• A practice of building controls into the fabric of operations helps trigger development of new controls necessary to new business activities. Such automatic reaction makes entities more nimble and competitive.

People

Internal control is effected by a board of directors, management and other personnel in an entity. It is
accomplished by the people of an organization, by what they do and say. People establish the entity's objectives
and put control mechanisms in place.

Similarly, internal control affects people's actions. Internal control recognizes that people do not always
understand, communicate or perform consistently. Each individual brings to the workplace a unique background
and technical ability, and has different needs and priorities.

These realities affect, and are affected by, internal control. People must know their responsibilities and limits of
authority. Accordingly, a clear and close linkage needs to exist between people's duties and the way in which
they are carried out, as well as with the entity's objectives.

The organization's people include the board of directors, as well as management and other personnel. Although
directors might be viewed as primarily providing oversight, they also provide direction and approve certain
transactions and policies. As such, boards of directors are an important element of internal control.

Reasonable Assurance

Internal control, no matter how well designed and operated, can provide only reasonable assurance to
management and the board of directors regarding achievement of an entity's objectives. The likelihood of
achievement is affected by limitations inherent in all internal control systems. These include the realities that
human judgment in decision-making can be faulty, persons responsible for establishing controls need to
consider their relative costs and benefits, and breakdowns can occur because of human failures such as simple
error or mistake. Additionally, controls can be circumvented by collusion of two or more people. Finally,
management has the ability to override the internal control system.

Objectives

Every entity sets out on a mission, establishing objectives it wants to achieve and strategies for achieving them.
Objectives may be set for an entity as a whole, or be targeted to specific activities within the entity. Though
many objectives are specific to a particular entity, some are widely shared. For example, objectives common to
virtually all entities are achieving and maintaining a positive reputation within the business and consumer
communities, providing reliable financial statements to stakeholders, and operating in compliance with laws and
regulations.

For this study, objectives fall into three categories:

• Operations — relating to effective and efficient use of the entity's resources.
• Financial reporting — relating to preparation of reliable published financial statements.
• Compliance — relating to the entity's compliance with applicable laws and regulations.

This categorization allows focusing on separate aspects of internal control. These distinct but overlapping
categories (a particular objective can fall under more than one category) address different needs and may be the
direct responsibility of different executives. This categorization also allows distinguishing between what can be
expected from each category of internal control.

An internal control system can be expected to provide reasonable assurance of achieving objectives relating to
the reliability of financial reporting and compliance with laws and regulations. Achievement of those objectives,
which are based largely on standards imposed by external parties, depends on how activities within the entity's
control are performed.

However, achievement of operations objectives — such as a particular return on investment, market share or
entry into new product lines — is not always within the entity's control. Internal control cannot prevent bad
judgments or decisions, or external events that can cause a business to fail to achieve operations goals. For
these objectives, the internal control system can provide reasonable assurance only that management and, in its
oversight role, the board are made aware, in a timely manner, of the extent to which the entity is moving toward
those objectives.

Components

Internal control consists of five interrelated components. These are derived from the way management runs a
business, and are integrated with the management process. The components are:

• Control Environment — The core of any business is its people - their individual attributes, including integrity, ethical values and competence - and the environment in which they operate. They are the engine that drives the entity and the foundation on which everything rests.
• Risk Assessment — The entity must be aware of and deal with the risks it faces. It must set objectives, integrated with the sales, production, marketing, financial and other activities so that the organization is operating in concert. It also must establish mechanisms to identify, analyze and manage the related risks.

Exhibit 1

Internal Control Components

The control environment provides an atmosphere in which people conduct their activities and carry out
their control responsibilities. It serves as the foundation for the other components. Within this
environment, management assesses risks to the achievement of specified objectives. Control activities
are implemented to help ensure that management directives to address the risks are carried out.
Meanwhile, relevant information is captured and communicated throughout the organization. The entire
process is monitored and modified as conditions warrant.

• Control Activities — Control policies and procedures must be established and executed to help ensure that the actions identified by management as necessary to address risks to achievement of the entity's objectives are effectively carried out.
• Information and Communication — Surrounding these activities are information and communication systems. These enable the entity's people to capture and exchange the information needed to conduct, manage and control its operations.
• Monitoring — The entire process must be monitored, and modifications made as necessary. In this way, the system can react dynamically, changing as conditions warrant.

These internal control components and their linkages are depicted in a model, presented in Exhibit 1. The model
depicts the dynamism of internal control systems. For example, the assessment of risks not only influences the
control activities, but also may highlight a need to reconsider information and communication needs, or the
entity's monitoring activities. Thus, internal control is not a serial process, where one component affects only the
next. It is a multidirectional iterative process in which almost any component can and will influence another.

No two entities will, or should, have the same internal control system. Companies and their internal control
needs differ dramatically by industry and size, and by culture and management philosophy. Thus, while all
entities need each of the components to maintain control over their activities, one company's internal control
system often will look very different from another's.

Relationship of Objectives and Components

There is a direct relationship between objectives, which are what an entity strives to achieve, and the
components, which represent what is needed to achieve the objectives. The relationship can be depicted by a
three-dimensional matrix, shown in Exhibit 2:

• The three objectives categories — operations, financial reporting and compliance — are represented by the vertical columns.
• The five components are represented by rows.
• The units or activities of an entity, to which internal control relates, are depicted by the third dimension of the matrix.

Each component row "cuts across" and applies to all three objectives categories. An example is depicted
separately at the bottom right of the exhibit, as a "pull out" section: Financial and nonfinancial data generated
from internal and external sources, which is part of the information and communication component, is needed to
effectively manage business operations, develop reliable financial statements and determine that the entity is
complying with applicable laws. Another example (not depicted separately), the establishment and execution of
control policies and procedures to ensure that management plans, programs and other directives are carried out
— representing the control activities component — is also relevant to all three objectives categories.

Exhibit 2

Relationship of Objectives and Components

Similarly, looking at the objectives categories, all five components are relevant to each. Taking one category,
effectiveness and efficiency of operations, for example, all five components are applicable and important to its
achievement. This is illustrated separately at the bottom right of the exhibit.

Internal control is relevant to an entire enterprise, or to one of its parts. This relationship is depicted by the third
dimension, which represents subsidiaries, divisions or other business units, or functional or other activities such
as purchasing, production and marketing. Accordingly, one could focus on any one of the matrix's cells. For
instance, one could consider the bottom-left-front cell, representing the control environment as it relates to the
operations objectives of a particular company division.

Effectiveness

Different entities' internal control systems operate at different levels of effectiveness. Similarly, a particular
system may operate differently at different times. When an internal control system meets the following standard,
it can be deemed "effective."

Internal control can be judged effective in each of the three categories, respectively, if the board of directors and
management have reasonable assurance that:

• They understand the extent to which the entity's operations objectives are being achieved.
• Published financial statements are being prepared reliably.
• Applicable laws and regulations are being complied with.

While internal control is a process, its effectiveness is a state or condition of the process at a point in time.

Determining whether a particular internal control system is "effective" is a subjective judgment resulting from an
assessment of whether the five components are present and functioning effectively. Their effective functioning
provides the reasonable assurance regarding achievement of one or more of the stated categories of objectives.
Thus, these components are also criteria for effective internal control.

Although all five criteria must be satisfied, this does not mean that each component should function identically,
or even at the same level, in different entities. Some trade-offs may exist between components. Because
controls can serve a variety of purposes, controls in one component can serve the purpose of controls that might
normally be present in another component. Additionally, controls can differ in the degree to which they address a
particular risk, so that complementary controls, each with limited effect, together can be satisfactory.

These components and criteria apply to an entire internal control system, or to one or more objectives
categories. When considering any one category — controls over financial reporting, for example — all five
criteria must be satisfied in order to conclude that internal control over financial reporting is effective.

The following chapters should be considered when determining whether an internal control system is effective. It
should be recognized:

• Because internal control is a part of the management process, the components are discussed in the context of what management does in running a business. Not everything management does, however, is an element of internal control. Establishment of objectives, for example, while an important management responsibility, is a precondition to internal control. Similarly, many decisions and actions by management do not represent internal control. Exhibit 3 lists common management actions and indicates which ones are considered components of internal control. (This listing purports neither to be all-inclusive nor to depict the only way to describe management activities.)
• The principles discussed apply to all entities, regardless of size. While some small and mid-size entities may implement component factors differently than large ones, they still can have effective internal control. Each component chapter has a section illustrating such circumstances.
• Each component chapter contains an "evaluation" section with factors one might consider in evaluating the component. Those factors are not intended to be all-inclusive, nor are all of them relevant to every circumstance. They are offered as illustrations for developing a more comprehensive or tailored evaluation program.

Exhibit 3

Chapter 2 — Control Environment

Chapter Summary: The control environment sets the tone of an organization, influencing the control
consciousness of its people. It is the foundation for all other components of internal control, providing discipline
and structure. Control environment factors include the integrity, ethical values and competence of the entity's
people; management's philosophy and operating style; the way management assigns authority and
responsibility, and organizes and develops its people; and the attention and direction provided by the board of
directors.

The control environment has a pervasive influence on the way business activities are structured, objectives
established and risks assessed. It also influences control activities, information and communication systems,
and monitoring activities. This is true not only of their design, but also the way they work day to day. The control
environment is influenced by the entity's history and culture. It influences the control consciousness of its people.
Effectively controlled entities strive to have competent people, instill an enterprise-wide attitude of integrity and
control consciousness, and set a positive "tone at the top." They establish appropriate policies and procedures,
often including a written code of conduct, which foster shared values and teamwork in pursuit of the entity's
objectives.

Control Environment Factors

The control environment encompasses factors discussed below. Although all are important, the extent to which
each is addressed will vary with the entity. For example, the chief executive of an entity with a small workforce
and centralized operations may not establish formal lines of responsibility and detailed operating policies, but
could nevertheless have an appropriate control environment.

Integrity and Ethical Values

An entity's objectives and the way they are achieved are based on preferences, value judgments and
management styles. Those preferences and value judgments, which are translated into standards of behavior,
reflect management's integrity and its commitment to ethical values.

Because an entity's good reputation is so valuable, the standard of behavior must go beyond mere compliance
with law. In awarding reputation to the best companies, society expects more than that.

The effectiveness of internal controls cannot rise above the integrity and ethical values of the people who create,
administer and monitor them. Integrity and ethical values are essential elements of the control environment,
affecting the design, administration and monitoring of other internal control components.

Integrity is a prerequisite for ethical behavior in all aspects of an enterprise's activities. As the Treadway
Commission reported, "A strong corporate ethical climate at all levels is vital to the well-being of the corporation,
all of its constituencies, and the public at large. Such a climate contributes importantly to the effectiveness of
company policies and control systems, and helps influence behavior that is not subject to even the most
elaborate system of controls."‡

Establishing ethical values often is difficult because of the need to consider the concerns of several parties. Top
management's values must balance the concerns of the enterprise, its employees, suppliers, customers,
competitors and the public. Balancing these concerns can be a complex and frustrating effort because interests
often are at odds. For example, providing an essential product (petroleum, lumber or food) may cause some
environmental concerns.

Managers of well-run enterprises have increasingly accepted the view that "ethics pays" — that ethical behavior
is good business. Positive and negative examples abound. The well-publicized handling by a pharmaceutical
company of a crisis involving tampering with one of its major products was both sound ethics and sound
business. The impact on customer relations or stock prices of slowly leaked bad news, such as profit shortfalls
or illegal acts, generally is worse than if full disclosures are made as quickly as possible.

Focusing solely on short-term results can hurt even in the short term. Concentration on the bottom line — sales
or profit at any cost — often evokes unsought actions and reactions. High-pressure sales tactics, ruthlessness in
negotiations or implicit offers of kickbacks, for instance, may evoke reactions that can have immediate (as well
as lasting) effects.

Ethical behavior and management integrity are a product of the "corporate culture." Corporate culture includes
ethical and behavioral standards, how they are communicated and how they are reinforced in practice. Official
policies specify what management wants to happen. Corporate culture determines what actually happens, and
which rules are obeyed, bent or ignored. Top management — starting with the CEO — plays a key role in
determining the corporate culture. The CEO usually is the dominant personality in an organization, and
individually often sets its ethical tone.

Incentives and Temptations. A study‡ several years ago suggested that certain organizational factors can
influence the likelihood of fraudulent and questionable financial reporting practices. Those same factors also are
likely to influence ethical behavior.

Individuals may engage in dishonest, illegal or unethical acts simply because their organizations give them
strong incentives or temptations to do so. Emphasis on "results," particularly in the short term, fosters an
environment in which the price of failure becomes very high.

Incentives cited for engaging in fraudulent or questionable financial reporting practices and, by extension, other
forms of unethical behavior are:

• Pressure to meet unrealistic performance targets, particularly for short-term results,
• High performance-dependent rewards, and
• Upper and lower cutoffs on bonus plans.

The study also cites "temptations" for employees to engage in improper acts:

• Nonexistent or ineffective controls, such as poor segregation of duties in sensitive areas, that offer temptations to steal or to conceal poor performance.
• High decentralization that leaves top management unaware of actions taken at lower organizational levels and thereby reduces the chances of getting caught.
• A weak internal audit function that does not have the ability to detect and report improper behavior.
• An ineffective board of directors that does not provide objective oversight of top management.
• Penalties for improper behavior that are insignificant or unpublicized and thus lose their value as deterrents.

Removing or reducing these incentives and temptations can go a long way toward diminishing undesirable
behavior. As suggested, this can be achieved following sound and profitable business practices. For example,
performance incentives — accompanied by appropriate controls — can be a useful management technique as
long as the performance targets are realistic. Setting realistic performance targets is a sound motivational
practice; it reduces counterproductive stress as well as the incentive for fraudulent financial reporting that
unrealistic targets create. Similarly, a well-controlled reporting system can serve as a safeguard against
temptation to misstate performance.

Providing and Communicating Moral Guidance. In addition to the incentives and temptations just discussed,
the aforementioned study found a third cause of fraudulent and questionable financial reporting practices:
ignorance. The study found that "in many of the companies that have suffered instances of deceptive financial
reporting, the people involved either did not know what they were doing was wrong or erroneously believed they
were acting in the organization's best interest." This ignorance is often caused by poor moral background or
guidance, rather than by an intent to deceive. Thus, not only must ethical values be communicated, but explicit
guidance must be given regarding what is right and wrong.

The most effective way of transmitting a message of ethical behavior throughout the organization is by example.
People imitate their leaders. Employees are likely to develop the same attitudes about what's right and wrong —

and about internal control — as those shown by top management. Knowledge that the CEO has "done the right
thing" ethically when faced with a tough business decision sends a strong message to all levels of the
organization.

Setting a good example is not enough. Top management should verbally communicate the entity's values and
behavioral standards to employees. A study‡ some years ago noted that a formal code of corporate conduct is
"a widely used method of communicating to employees the company's expectations about duty and integrity."
Codes address a variety of behavioral issues, such as integrity and ethics, conflicts of interest, illegal or
otherwise improper payments, and anti-competitive arrangements. Spurred in part by revelations of scandals in
the defense industry, many companies have adopted such codes in recent years, along with necessary
communications channels and monitoring. While codes of conduct can be helpful, they are not the only way to
transmit an organization's ethical values to employees, suppliers and customers.

Existence of a written code of conduct, and even documentation that employees received and understand it,
does not ensure that it is being followed. Compliance with ethical standards, whether or not embodied in a
written code of conduct, is best ensured by top management's actions and examples. Of particular importance
are resulting penalties to employees who violate such codes, mechanisms that exist to encourage employee
reporting of suspected violations, and disciplinary actions against employees who fail to report violations.
Messages sent by management's actions in these situations quickly become embodied in the corporate culture.

Commitment to Competence

Competence should reflect the knowledge and skills needed to accomplish tasks that define the individual's job.
How well these tasks need to be accomplished generally is a management decision which should be made
considering the entity's objectives and management's strategies and plans for achievement of the objectives.
There often is a trade-off between competence and cost — it is not necessary, for instance, to hire an electrical
engineer to change a light bulb.

Management needs to specify the competence levels for particular jobs and to translate those levels into
requisite knowledge and skills. The necessary knowledge and skills may in turn depend on individuals'
intelligence, training and experience. Among the many factors considered in developing knowledge and skill
levels are the nature and degree of judgment to be applied to a specific job. There often can be a trade-off
between the extent of supervision and the requisite competence level of the individual.

Board of Directors or Audit Committee

The control environment and "tone at the top" are influenced significantly by the entity's board of directors and
audit committee. Factors include the board or audit committee's independence from management, experience
and stature of its members, extent of its involvement and scrutiny of activities, and the appropriateness of its
actions. Another factor is the degree to which difficult questions are raised and pursued with management

regarding plans or performance. Interaction of the board or audit committee with internal and external auditors is
another factor affecting the control environment.

Because of its importance, an active and involved board of directors, board of trustees or comparable body —
possessing an appropriate degree of management, technical and other expertise coupled with the necessary
stature and mind-set so that it can adequately perform the necessary governance, guidance and oversight
responsibilities — is critical to effective internal control. And, because a board must be prepared to question and
scrutinize management's activities, present alternative views and have the courage to act in the face of obvious
wrongdoing, it is necessary that the board contain outside directors. Certainly, officers and employees often are
highly effective and important board members, bringing knowledge of the company to the table. But there must
be a balance. Although small and even mid-size companies may find it difficult to attract or incur the cost of
having a majority of outside directors — usually not the case with large organizations — it is important that the
board contain at least a critical mass of outside directors. The number should suit the entity's circumstances, but
more than one outside director normally would be needed for a board to have the requisite balance.

The need for and responsibilities of boards of directors and audit committees are discussed further below under
"Application to Small and Mid-Size Entities," and in Chapter 8.

Management's Philosophy and Operating Style

Management's philosophy and operating style affect the way the enterprise is managed, including the kinds of
business risks accepted. An entity that has been successful taking significant risks may have a different outlook
on internal control than one that has faced harsh economic or regulatory consequences as a result of venturing
into dangerous territory. An informally managed company may control operations largely by face-to-face contact
with key managers. A more formally managed one may rely more on written policies, performance indicators and
exception reports.

Other elements of management's philosophy and operating style include attitudes toward financial reporting,
conservative or aggressive selection from available alternative accounting principles, conscientiousness and
conservatism with which accounting estimates are developed, and attitudes toward data processing and
accounting functions and personnel. How management meets its responsibilities is discussed further in Chapter
8.

Organizational Structure

An entity's organizational structure provides the framework within which its activities for achieving entity-wide
objectives are planned, executed, controlled and monitored. Activities may relate to what is sometimes referred
to as the value chain: inbound (receiving) activities, operations or production, outbound (shipping), marketing,
sales and service. There may be support functions, relating to administration, human resources or technology
development.‡

Significant aspects of establishing a relevant organizational structure include defining key areas of authority and
responsibility and establishing appropriate lines of reporting. For example, the internal audit department should
have unrestricted access to a senior officer who is not directly responsible for preparing the company's financial
statements and has sufficient authority to ensure appropriate audit coverage and to follow up on findings and
recommendations.

An entity develops an organizational structure suited to its needs. Some are centralized, others decentralized.
Some have direct reporting relationships, others are more of a matrix organization. Some entities are organized
by industry or product line, by geographical location or by a particular distribution or marketing network. Other
entities, including many state and local governmental units and not-for-profit institutions, are organized on a
functional basis.

The appropriateness of an entity's organizational structure depends, in part, on its size and the nature of its
activities. A highly structured organization, including formal reporting lines and responsibilities, may be
appropriate for a large entity with numerous operating divisions, including foreign operations. However, it could
impede the necessary flow of information in a small entity. Whatever the structure, an entity's activities will be
organized to carry out the strategies designed to achieve particular objectives.

Assignment of Authority and Responsibility

This includes assignment of authority and responsibility for operating activities, and establishment of reporting
relationships and authorization protocols. It involves the degree to which individuals and teams are encouraged
to use initiative in addressing issues and solving problems, as well as limits of their authority. It also deals with
policies describing appropriate business practices, knowledge and experience of key personnel, and resources
provided for carrying out duties.

There is a growing tendency to push authority downward to bring decision-making closer to frontline personnel.
An entity may take this tack to become more market-driven or quality focused - perhaps to eliminate defects,
reduce cycle time or increase customer satisfaction. To do so, the enterprise needs to recognize and respond to
changing priorities in market opportunities, business relationships and public expectations. Alignment of
authority and accountability often is designed to encourage individual initiatives, within limits. Delegation of
authority, or "empowerment," means surrendering central control of certain business decisions to lower echelons
- to the individuals who are closest to everyday business transactions. This may involve empowerment to sell
products at discount prices; negotiate long-term supply contracts, licenses or patents; or enter alliances or joint
ventures.

A critical challenge is to delegate only to the extent required to achieve objectives. This requires ensuring that
risk acceptance is based on sound practices for identification and minimization of risk, including sizing risks and
weighing potential losses versus gains in arriving at good business decisions.

Another challenge is ensuring that all personnel understand the entity's objectives. It is essential that each
individual knows how his or her actions interrelate and contribute to achievement of the objectives.

Increased delegation sometimes is accompanied by or the result of streamlining or "flattening" of an entity's
organizational structure, and is intentional. Purposeful structural change to encourage creativity, initiative and
the capability to react quickly can enhance competitiveness and customer satisfaction. Such increased
delegation may carry an implicit requirement for a higher level of employee competence, as well as greater
accountability. It also requires effective procedures for management to monitor results. Along with better,
market-driven decisions, empowerment may increase the number of undesirable or unanticipated decisions. If a
district sales manager decides that authorization to sell at 35% off list justifies a temporary 45% discount to gain
market share, management may need to know so that it can overrule or accept such decisions going forward.

The control environment is greatly influenced by the extent to which individuals recognize that they will be held
accountable. This holds true all the way to the chief executive, who has ultimate responsibility for all activities
within an entity, including the internal control system.

Human Resource Policies and Practices

Human resource practices send messages to employees regarding expected levels of integrity, ethical behavior
and competence. Such practices relate to hiring, orientation, training, evaluating, counseling, promoting,
compensating and remedial actions. For example, standards for hiring the most qualified individuals, with
emphasis on educational background, prior work experience, past accomplishments and evidence of integrity
and ethical behavior, demonstrate an entity's commitment to competent and trustworthy people. Recruiting
practices that include formal, in-depth employment interviews and informative and insightful presentations on the
entity's history, culture and operating style send a message that the entity is committed to its people. Training
policies that communicate prospective roles and responsibilities and include practices such as training schools
and seminars, simulated case studies and role-play exercises, illustrate expected levels of performance and
behavior. Rotation of personnel and promotions driven by periodic performance appraisals demonstrate the
entity's commitment to the advancement of qualified personnel to higher levels of responsibility. Competitive
compensation programs that include bonus incentives serve to motivate and reinforce outstanding performance.
Disciplinary actions send a message that violations of expected behavior will not be tolerated.

It is essential that personnel be equipped for new challenges as issues that enterprises face change and
become more complex — driven in part by rapidly changing technologies and increasing competition. Education
and training, whether classroom instruction, self-study or on-the-job training, must prepare an entity's people to
keep pace and deal effectively with the evolving environment. They will also strengthen the entity's ability to
effect quality initiatives. Hiring of competent people and one-time training are not enough. The education
process must be ongoing.

Differences and Implications


The control environment of an entity's autonomous operating divisions and foreign and domestic subsidiaries
can vary widely due to differences in senior operating management's preferences, value judgments and
management styles. These control environments may vary for any number of reasons. Since no two operating
divisions or foreign or domestic subsidiaries are managed in the same way, it is unlikely that control
environments will be the same. It is important, therefore, to recognize the effect that varying control
environments can have on the other components of a system of internal control.

The impact of an ineffective control environment could be far reaching, possibly resulting in a financial loss, a
tarnished public image or a business failure. Consider, for example, the case of a defense contractor generally
considered to have effective internal control. The company had well-designed information systems and control
activities, extensive policy manuals prescribing control functions, and extensive reconciling and supervisory
routines. It underwent frequent government audits. The control environment, however, was significantly flawed.
Senior management did not want to know if wrongdoing occurred. Even when signs of fraudulent activities
became strong, senior management officials practiced denial. The defense contractor was found to have
engaged in fraudulent activities at the Pentagon, was assessed a significant fine and suffered public
embarrassment from extensive media coverage.

The attitude and concern of top management for effective internal control must permeate the organization. It is
not sufficient to say the right words. An attitude of "do as I say, not as I do" surely will bring about an unhealthy
environment.

Application to Small and Mid-Size Entities

While every entity should embrace the concepts underlying the discussion in this chapter, small and mid-size
entities may implement the control environment factors differently than larger entities. For example, a small
company might not have a written code of conduct, but that does not necessarily mean the company could not
have a culture that emphasizes the importance of integrity and ethical behavior. Through the visibility and direct
involvement of the CEO or owner-manager and top managers, their commitment to integrity and ethical behavior
can be communicated orally — in staff meetings, one-on-one meetings and dealings with vendors and
customers. Their own integrity and behavior, however, is critical and must be consistent with the oral message
because of the first-hand contact that employees have with them. Usually, the fewer the levels of management,
the faster the message is carried through an organization of what conduct is acceptable.

Similarly, human resource policies may not be formalized, as one would expect in a larger entity. Policies and
practices can nevertheless exist and be communicated. The CEO can orally make explicit his or her
expectations about the type of person to be hired to fill a particular job, and may even be active in the hiring
process. Formal documentation is not always necessary for a policy to be in place and operating effectively.

Because of the critical importance of a board of directors or comparable body, even small entities generally need
the benefit of such a body for effective internal control. As noted, often it is more difficult and costly for a small
company to maintain a majority of outside directors — and it may be unnecessary to do so. The needed
independence often can be gained with a smaller number of outside directors. The overriding factor is that there
exists what can be termed a "critical mass," which, simply, is enough outside directors to see that the board
raises the tough issues and takes the difficult actions when necessary. There is one exception to the general
need for such a board. Where an entity is owner-managed, and does not go outside for capital, a board, though
perhaps still useful, usually is not essential to effective internal control.

Evaluation

An evaluator should consider each control environment factor in determining whether a positive control
environment exists. Listed below are issues on which one might focus. This list is not all-inclusive, nor will every
item apply to every entity; it can, however, serve as a starting point. Although some of the items are highly
subjective and require considerable judgment, they generally are relevant to control environment effectiveness.

Integrity and Ethical Values

• Existence and implementation of codes of conduct and other policies regarding acceptable business practice,
conflicts of interest, or expected standards of ethical and moral behavior.
• Dealings with employees, suppliers, customers, investors, creditors, insurers, competitors, and auditors, etc.
(e.g., whether management conducts business on a high ethical plane, and insists that others do so, or pays
little attention to ethical issues).
• Pressure to meet unrealistic performance targets — particularly for short-term results — and extent to which
compensation is based on achieving those performance targets.

Commitment to Competence

• Formal or informal job descriptions or other means of defining tasks that comprise particular jobs.
• Analyses of the knowledge and skills needed to perform jobs adequately.

Board of Directors or Audit Committee

• Independence from management, such that necessary, even if difficult and probing, questions are raised.
• Frequency and timeliness with which meetings are held with chief financial and/or accounting officers, internal
auditors and external auditors.
• Sufficiency and timeliness with which information is provided to board or committee members, to allow
monitoring of management's objectives and strategies, the entity's financial position and operating results, and
terms of significant agreements.
• Sufficiency and timeliness with which the board or audit committee is apprised of sensitive information,
investigations and improper acts (e.g., travel expenses of senior officers, significant litigation, investigations of
regulatory agencies, defalcations, embezzlement or misuse of corporate assets, violations of insider trading
rules, political payments, illegal payments).

Management's Philosophy and Operating Style

• Nature of business risks accepted, e.g., whether management often enters into particularly high-risk ventures, or
is extremely conservative in accepting risks.
• Frequency of interaction between senior management and operating management, particularly when operating
from geographically removed locations.
• Attitudes and actions toward financial reporting, including disputes over application of accounting treatments
(e.g., selection of conservative versus liberal accounting policies; whether accounting principles have been
misapplied, important financial information not disclosed, or records manipulated or falsified).

Organizational Structure

• Appropriateness of the entity's organizational structure, and its ability to provide the necessary information flow
to manage its activities.
• Adequacy of definition of key managers' responsibilities, and their understanding of these responsibilities.
• Adequacy of knowledge and experience of key managers in light of responsibilities.

Assignment of Authority and Responsibility

• Assignment of responsibility and delegation of authority to deal with organizational goals and objectives,
operating functions and regulatory requirements, including responsibility for information systems and
authorizations for changes.
• Appropriateness of control-related standards and procedures, including employee job descriptions.
• Appropriate numbers of people, particularly with respect to data processing and accounting functions, with the
requisite skill levels relative to the size of the entity and nature and complexity of activities and systems.

Human Resource Policies and Practices

• Extent to which policies and procedures for hiring, training, promoting and compensating employees are in
place.
• Appropriateness of remedial action taken in response to departures from approved policies and procedures.
• Adequacy of employee candidate background checks, particularly with regard to prior actions or activities
considered to be unacceptable by the entity.
• Adequacy of employee retention and promotion criteria and information-gathering techniques (e.g., performance
evaluations) and relation to the code of conduct or other behavioral guidelines.

Chapter 3 — Risk Assessment
Chapter Summary: Every entity faces a variety of risks from external and internal sources that must be
assessed. A precondition to risk assessment is establishment of objectives, linked at different levels and
internally consistent. Risk assessment is the identification and analysis of relevant risks to achievement of the
objectives, forming a basis for determining how the risks should be managed. Because economic, industry,
regulatory and operating conditions will continue to change, mechanisms are needed to identify and deal with
the special risks associated with change.

All entities, regardless of size, structure, nature or industry, encounter risks at all levels within their
organizations. Risks affect each entity's ability to survive; successfully compete within its industry; maintain its
financial strength and positive public image; and maintain the overall quality of its products, services and people.
There is no practical way to reduce risk to zero. Indeed, the decision to be in business creates risk. Management
must determine how much risk is to be prudently accepted, and strive to maintain risk within these levels.

Objective setting is a precondition to risk assessment. There must first be objectives before management can
identify risks to their achievement and take necessary actions to manage the risks. Objective setting, then, is a
key part of the management process. While not an internal control component, it is a prerequisite to and enabler
of internal control. This chapter first discusses objectives, followed by the discussion of risks.

Objectives

Objective setting can be a highly structured or an informal process. Objectives may be explicitly stated, or be
implicit, such as to continue a past level of performance. At the entity level, objectives often are represented by
the entity's mission and value statements. Along with assessments of the entity's strengths and weaknesses,
and of opportunities and threats, they lead to an overall strategy. Generally, the strategic plan is broadly stated,
dealing with high-level resource allocations and priorities.

More-specific objectives flow from the entity's broad strategy. Entity-level objectives are linked and integrated
with more-specific objectives established for various "activities", such as sales, production and engineering,
making sure they are consistent. These subobjectives, or activity-level objectives, include establishing goals and
may deal with product line, market, financing and profit objectives.

By setting objectives at the entity and activity levels, an entity can identify critical success factors. These are key
things that must go right if goals are to be attained. Critical success factors exist for the entity, a business unit, a
function, a department or an individual. Objective setting enables management to identify measurement criteria
for performance, with focus on critical success factors.

Categories of Objectives

Despite the diversity of objectives, certain broad categories can be established:

• Operations Objectives — These pertain to effectiveness and efficiency of the entity's operations, including
performance and profitability goals and safeguarding resources against loss. They vary based on management's
choices about structure and performance.
• Financial Reporting Objectives — These pertain to the preparation of reliable published financial statements,
including prevention of fraudulent public financial reporting. They are driven primarily by external requirements.
• Compliance Objectives — These objectives pertain to adherence to laws and regulations to which the entity is
subject. They are dependent on external factors, such as environmental regulation, and tend to be similar
across all entities in some cases and across an industry in others.

Certain objectives follow from the business an entity is in. A mutual fund must value its holdings daily, whereas
another business might do this quarterly. All publicly traded businesses must make certain filings with the SEC.
These externally imposed objectives are established by law or regulation, and fall in the category of compliance,
and perhaps financial reporting.

Conversely, operations objectives are based more on preferences, judgments and management style. They vary
widely among entities simply because informed, competent and honest people may select different objectives.
Regarding product development, for example, one entity might choose to be an early adapter, another a quick
follower, and yet another a slow lagger. These choices will affect the structure, skills, staffing and controls of the
research and development function. Consequently, no one formulation of objectives can be optimal for all
entities.

Operations Objectives. Operations objectives relate to achievement of an entity's basic mission — the
fundamental reason for its existence. They include related subobjectives for operations, directed at enhancing
effectiveness and efficiency in moving the enterprise toward its ultimate goal.

Operations objectives need to reflect the particular business, industry and economic environments in which the
entity functions. The objectives need, for example, to be relevant to competitive pressures for quality, reduced
cycle times to bring product to market, or changes in technology. Management must see to it that objectives are
based on the reality and demands of the marketplace and are expressed in terms that allow meaningful
performance measurements.

A clear set of operations objectives and strategies, linked to subobjectives, is fundamental to success. They
provide a focal point toward which the entity will commit substantial resources. If an entity's operations objectives
are not clear or well conceived, its resources may be misdirected.

Financial Reporting Objectives. Financial reporting objectives address the preparation of reliable published
financial statements, including interim and condensed financial statements and selected financial data derived
from such statements, such as earnings releases, reported publicly. Entities need to achieve financial reporting
objectives to meet external obligations. Reliable financial statements are a prerequisite to obtaining investor or
creditor capital, and may be critical to the award of certain contracts or to dealing with certain suppliers.
Investors, creditors, customers and suppliers often rely on financial statements to assess management's
performance and to compare it with peers and alternative investments.

The term "reliability" as used with financial reporting objectives involves the preparation of financial statements
that are fairly presented in conformity with generally accepted or other relevant and appropriate accounting
principles and regulatory requirements for external purposes. Fair presentation is defined‡ as:

• The accounting principles selected and applied have general acceptance,
• The accounting principles are appropriate in the circumstances,
• The financial statements are informative of matters that may affect their use, understanding and interpretation,
• The information presented is classified and summarized in a reasonable manner, that is, it is neither too detailed
nor too condensed, and
• The financial statements reflect the underlying transactions and events‡ in a manner that presents the financial
position, results of operations and cash flows stated within a range of acceptable limits, that is, limits that are
reasonable and practical to attain in financial statements.

Also inherent in fair presentation is the concept of financial statement materiality.

Supporting these objectives is a series of assertions that underlie an entity's financial statements‡:

• Existence or Occurrence — Assets, liabilities and ownership interests exist at a specific date, and recorded
transactions represent events that actually occurred during a certain period.
• Completeness — All transactions and other events and circumstances that occurred during a specific period,
and should have been recognized in that period, have, in fact, been recorded.
• Rights and Obligations — Assets are the rights, and liabilities are the obligations, of the entity at a given date.
• Valuation or Allocation — Asset, liability, revenue and expense components are recorded at appropriate
amounts in conformity with relevant and appropriate accounting principles. Transactions are mathematically
correct and appropriately summarized, and recorded in the entity's books and records.
• Presentation and Disclosure — Items in the statements are properly described, sorted and classified.

As with the other objectives categories, a series of objectives and related subobjectives exists. The factors
representing fair presentation can be viewed as basic financial reporting objectives. These would be supported
by subobjectives represented by the financial statement assertions, which in turn are supported by related
objectives identified with respect to an entity's various activities.

While these definitions of fair presentation and assertions were set forth for financial statements, they also, at
least conceptually, underlie the development of other published financial reports derived from financial
statements, such as interim financial information and press releases of earnings reports. Certain of these
factors, however, would not be applicable to other published financial reports. For example, the presentation and
disclosure assertion generally would not be applicable to an earnings release.

Compliance Objectives. Entities must conduct their activities, and often take specific actions, in accordance
with applicable laws and regulations. These requirements may relate, for example, to markets, pricing, taxes, the
environment, employee welfare and international trade. These laws and regulations establish minimum
standards of behavior which the entity integrates into its compliance objectives. For example, occupational
safety and health regulations might cause a company to define its objective as, "Package and label all chemicals
in accordance with regulations." In this case, policies and procedures would deal with communications
programs, site inspections and training.

An entity's compliance record with laws and regulations can significantly — either positively or negatively —
affect its reputation in the community.

Overlap of Objectives

An objective in one category may overlap or support an objective in another. For example, "Close quarterly
within 10 workdays" may be a goal supporting primarily an operations objective — to support management
meetings for reviewing business performance. But it also supports timely financial reporting as well as timely
filings with regulatory agencies. An objective, "Provide plant management pertinent data on raw material
production mix on a timely basis," might relate to all three categories of objectives. The data support decisions
on desired changes to the mix (operations), facilitate monitoring hazardous waste (compliance), and provide
input for cost accounting (financial reporting as well as operations).

Another set of objectives relates to safeguarding of resources. Although these are primarily operations
objectives, certain aspects of safeguarding can fall under the other categories. Under the operations category is
the efficient use of an entity's recorded assets and other resources, and prevention of their loss through theft,
waste, inefficiency or what turns out to be simply bad business decisions — such as selling product at too low a
price, extension of credit to bad risks, failing to retain key employees or prevent patent infringement, or incurring
unforeseen liabilities. Where legal or regulatory requirements apply, these become compliance issues. On the
other hand, the goal of ensuring that any such asset losses are properly reflected in the entity's financial
statements represents a financial reporting objective.

The category in which an objective falls can sometimes depend on circumstances. Continuing the discussion of
safeguarding of assets, controls to prevent theft of assets — such as maintaining a fence around inventory, and
a gatekeeper verifying proper authorization of requests for movement of goods — fall under the operations
category. These controls normally would not be relevant to the reliability of financial statement preparation,
because any inventory losses would be detected pursuant to periodic physical inspection and recorded in the
financial statements. However, if for financial reporting purposes management relies solely on perpetual
inventory records, as may be the case for interim reporting, the physical security controls would then also fall
within the financial reporting category. This is because these physical security controls, along with controls over
the perpetual inventory records, would be needed to ensure reliable financial reporting.

The distinction and interrelationship among the categories can further be illustrated in the context of a bank's
commercial lending activity. For purposes of illustration, assume that controls exist to ensure credit files contain
current customer credit histories and performance data. Further assume in this example that the bank's lending
officers do not use that information in making credit decisions. Instead, approvals of draw downs against existing
credit lines, and even increases in limits, are made intuitively. Financial management, however, periodically
conducts thorough reviews to determine appropriate levels of loan loss reserves. Under this scenario, controls
over operations have significant weaknesses, whereas controls over financial reporting do not. Practically
speaking, such lax control over operations likely would result in unacceptable profit performance. The first
evidence would show up in performance indicators and later in lower reported profits or even losses — signaling
to top management and, if sufficiently serious, to the board, a need for investigation and action. In this way,
financial reporting controls may help address the operations weakness, evidencing their interrelationship, but the
weakness is in the operations controls alone.

Linkage

Objectives should be complementary and linked. Not only must entity-wide objectives be consistent with the
entity's capabilities and prospects, they also must be consistent with the objectives of its business units and
functions. Entity-wide objectives must be broken down into subobjectives, consistent with the overall strategy,
and linked to activities throughout the organization.

Where entity-wide objectives are consistent with prior practice and performance, the linkage among activities is
known. Where, however, objectives depart from an entity's past practices, management must address the
linkages or run increased risks. Because they depart from past practice, the need for business-unit or functional
subobjectives that are consistent with the new direction is even more important.

An objective to "Fill more management roles internally through promotions" will depend heavily on linked
subobjectives for human resource processes dealing with succession planning, appraising, training and
development. The subobjectives might be substantially changed if past practice relied on heavy external
recruiting.

Activity objectives also need to be clear, that is, readily understood by the people taking the actions toward their
achievement. They must also be measurable. Personnel and management must have a mutual understanding of
what is to be accomplished, and a means of determining to what extent it is accomplished.

The scope and effort involved in an activity's objectives are also relevant. Most entities establish a number of
objectives for each activity, flowing both from the entity-wide objectives and from standards relating to the
compliance and financial reporting objectives. For procurement, for example, operations objectives may be
established to:

• Purchase goods that meet established engineering specifications;
• Negotiate acceptable prices and other terms;
• Review and re-certify all key vendors annually.

Achieving all of the objectives that could be set for an activity might tax the resources committed to it; so it is
useful to relate an activity's overall set of objectives to resources available. A way to relieve further resource
constraint is to question activity objectives that do not support entity-wide objectives and the entity's business
processes. Often, a function will have an irrelevant objective that is carried over from past practices (producing
routine but unutilized monthly reports, for example).

Another means of balancing objectives and resources is to identify activity objectives that are very important or
critical to achieving entity-wide objectives. Not all objectives are equal, so some entities prioritize objectives.
Entities may identify certain activity objectives as being critical, and closely monitor activities related to those
objectives. This notion reflects the concept of the "critical success factors" discussed earlier, where "things must
go right" to achieve the entity's objectives.

Achievement of Objectives

As noted, establishing objectives is a prerequisite to effective internal control. Objectives provide the measurable
targets toward which the entity moves in conducting its activities. However, although an entity should have
reasonable assurance that certain objectives are achieved, that may not be the case for all objectives.

As discussed in Chapter 1, an effective internal control system should provide reasonable assurance that an
entity's financial reporting objectives are being achieved. Similarly, there should be reasonable assurance that
compliance objectives are being achieved. Both of these categories are primarily based on external standards
established independently of the entity's purposes, and achieving them is largely within the entity's control.

But there is a difference when it comes to operations objectives. First, they are not based on external standards.
Second, an entity may perform as intended, yet be out-performed by a competitor. It could also be subject to
outside events — a change in government, poor weather and the like — that it cannot control. It may even have
considered some of these events in its objective-setting process and treated them as low probability, with a
contingency plan in case they occurred. However, such a plan only mitigates the impact of outside events. It
does not ensure that the objectives are achieved. Good operations consistent with the intent of objectives do not
ensure success.

The goal of internal control in this area focuses primarily on: developing consistency of objectives and goals
throughout the organization, identifying key success factors and timely reporting to management of performance
and expectations. Although success cannot be ensured, management should have reasonable assurance of
being alerted when objectives are in danger of not being achieved.

Risks

The process of identifying and analyzing risk is an ongoing, iterative process and a critical component of an
effective internal control system. Management must focus carefully on risks at all levels of the entity and take
the necessary actions to manage them.

Risk Identification

An entity's performance can be at risk due to internal or external factors. These factors, in turn, can affect either
stated or implied objectives. Risk increases as objectives increasingly differ from past performance. In a number
of areas of performance, an entity often does not set explicit entity-wide objectives because it considers its
performance to be acceptable. Although there might not be an explicit or written objective in these
circumstances, there is an implied objective of "no change" or "as is." This does not mean that an implied
objective is without either internal or external risk. For example, an entity might view its service to customers as
acceptable, yet, due to a change in a competitor's practices, its service, as viewed by its customers, might
deteriorate.

Regardless of whether an objective is stated or implied, an entity's risk-assessment process should consider
risks that may occur. It is important that risk identification be comprehensive. It should consider all significant
interactions - of goods, services and information - between an entity and relevant external parties. These
external parties include potential and current suppliers, investors, creditors, shareholders, employees,
customers, buyers, intermediaries and competitors, as well as public bodies and news media.

Risk identification is an iterative process and often is integrated with the planning process. It also is useful to
consider risk from a "clean sheet of paper" approach, and not merely relate the risk to the previous review.

Entity Level. Risks at the entity-wide level can arise from external or internal factors. Examples include:

External Factors

• Technological developments can affect the nature and timing of research and development, or lead to changes
in procurement.
• Changing customer needs or expectations can affect product development, production process, customer
service, pricing or warranties.
• Competition can alter marketing or service activities.
• New legislation and regulation can force changes in operating policies and strategies.
• Natural catastrophes can lead to changes in operations or information systems and highlight the need for
contingency planning.
• Economic changes can have an impact on decisions related to financing, capital expenditures and expansion.

Internal Factors

• A disruption in information systems processing can adversely affect the entity's operations.
• The quality of personnel hired and methods of training and motivation can influence the level of control
consciousness within the entity.
• A change in management responsibilities can affect the way certain controls are effected.
• The nature of the entity's activities, and employee accessibility to assets, can contribute to misappropriation of
resources.
• An unassertive or ineffective board or audit committee can provide opportunities for indiscretions.

Many techniques have been developed to identify risks. The majority — particularly those developed by internal
and external auditors to determine the scope of their activities — involve qualitative or quantitative methods to
prioritize and identify higher-risk activities. Other practices include: periodic reviews of economic and industry
factors affecting the business, senior management business-planning conferences and meetings with industry
analysts. Risks may be identified in connection with short- and long-range forecasting and strategic planning.
Which methods an entity selects to identify risks is not particularly important. What is important is that
management considers carefully the factors that may contribute to or increase risk. Some factors to consider
include: past experiences of failure to meet objectives; quality of personnel; changes affecting the entity such as
competition, regulations, personnel, and the like; existence of geographically distributed, particularly foreign,
activities; significance of an activity to the entity; and complexity of an activity.

To illustrate, an importer of apparel and footwear established an entity-wide objective of becoming an industry
leader in high-quality fashion merchandise. Risks considered at the entity-wide level included: supply sources,
including the quality, number and stability of foreign manufacturers; exposures to fluctuations in the value of
foreign currencies; timeliness of receiving shipments and effect of delays in customs inspections; availability and
reliability of shipping companies and costs; likelihood of international hostilities and trade embargoes; and
pressures from customers and investors to boycott doing business in a foreign country whose government
adopts unacceptable policies. These were in addition to the more generic risks considered, such as the impact
of a deterioration in economic conditions, market acceptance of products, new competitors in the entity's market,
and changes in environmental or regulatory laws and regulations.

Identifying external and internal factors that contribute to risk at an entity-wide level is critical to effective risk
assessment. Once the major contributing factors have been identified, management can then consider their
significance and, where possible, link risk factors to business activities.

Activity Level. In addition to identifying risk at the entity level, risks should be identified at the activity level.
Dealing with risks at this level helps focus risk assessment on major business units or functions such as sales,
production, marketing, technology development, and research and development. Successfully assessing
activity-level risk also contributes to maintaining acceptable levels at the entity-wide level.

In most instances, for any stated or implied objective, many different risks can be identified. In a procurement
process, for example, an entity may have an objective related to maintaining adequate raw materials inventory.
The risks to not achieving the activity objective might include goods not meeting specifications, or not being
delivered in needed quantities, on time or at acceptable prices. These risks might affect the way specifications
for purchased goods are communicated to vendors, the use and appropriateness of production forecasts,
identification of alternative supply sources and negotiation practices.

Potential causes of failing to achieve an objective range from the obvious to the obscure, and from the significant
to the insignificant in potential effect. Certainly, readily apparent risks that significantly affect the entity should be
identified. To avoid overlooking relevant risks, this identification is best made apart from assessment of the
likelihood of the risk occurring. There are, however, practical limitations to the identification process, and often it
is difficult to determine where to draw the line. It doesn't make much sense to consider the risk of a meteor
falling from space onto a company's production facility, while it may be reasonable to consider the risk of an
airplane crash for a facility located near an airport runway.

Risk Analysis

After the entity has identified entity-wide and activity risks, a risk analysis needs to be performed. The
methodology for analyzing risks can vary, largely because many risks are difficult to quantify. Nonetheless, the
process — which may be more or less formal — usually includes:

• Estimating the significance of a risk;
• Assessing the likelihood (or frequency) of the risk occurring;
• Considering how the risk should be managed - that is, an assessment of what actions need to be taken.

A risk that does not have a significant effect on the entity and that has a low likelihood of occurrence generally
does not warrant serious concern. A significant risk with a high likelihood of occurrence, on the other hand,
usually demands considerable attention. Circumstances in between these extremes usually require difficult
judgments. It is important that the analysis be rational and careful.

There are numerous methods for estimating the cost of a loss from an identified risk. Management should be
aware of them and apply them as appropriate. However, many risks are indeterminate in size. At best they can
be described as "large," "moderate" or "small."

Once the significance and likelihood of risk have been assessed, management needs to consider how the risk
should be managed. This involves judgment based on assumptions about the risk, and reasonable analysis of
costs associated with reducing the level of risk. Actions that can be taken to reduce the significance or likelihood
of the risk occurring include a myriad of decisions management may make every day. These range from
identifying alternative supply sources or expanding product lines to obtaining more relevant operating reports or
improving training programs. Sometimes actions can virtually eliminate the risk, or offset its effect if it does
occur. Examples are vertical integration to reduce supplier risk, hedging financial exposures and obtaining
adequate insurance coverage.

Note that there is a distinction between risk assessment, which is part of internal control, and the resulting plans,
programs or other actions deemed necessary by management to address the risks. The actions undertaken, as
discussed in the prior paragraph, are a key part of the larger management process, but not an element of the
internal control system.

Along with actions for managing risk is the establishment of procedures to enable management to track the
implementation and effectiveness of the actions. For example, one action an organization might take to manage
the risk of loss of critical computer services is to formulate a disaster recovery plan. Procedures then would be
effected to ensure that the plan is appropriately designed and implemented. Those procedures represent
"control activities", discussed in Chapter 4.

Before installing additional procedures, management should consider carefully whether existing ones may be
suitable for addressing identified risks. Because procedures may satisfy multiple objectives, management may
discover that additional actions are not warranted; existing procedures may be sufficient or may need to be
performed better.

Management also should recognize that it is likely some level of residual risk will always exist not only because
resources are always limited, but also because of other limitations inherent in every internal control system.
These are discussed in Chapter 7.

Risk analysis is not a theoretical exercise. It is often critical to the entity's success. It is most effective when it
includes identification of all key business processes where potential exposures of some consequence exist. It
might involve process analysis, such as identification of key dependencies and significant control nodes, and
establishing clear responsibility and accountability. Effective process analysis directs special attention to
cross-organizational dependencies, identifying, for example: where data originate, where they are stored, how
they are converted to useful information and who uses the information. Large organizations usually need to be
particularly vigilant in addressing intracompany and intercompany transactions and key dependencies. These
processes can be positively affected by quality programs which, with a "buy-in" by employees, can be an
important element in risk containment.

Unfortunately, the importance of risk analysis is sometimes recognized too late, as in the case of a major
financial services firm where a senior executive offered what amounted to a wistful epitaph: "We just didn't think
we faced so much risk."

Managing Change

Economic, industry and regulatory environments change, and entities' activities evolve. Internal control effective
under one set of conditions will not necessarily be effective under another. Fundamental to risk assessment is a
process to identify changed conditions and take actions as necessary.

Thus, every entity needs to have a process, formal or informal, to identify conditions that can significantly affect
its ability to achieve its objectives. As discussed further in Chapter 5, a key part of that process involves
information systems that capture, process and report information about events, activities and conditions that
indicate changes to which the entity needs to react. Such information may involve changes in customer
preferences or other factors affecting demand for the company's products or services. Or, it may involve new
technology affecting production processes or other business activities, or competitive or legislative or regulatory
developments. With the requisite information systems in place, the process to identify and respond to changing
conditions can be established.

This process will parallel, or be a part of, the entity's regular risk assessment process described above. It
involves identifying the changed condition — this requires having mechanisms in place to identify and
communicate events or activities that affect the entity's objectives — and analyzing the associated opportunities
or risks. Such analysis includes identifying potential causes of achieving or failing to achieve an objective,
assessing the likelihood that such causes will occur, evaluating the probable effect on achievement of the
objectives and considering the degree to which the risk can be controlled or the opportunity exploited.

Although the process by which an entity manages change is similar to, if not a part of, its regular risk-
assessment process, it is discussed separately. This is because of its critical importance to effective internal
control and because it can too easily be overlooked or given insufficient attention in the course of dealing with
everyday issues.

Circumstances Demanding Special Attention

This focus on managing change is founded on the premise that, because of their potential impact, certain
conditions should be the subject of special consideration. The extent to which such conditions require
management's attention, of course, depends on the effect they may have in the particular circumstances. Such
conditions are:

• Changed Operating Environment — A changed regulatory or economic environment can result in increased
competitive pressures and significantly different risks. "Divestiture" in the telecommunications industry, and
deregulation of commission rates in the brokerage industry, for example, thrust entities into a vastly changed
competitive environment.
• New Personnel — A senior executive new to an entity may not understand the entity's culture, or may focus
solely on performance to the exclusion of control-related activities. High turnover of personnel, in the absence of
effective training and supervision, can result in breakdowns.
• New or Revamped Information Systems — Normally effective controls can break down when new systems are
developed, particularly when done under unusually tight time constraints - for example, to gain competitive
advantage or make tactical moves.
• Rapid Growth — When operations expand significantly and quickly, existing systems may be strained to the
point where controls break down; where processing shifts or clerical personnel are added, existing supervisors
may be unable to maintain adequate control.
• New Technology — When new technologies are incorporated into production processes or information systems,
a high likelihood exists that internal controls will need to be modified. Just-in-time inventory manufacturing
technologies, for instance, commonly require changes in cost systems and related controls to ensure reporting
of meaningful information.
• New Lines, Products, Activities — When an entity enters new business lines or engages in transactions with
which it is unfamiliar, existing controls may not be adequate. Savings and loan organizations, for example,
ventured into investment and lending arenas in which they had little or no previous experience, without focusing
on how to control the risks involved.
• Corporate Restructurings — Restructurings — resulting, for example, from a leveraged buyout, or from
significant business declines or cost-reduction programs — may be accompanied by staff reductions and
inadequate supervision and segregation of duties. Or, a job performing a key control function may be eliminated
without a compensating control put in its place. A number of companies learned too late that they made rapid,
large-scale cutbacks in personnel without adequate consideration of serious control implications.
• Foreign Operations — The expansion or acquisition of foreign operations carries new and often unique risks that
management should address. For instance, the control environment is likely to be driven by the culture and
customs of local management. Also, business risks may result from factors unique to the local economy and
regulatory environment. Or, channels of communication and information systems may not be well established
and available to all individuals.

Mechanisms

Mechanisms should exist to identify changes that have taken place or will shortly occur, in any material
assumption or condition. These mechanisms need not be elaborate, and usually are rather informal in smaller
enterprises. The owner-manager of a small company that manufactures silk-screen machines meets monthly
with the heads of sales, finance, purchasing, manufacturing and engineering. During the course of a several-
hour meeting, they address technologies, competitor actions and new customer demands. Risks and
opportunities are analyzed, leading immediately to action plans for each activity. Implementation begins right
away, and the owner-manager follows up with visits over the weeks and months to each activity to see first-hand
the way in which implementation is proceeding, and whether the changes in the marketplace are being
adequately addressed.

Forward-Looking

To the extent practicable, mechanisms should be forward-looking, so an entity can anticipate and plan for
significant changes. Early warning systems should be in place to identify data signaling new risks. A commercial
bank, for instance, uses a multidisciplinary "risk council" to analyze new products being developed in terms of
their risks to the bank. Similarly, mechanisms are needed for early identification of opportunities arising from
changing conditions. Those banks that identified emerging customer needs for after-hours banking and
increasing customer receptivity to interactive computer systems were able to expand significantly their consumer
banking market shares through installation and effective marketing of user-friendly automatic teller machine
networks.

Naturally, the earlier that changes affecting risks and opportunities are recognized, the better the likelihood that
actions can be taken to deal effectively with them. However, as with other control mechanisms, the related costs
cannot be ignored. No entity has sufficient resources to obtain and analyze completely the information about all
the myriad evolving conditions that can affect it. Further, because no one possesses a crystal ball that accurately
predicts the future, even having the most relevant current information is no guarantee that future events or
implications can be accurately forecasted. It is often difficult to know whether seemingly significant information is
the beginning of an important trend, or merely an aberration.

Accordingly, reasonable mechanisms should be in place to anticipate changes that can affect the entity, helping
to avoid impending problems and take advantage of forthcoming opportunities. No one can foresee the future
with certainty, but the better an entity can anticipate changes and their effects, the fewer the unpleasant
surprises.

Application to Small and Mid-Size Entities

The risk-assessment process is likely to be less formal and less structured in smaller entities than in larger ones,
but the basic concepts of this internal control component should be present in every entity, regardless of size. A
smaller entity should have established objectives, though they may be implicitly rather than explicitly stated.
Since smaller entities usually are more centralized and have fewer levels of authority, the objectives can be
easily and effectively communicated to lower level managers more directly and on a continual basis. Similarly,
linkages of the entity-wide objectives with activity objectives are usually clear and direct.

The process of identifying and analyzing risks that may prevent achievement of objectives will often consist of
top management receiving information directly from employees and outsiders. An owner-manager can learn
about risks arising from external factors through direct contact with customers, suppliers, the entity's banker,
lawyer, independent auditor and other "outsiders." The CEO can also be attuned to risks arising from internal
factors through direct hands-on involvement with all levels of personnel. Risk assessment in a smaller entity can
be particularly effective because the in-depth involvement of the CEO and other key managers often means that
risks are assessed by people with both access to the appropriate information and a good understanding of its
implications.

The mechanisms in a smaller company for managing normal, everyday risks, as well as those resulting from the
less common circumstances of substantially changed conditions (such as new regulations, an economic
downturn or expansion of product line), can be highly informal yet effective. The same informal meetings
between the CEO and department heads and outside parties that provide information helpful in identifying the
risks can also provide the forum for analyzing them and making decisions on how they should be managed.
Action plans can be devised quickly with limited numbers of people. Similarly, implementation can be effected
immediately as the CEO or key managers visit the departments affected or talk with the customers or suppliers
whose needs are being responded to. They can then follow up as needed to ensure that the necessary actions
are being taken.

Evaluation

An evaluator will focus on management's process for objective setting, risk analysis and managing change,
including its linkages and relevance to business activities. Listed below are issues an evaluator might consider.
The list is not all-inclusive, nor will every item apply to every entity; it can, however, serve as a starting point.

Entity-Wide Objectives

• Extent to which the entity-wide objectives provide sufficiently broad statements and guidance on what the entity
desires to achieve, yet which are specific enough to relate directly to this entity.
• Effectiveness with which the entity-wide objectives are communicated to employees and the board of directors.
• Relation and consistency of strategies with entity-wide objectives.
• Consistency of business plans and budgets with entity-wide objectives, strategic plans and current conditions.

Activity-Level Objectives

• Linkage of activity-level objectives with entity-wide objectives and strategic plans.
• Consistency of activity-level objectives with each other.
• Relevance of activity-level objectives to all significant business processes.
• Specificity of activity-level objectives.
• Adequacy of resources relative to objectives.
• Identification of objectives that are important (critical success factors) to achievement of entity-wide objectives.
• Involvement of all levels of management in objective setting and extent to which they are committed to the
objectives.

Risks

• Adequacy of mechanisms to identify risks arising from external sources.
• Adequacy of mechanisms to identify risks arising from internal sources.
• Identification of significant risks for each significant activity-level objective.
• Thoroughness and relevance of the risk analysis process, including estimating the significance of risks,
assessing the likelihood of their occurring and determining needed actions.

Managing Change

• Existence of mechanisms to anticipate, identify and react to routine events or activities that affect achievement
of entity or activity-level objectives (usually implemented by managers responsible for the activities that would
be most affected by the changes).
• Existence of mechanisms to identify and react to changes that can have a more dramatic and pervasive effect
on the entity, and may demand the attention of top management.

Chapter 4 — Control Activities

Chapter Summary: Control activities are the policies and procedures that help ensure management directives are
carried out. They help ensure that necessary actions are taken to address risks to achievement of the entity's
objectives. Control activities occur throughout the organization, at all levels and in all functions. They include a
range of activities as diverse as approvals, authorizations, verifications, reconciliations, reviews of operating
performance, security of assets and segregation of duties.

Control activities are policies, together with the procedures (the actions people take to implement those policies),
that help ensure that management directives identified as necessary to address risks are carried out. Control
activities can be divided into three categories, based on the nature of the entity's objectives to which they relate:
operations, financial reporting, or compliance.

Although some controls relate solely to one area, there is often overlap. Depending on circumstances, a
particular control activity could help satisfy entity objectives in more than one of the three categories. Thus,
operations controls also can help ensure reliable financial reporting, financial reporting controls can serve to
effect compliance, and so on.

For example, a parts distributorship's sales manager, to keep abreast of sales of certain products and
geographical locations, obtains daily "flash" reports from district heads. Because the sales manager relates that
information to recorded sales and salespersons' commissions reported by the accounting system, that control
activity addresses objectives relating to both operations and financial reporting. In a retail chain, credits issued
for merchandise returned by customers are controlled by the numerical sequence of documents and
summarized for financial reporting purposes. This summarization also provides an analysis by product for
merchandise managers' use in future buying decisions and for inventory control. In this case, control activities
established primarily for financial reporting also serve operations.

Although these categories are helpful in discussing internal control, the particular category in which a control
happens to be placed is not as important as the role it plays in achieving a particular activity's objectives.

Types of Control Activities

Many different descriptions of types of control activities have been put forth, including preventive controls,
detective controls, manual controls, computer controls and management controls. Control activities can be typed
by specified control objectives, such as ensuring completeness and accuracy of data processing. Following are
certain control activities commonly performed by personnel at various levels in organizations. These are
presented to illustrate the range and variety of control activities, not to suggest any particular categorization.

 Top Level Reviews — Reviews are made of actual performance versus budgets, forecasts, prior periods and
competitors. Major initiatives are tracked - such as marketing thrusts, improved production processes, and cost
containment or reduction programs - to measure the extent to which targets are being reached. Implementation
of plans is monitored for new product development, joint ventures or financing. Management actions taken to
analyze and follow up on such reporting represent control activities.
 Direct Functional or Activity Management — Managers running functions or activities review performance
reports. A manager responsible for a bank's consumer loans reviews reports by branch, region and loan
(collateral) type, checking summarizations and identifying trends, and relating results to economic statistics and
targets. In turn, branch managers receive data on new business by loan-officer and local-customer segment.

Internal Use Only


Exported on 23/02/2022 10:29 pm © All rights are reserved. Page 470
Branch managers focus also on compliance issues, for example, reviewing reports required by regulators on
new deposits over specified amounts. Reconciliations are made of daily cash flows with net positions reported
centrally for overnight transfer and investment.
 Information Processing — A variety of controls are performed to check accuracy, completeness and
authorization of transactions. Data entered are subject to edit checks or matching to approved control files. A
customer's order, for example, is accepted only upon reference to an approved customer file and credit limit.
Numerical sequences of transactions are accounted for. File totals are compared and reconciled with prior
balances and with control accounts. Exceptions in need of follow-up are acted upon by clerical personnel, and
reported to supervisors as necessary. Development of new systems and changes to existing ones are
controlled, as is access to data, files and programs. Controls over information processing are discussed further
below.
 Physical Controls — Equipment, inventories, securities, cash and other assets are secured physically, and
periodically counted and compared with amounts shown on control records.
 Performance Indicators — Relating different sets of data — operating or financial — to one another, together
with analyses of the relationships and investigative and corrective actions, serve as control activities.
Performance indicators include, for example, purchase price variances, the percentage of orders that are "rush
orders" and the percentage of returns to total orders. By investigating unexpected results or unusual trends,
management identifies circumstances where the underlying procurement activity objectives are in danger of not
being achieved. Whether managers use this information only to make operating decisions, or also follow up on
unexpected results reported by financial reporting systems, determines whether analysis of performance
indicators serves operational purposes alone or financial reporting control purposes as well.
• Segregation of Duties — Duties are divided, or segregated, among different people to reduce the risk of error or
inappropriate actions. For instance, responsibilities for authorizing transactions, recording them and handling the
related asset are divided. A manager authorizing credit sales would not be responsible for maintaining accounts
receivable records or handling cash receipts. Similarly, salespersons would not have the ability to modify
product price files or commission rates.

These are just a very few among a myriad of procedures performed every day in enterprises that serve to
enforce adherence to established action plans, and to keep entities on track toward achieving their objectives.

Policies and Procedures. Control activities usually involve two elements: a policy establishing what should be
done and, serving as a basis for the second element, procedures to effect the policy. A policy, for example,
might call for review of customer trading activities by a securities dealer retail branch manager. The procedure is
the review itself, performed in a timely manner and with attention given to factors set forth in the policy, such as
the nature and volume of securities traded, and their relation to customer net worth and age.

Many times, policies are communicated orally. Unwritten policies can be effective where the policy is a long-
standing and well-understood practice, and in smaller organizations where communications channels involve
only limited management layers and close interaction and supervision of personnel. But regardless of whether a
policy is written, it must be implemented thoughtfully, conscientiously and consistently. A procedure will not be
useful if performed mechanically without a sharp continuing focus on conditions to which the policy is directed.

Further, it is essential that conditions identified as a result of the procedures be investigated and appropriate
corrective actions taken. Follow-up actions might vary depending on the size and organizational structure of an
enterprise. They could range from formal reporting processes in a large company — where business units state
why targets weren't met and what actions are being taken to prevent recurrence — to an owner-manager of a
small business walking down the hall to speak with the plant manager to discuss what went wrong and what
needs to be done.

Integration with Risk Assessment

Along with assessing risks, management should identify and put into effect actions needed to address the risks.
The actions identified as addressing a risk also serve to focus attention on control activities to be put in place to
help ensure that the actions are carried out properly and in a timely manner.

For example, a company set as an objective "Meeting or exceeding sales targets". Risks identified include
having insufficient knowledge of current and potential customers' needs. Management's actions to address the
risks included establishing buying histories of existing customers and undertaking new market research
initiatives. These actions also serve as focal points for establishment of control activities.

Control activities are very much a part of the process by which an enterprise strives to achieve its business
objectives. Control activities are not simply for their own sake or because it seems to be the "right or proper"
thing to do. In this example, management needs to take steps to ensure that sales targets are met. Control
activities serve as mechanisms for managing the achievement of that objective. Such activities might include
tracking the progress of the development of the customer buying histories against established timetables, and
steps to ensure accuracy of the reported data. In this sense, control is built directly into the management
process.

Controls over Information Systems

With widespread reliance on information systems, controls are needed over all such systems: financial,
compliance and operational, large and small.

Most entities, including small companies or units of larger ones, utilize computers in information processing.
Accordingly, the following discussion is geared to information systems that include both manual and
computerized elements. For information systems that are strictly manual, different controls would be applied;
such controls, though different, would be based on the same underlying concepts of control.
Two broad groupings of information systems control activities can be used. The first is general controls‡ — which
apply to many if not all application systems and help ensure their continued, proper operation. The second
category is application controls, which include computerized steps within the application software and related
manual procedures to control the processing of various types of transactions. Together, these controls serve to
ensure completeness, accuracy and validity of the financial and other information in the system.

General Controls

General controls commonly include controls over data center operations, system software acquisition and
maintenance, access security, and application system development and maintenance. These controls apply to
all systems — mainframe, minicomputer and end-user computing environments.

Data Center Operations Controls. These include job set-up and scheduling, operator actions, backup and
recovery procedures, and contingency or disaster recovery planning. In a sophisticated environment, these
controls also address capacity planning and resource allocation and use. In a high technology environment, the
job scheduler is automatic and job control language is on-line. Storage management tools automatically load
data files onto high-speed devices in anticipation of the next job. The shift supervisor no longer needs to initial
the console log manually, because it is not printed out; the log is maintained on the system. Hundreds of
messages flash by each second on a consolidated console that supports multiple mainframes. Minicomputers
run all night, unattended.

System Software Controls. These include controls over the effective acquisition, implementation and
maintenance of system software — the operating system, data base management systems, telecommunications
software, security software and utilities — which run the system and allow applications to function. The master
director of system activities, system software also provides the system logging, tracking and monitoring
functions. System software can report on uses of utilities, so that if someone accesses these powerful data-
altering functions, at the least their use is recorded and reported for review.

Access Security Controls. These controls have assumed greater importance as telecommunications networks
have grown. System users may be halfway around the world or down the hall. Effective access security controls
can protect the system, preventing inappropriate access and unauthorized use of the system. If well designed,
they can intercept hackers and other trespassers.

Adequate access control activities, such as changing dial-up numbers frequently, or implementing dial-back —
where the system calls a potential user back at an authorized number, rather than allowing direct access into the
system — can be effective methods to prevent unauthorized access. Access security controls restrict authorized
users to only the applications or application functions that they need to do their jobs, supporting an appropriate
division of duties. There should be frequent and timely review of the user profiles that permit or restrict access.
Former or disgruntled employees can be more of a threat to a system than hackers; terminated employee
passwords and user IDs should be revoked immediately. By preventing unauthorized use of and changes to the
system, data and program integrity are protected.
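
The two review points above, segregation of duties and the timely revocation of terminated employees' access, are the kind of thing a periodic user-profile review is meant to surface. The following is an added example, not code from the COSO framework: it reconciles a constructed HR roster against constructed application user profiles, flags still-enabled accounts of leavers and accounts with no matching employee, and checks each profile against a constructed matrix of incompatible duties drawn from the framework's own examples (authorizing credit sales versus maintaining receivables or handling cash, sales entry versus editing price files or commission rates). The function names and the conflict pairs are assumptions for illustration.

```python
"""Periodic user-profile review: revoke leavers, detect segregation-of-duties conflicts.

Added illustration, not the framework's own code. All rosters, profiles and
the conflict matrix below are constructed sample data.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Incompatible duty pairs (constructed, following the framework's examples):
# authorizing a transaction, recording it, and having custody of the asset.
SOD_CONFLICTS = {
    frozenset({"authorize_credit_sales", "maintain_receivables"}),
    frozenset({"authorize_credit_sales", "handle_cash_receipts"}),
    frozenset({"maintain_receivables", "handle_cash_receipts"}),
    frozenset({"sales_entry", "edit_price_file"}),
    frozenset({"sales_entry", "edit_commission_rates"}),
}


@dataclass(frozen=True)
class Employee:
    emp_id: str
    status: str                               # "active" or "terminated"
    termination_date: Optional[date] = None


@dataclass(frozen=True)
class UserProfile:
    user_id: str
    emp_id: str
    enabled: bool
    functions: frozenset                      # application functions the profile grants


def find_unrevoked_leavers(hr_roster, profiles, as_of: date):
    """Accounts still enabled for employees HR lists as terminated on or before as_of."""
    terminated = {e.emp_id for e in hr_roster
                  if e.status == "terminated"
                  and e.termination_date is not None
                  and e.termination_date <= as_of}
    return sorted(p.user_id for p in profiles if p.enabled and p.emp_id in terminated)


def find_orphan_accounts(hr_roster, profiles):
    """Enabled accounts with no matching employee at all (departed contractors, test ids)."""
    known = {e.emp_id for e in hr_roster}
    return sorted(p.user_id for p in profiles if p.enabled and p.emp_id not in known)


def find_sod_conflicts(profiles):
    """Enabled users whose granted functions include an incompatible pair."""
    hits = {}
    for p in profiles:
        if not p.enabled:
            continue
        conflicts = sorted(tuple(sorted(pair)) for pair in SOD_CONFLICTS if pair <= p.functions)
        if conflicts:
            hits[p.user_id] = conflicts
    return hits


def review_user_profiles(hr_roster, profiles, as_of: date):
    """One review run, producing the items the reviewer must act on."""
    return {
        "revoke_immediately": find_unrevoked_leavers(hr_roster, profiles, as_of),
        "orphan_accounts": find_orphan_accounts(hr_roster, profiles),
        "sod_conflicts": find_sod_conflicts(profiles),
    }


# Constructed sample data
HR = [
    Employee("E1", "active"),
    Employee("E2", "terminated", date(2024, 3, 1)),
    Employee("E3", "active"),
    Employee("E4", "terminated", date(2024, 6, 30)),
]
PROFILES = [
    UserProfile("alice", "E1", True, frozenset({"authorize_credit_sales"})),
    UserProfile("bob", "E2", True, frozenset({"maintain_receivables"})),              # leaver, still enabled
    UserProfile("carol", "E3", True, frozenset({"sales_entry", "edit_price_file"})),  # SoD conflict
    UserProfile("dave", "E4", False, frozenset({"handle_cash_receipts"})),           # leaver, already disabled
    UserProfile("svc_old", "E9", True, frozenset({"sales_entry"})),                   # no such employee
]

if __name__ == "__main__":
    from pprint import pprint
    pprint(review_user_profiles(HR, PROFILES, date(2024, 7, 1)))
```

Running the review for a date after both terminations flags bob (terminated, still enabled) for immediate revocation, svc_old as an account with no owner, and carol as holding sales entry together with price-file maintenance; dave is not reported because his profile is already disabled. The HR roster is the authoritative source here, which is why the review is only as good as the timeliness of the termination data fed to it.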

Application System Development and Maintenance Controls. Development and maintenance of application
systems have traditionally been high-cost areas for most organizations. Total costs for MIS resources, the time
needed, the skills of people to perform these tasks, and hardware and software required, are all considerable.
To control those costs, many entities have some form of system development methodology. It provides structure
for system design and implementation, outlining specific phases, documentation requirements, approvals and
checkpoints to control the development or maintenance project. The methodology should provide appropriate
control over changes to the system, which may involve required authorization of change requests, review of the
changes, approvals, testing results, and implementation protocols, to ensure that changes are made properly.

An alternative to in-house development is the use of packaged software, which has grown in popularity. Vendors
provide flexible, integrated systems allowing customization through the use of built-in options. Many system
development methodologies address the acquisition of vendor packages as a development alternative and
include the necessary steps to provide control over the selection and implementation process.

Application Controls

As the name indicates, application controls are designed to control application processing, helping to ensure the
completeness and accuracy of transaction processing, authorization and validity. Particular attention should be
paid to an application's interfaces, since they are often linked to other systems that in turn need control, to
ensure that all inputs are received for processing and all outputs are distributed appropriately.

One of the most significant contributions computers make to control is their ability to prevent errors from entering
the system, as well as detecting and correcting them once they are present. To do this, many application
controls depend on computerized edit checks. These consist of format, existence, reasonableness and other
checks on the data which are built into each application during its development. When these checks are
designed properly, they can help provide control over the data being entered into the system.
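
To make the format, existence and reasonableness checks concrete, here is an added example that is not part of the COSO text: a batch of constructed sales orders is run through the edit checks the framework describes, with the approved customer file and credit limits referenced earlier in this chapter. Every failure is collected into an exception record rather than raised, so that clerical follow-up and the supervisor's exception report both have something to work from. The field formats, limits and data are assumptions for illustration.

```python
"""Application edit checks on incoming sales orders.

Added illustration (not COSO's own code). Each order passes format, existence
and reasonableness checks before it is accepted; every failure is reported.
The approved customer file, limits and orders are constructed sample data.
"""
import re
from dataclasses import dataclass, field
from decimal import Decimal, InvalidOperation

# Constructed "approved customer file": id -> credit limit and current open balance
APPROVED_CUSTOMERS = {
    "C1001": {"credit_limit": Decimal("50000"), "open_balance": Decimal("12000")},
    "C1002": {"credit_limit": Decimal("5000"), "open_balance": Decimal("4800")},
    "C1003": {"credit_limit": Decimal("20000"), "open_balance": Decimal("0")},
}

ORDER_ID_RE = re.compile(r"^SO-\d{6}$")     # format rule for order numbers (assumed)
CUSTOMER_ID_RE = re.compile(r"^C\d{4}$")     # format rule for customer ids (assumed)
MAX_LINE_QTY = 10_000                        # reasonableness ceiling per line (assumed)


@dataclass
class Order:
    order_id: str
    customer_id: str
    quantity: str        # raw as keyed in; validated below
    unit_price: str


@dataclass
class EditResult:
    order_id: str
    exceptions: list = field(default_factory=list)

    @property
    def accepted(self) -> bool:
        return not self.exceptions


def edit_check(order: Order) -> EditResult:
    """Apply format, existence and reasonableness checks; never raise, always report."""
    result = EditResult(order.order_id)
    # Format checks: fields must look like what the application expects.
    if not ORDER_ID_RE.match(order.order_id):
        result.exceptions.append("FORMAT: order id not SO-nnnnnn")
    if not CUSTOMER_ID_RE.match(order.customer_id):
        result.exceptions.append("FORMAT: customer id not Cnnnn")
    try:
        qty = int(order.quantity)
        price = Decimal(order.unit_price)
    except (ValueError, InvalidOperation):
        result.exceptions.append("FORMAT: quantity/price not numeric")
        return result                        # later checks need numeric values
    # Existence check: the customer must be on the approved customer file.
    customer = APPROVED_CUSTOMERS.get(order.customer_id)
    if customer is None:
        result.exceptions.append("EXISTENCE: customer not on approved file")
        return result
    # Reasonableness checks: quantity bounds, positive price, credit limit respected.
    if qty <= 0 or qty > MAX_LINE_QTY:
        result.exceptions.append(f"REASONABLENESS: quantity {qty} outside 1..{MAX_LINE_QTY}")
    if price <= 0:
        result.exceptions.append("REASONABLENESS: unit price not positive")
    order_value = qty * price
    if customer["open_balance"] + order_value > customer["credit_limit"]:
        result.exceptions.append(
            f"REASONABLENESS: order value {order_value} would exceed credit limit "
            f"{customer['credit_limit']} (open balance {customer['open_balance']})"
        )
    return result


def run_edit_checks(orders):
    """Return (accepted order ids, exception report) for a batch of orders."""
    accepted, report = [], []
    for o in orders:
        r = edit_check(o)
        if r.accepted:
            accepted.append(r.order_id)
        else:
            report.append(r)
    return accepted, report


# Constructed sample batch
SAMPLE_ORDERS = [
    Order("SO-000101", "C1001", "100", "25.00"),   # clean
    Order("SO-000102", "C1002", "10", "50.00"),    # 4800 + 500 exceeds the 5000 limit
    Order("SO-000103", "C9999", "1", "10.00"),     # customer not on approved file
    Order("SO-000104", "C1003", "1e9", "1.00"),    # quantity not an integer
    Order("SO-105", "C1003", "-5", "1.00"),        # bad order id format, negative quantity
]

if __name__ == "__main__":
    ok, exc = run_edit_checks(SAMPLE_ORDERS)
    print("accepted:", ok)
    for r in exc:
        print(r.order_id, r.exceptions)
```

Only the first order is accepted; the other four land on the exception report with a reason that tells the reviewer which kind of check failed. The order of checks matters: a non-numeric quantity stops further evaluation, since a reasonableness check on garbage would only add noise to the report.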

Relationship Between General and Application Controls

These two categories of control over computer systems are interrelated. General controls are needed to ensure
the function of application controls that depend on computer processes.

For example, application controls such as computer matching and edit checks examine data as they are entered
on-line. They provide immediate feedback when something doesn't match, or is in the wrong format, so that
corrections can be made. They display error messages that indicate what is wrong with the data, or produce
exception reports for subsequent follow-up.

If there are inadequate general controls, it may not be possible to depend on application controls, which assume
the system itself will function properly, matching with the right file, or providing an error message that accurately
reflects a problem, or including all exceptions in an exception report.

Another example of the required balance between application and general controls is a completeness control,
often used over certain types of transactions, involving pre-numbered documents. These are usually documents
generated internally, such as purchase orders, where pre-numbered forms are employed. Duplicates are flagged
or rejected. To effect this as a control, depending on its design, the system will reject an inappropriate item or
hold it in suspense, while users get a report which lists all missing, duplicate and out-of-range items. Or does it?
How do those who need to rely on the report content for follow-up know that all items that should be on the
report are, in fact, listed?

The answer is the general controls. Controls over system development requiring thorough reviews and testing of
applications ensure that the logic of the report program is sound, and that it has been tested to ascertain that all
exceptions are reported. To provide control after implementation of the application, controls over access and
maintenance ensure that applications are not accessed or changed without authorization and that required,
authorized changes are made. The data center operations controls and systems software controls ensure that
the right files are used and updated appropriately.

The relationship between the application controls and the general controls is such that general controls are
needed to support the functioning of application controls, and both are needed to ensure complete and accurate
information processing.
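
The completeness control over pre-numbered documents described above, and the question of how anyone knows the exception report is complete, can both be shown in code. This is an added example and not the framework's own: given the range of numbers issued from the pre-numbered stock and the numbers actually recorded, it produces the report of missing, duplicate and out-of-range items, holds flagged items in suspense, and includes the kind of test of the report logic that the framework says system development controls should require before anyone relies on the report. Document numbers and the issued range are constructed.

```python
"""Completeness control over pre-numbered documents (e.g. purchase orders).

Added illustration, not code from the COSO framework. The sample register
and issued range are constructed.
"""
from collections import Counter
from dataclasses import dataclass, field


@dataclass
class SequenceReport:
    issued_range: tuple                               # (first, last) issued from stock
    missing: list = field(default_factory=list)       # issued but never recorded
    duplicates: dict = field(default_factory=dict)    # number -> times recorded
    out_of_range: list = field(default_factory=list)  # recorded but never issued

    @property
    def clean(self) -> bool:
        return not (self.missing or self.duplicates or self.out_of_range)


def sequence_check(recorded, first, last) -> SequenceReport:
    """Compare recorded document numbers with the issued range [first, last]."""
    if first > last:
        raise ValueError("issued range is inverted")
    counts = Counter(recorded)
    report = SequenceReport((first, last))
    # Out-of-range: nobody issued this number, so a keying error or an invalid document.
    report.out_of_range = sorted(n for n in counts if n < first or n > last)
    # Duplicates: the same number recorded more than once (double processing).
    report.duplicates = {n: c for n, c in sorted(counts.items()) if c > 1 and first <= n <= last}
    # Missing: issued but never recorded (lost, unprocessed, or suppressed).
    report.missing = [n for n in range(first, last + 1) if n not in counts]
    return report


def apply_control(recorded, first, last, hold_in_suspense=True):
    """Reject inappropriate items or hold them in suspense, as the framework describes.

    Every copy of a duplicated number goes to suspense so a person decides which
    one is genuine. Returns (accepted numbers, suspense numbers, report).
    """
    report = sequence_check(recorded, first, last)
    flagged = set(report.out_of_range) | set(report.duplicates)
    accepted = [n for n in recorded if n not in flagged]
    suspense = [n for n in recorded if n in flagged] if hold_in_suspense else []
    return accepted, suspense, report


def verify_report_logic() -> bool:
    """General-control counterpart: show the report program reports every exception.

    A batch with known seeded exceptions is run through the check and the output
    compared with what was seeded. Development controls should require a test of
    this kind before the exception report is relied on for follow-up.
    """
    seeded = [5, 6, 6, 8, 99]        # range 5..9: 7 and 9 missing, 6 duplicated, 99 out of range
    r = sequence_check(seeded, 5, 9)
    return r.missing == [7, 9] and r.duplicates == {6: 2} and r.out_of_range == [99]


# Constructed sample: numbers 1000..1012 issued from stock; numbers seen in the PO register
ISSUED = (1000, 1012)
RECORDED = [1000, 1001, 1002, 1002, 1004, 1005, 1006, 1008, 1009, 1010, 1011, 1012, 2045]

if __name__ == "__main__":
    accepted, suspense, report = apply_control(RECORDED, *ISSUED)
    print("report logic verified:", verify_report_logic())
    print("missing:", report.missing)
    print("duplicates:", report.duplicates)
    print("out of range:", report.out_of_range)
    print("accepted:", accepted)
    print("held in suspense:", suspense)
```

On the constructed register the report lists 1003 and 1007 as missing, 1002 as recorded twice and 2045 as never issued; the two copies of 1002 and the stray 2045 are held in suspense while the remaining ten are accepted. The `verify_report_logic` check is the application-level piece of what the framework attributes to general controls: the report is only as trustworthy as the testing of the program that produces it, and access and change controls are what keep that tested program from being altered afterwards.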

Evolving Issues

Control issues are raised in considering the impact of many emerging technologies. These include CASE
(computer assisted software engineering) development tools, prototyping to create new systems, image
processing and electronic data interchange. These technologies will affect how controls are implemented,
without changing the basic requirements of control.

For one example, in end-user computing (EUC), increasingly powerful microcomputers and ever-cheaper
minicomputers allow for distributing data and computing power. Departments and line units do their own
processing, often supported by a stand-alone, low-cost local area network. These are user-maintained systems,
rather than centrally developed software.

To provide needed control for EUC systems, entity-wide policies for system development, maintenance and
operation should be implemented and enforced. Local processing environments should be governed by a level
of control activities similar to the more traditional mainframe environment.

An emerging technology is artificial intelligence or expert systems. In the future, as such systems are embedded
in many applications — whether developed by a data processing department or end-users, or purchased —
issues will include how to decide which applications are best suited, which tool to use and how to control
development. Many people feel that such systems will ultimately be controlled in the same way as end-user
computing is now. When EUC first started to mushroom, people raised similar concerns before they realized that
control would be provided in the same way as before: through appropriate control activities.

Entity Specific

Because each entity has its own set of objectives and implementation strategies, there will be differences in
objectives structure and related control activities. Even if two entities had identical objectives and structures,
their control activities would be different. Each entity would be managed by different people who use individual
judgments in effecting internal control. Moreover, controls reflect the environment and industry in which an entity
operates, as well as the complexity of its organization, its history and its culture.

The environment in which an entity operates affects the risks to which it is exposed and may present unique
external reporting requirements, or special legal or regulatory requirements. A chemicals manufacturer, for
example, must manage greater environmental risks than those facing a typical service company, and must
consider waste disposal issues in its financial statement disclosures.

The complexity of an entity, and the nature and scope of its activities, affect its control activities. Complex
organizations with diverse activities may face more difficult control issues than simple organizations with less
varied activities. An entity with decentralized operations and an emphasis on local autonomy and innovation
presents different control circumstances than a highly centralized one. Other factors that influence an entity's
complexity and, therefore, the nature of its controls include: location and geographical dispersion, the
extensiveness and sophistication of operations, and information processing methods.

All these factors affect an entity's control activities, which need to be designed accordingly to contribute to the
achievement of the entity's objectives.

Application to Small and Mid-Size Entities

The concepts underlying control activities in smaller organizations are not likely to differ significantly from those
in larger entities, but the formality with which they operate will vary. Further, smaller entities may find that certain
types of control activities are not always relevant because of highly effective controls applied by management of
the small or mid-size entity.

For example, direct involvement by the CEO and other key managers in a new marketing plan, and retention of
authority for credit sales, significant purchases and draw downs on lines of credit, can provide strong control
over those activities, lessening or obviating the need for more detailed control activities. Direct hands-on
knowledge of sales to key customers and careful review of key ratios and other performance indicators often can
serve the purpose of lower level control activities typically found in large companies.

An appropriate segregation of duties often appears to present difficulties in smaller organizations, at least on the
surface. Even companies that have only a few employees, however, can usually parcel out their responsibilities
to achieve the necessary checks and balances. But if that is not possible — as may occasionally be the case —
direct oversight of the incompatible activities by the owner-manager can provide the necessary control. For
example, it is not uncommon, where there is a risk of improper cash payments, for the owner-manager to be
named the only authorized check signer, or to require that monthly bank statements be delivered unopened
directly to him or her for review of paid checks.

Controls over information systems, particularly general computer controls and more specifically access security
controls, may present problems to small and mid-size entities. This is because of the informal way in which
control activities are often implemented. Once again, a solution can often be found in the greater amount of
direct top management involvement typically found in smaller organizations. Reasonable assurance that any
material errors would be detected often comes from management's continual use of information generated by
the system, and relating that information to direct knowledge of those activities, together with the existence of
certain key controls applied by other personnel.

Evaluation

Control activities must be evaluated in the context of management directives to address risks associated with
established objectives for each significant activity. An evaluator therefore will consider whether control activities
relate to the risk-assessment process and whether they are appropriate to ensure that management's directives
are carried out. This will be done for each significant business activity, including general controls over
computerized information systems. (These will be each of the activities identified in evaluating risk assessment
— see Chapter 3.) An evaluator will consider not only whether established control activities are relevant to the
risk-assessment process, but also whether they are being applied properly.

Chapter 5 — Information and Communication

Chapter Summary: Pertinent information must be identified, captured and communicated in a form and timeframe
that enables people to carry out their responsibilities. Information systems produce reports, containing
operational, financial and compliance-related information, that make it possible to run and control the business.
They deal not only with internally generated data, but also information about external events, activities and
conditions necessary to informed business decision-making and external reporting. Effective communication also
must occur in a broader sense, flowing down, across and up the organization. All personnel must receive a clear
message from top management that control responsibilities must be taken seriously. They must understand their
own role in the internal control system, as well as how individual activities relate to the work of others. They
must have a means of communicating significant information upstream. There also needs to be effective
communication with external parties, such as customers, suppliers, regulators and shareholders.

Every enterprise must capture pertinent information - financial and non-financial, relating to external as well as
internal events and activities. The information must be identified by management as relevant to managing the
business. It must be delivered to people who need it in a form and timeframe that enables them to carry out their
control and other responsibilities.

Information

Information is needed at all levels of an organization to run the business, and move toward achievement of the
entity's objectives in all categories - operations, financial reporting and compliance. An array of information is
used. Financial information, for instance, is used not only in developing financial statements for external
dissemination. It is also used for operating decisions, such as monitoring performance and allocating resources.
Management reporting of monetary and related measurements enables monitoring, for example, of brand
profitability, receivables performance by customer type, market share, customer complaint trends and accident
statistics. Reliable internal financial measurements also are essential to planning, budgeting, pricing, evaluating
vendor performance, and evaluating joint ventures and other alliances.

Similarly, operating information is essential for developing financial statements. This includes the routine —
purchases, sales and other transactions — as well as information on competitors' product releases or economic
conditions, which can affect inventory and receivables valuations. Operating information such as airborne
particle emissions or personnel data may be needed to achieve both compliance and financial reporting
objectives. As such, information developed from internal and external sources, both financial and non-financial,
is relevant to all objectives categories.

Information is identified, captured, processed and reported by information systems. The term "information
systems" frequently is used in the context of processing internally generated data relating to transactions, such
as purchases and sales, and internal operating activities, such as production processes. Information systems —
which may be computerized, manual or a combination — certainly address those matters. But, as used here, it is
a much broader concept. Information systems also deal with information about external events, activities and
conditions. Such information includes: market- or industry-specific economic data that signal changes in demand
for the company's products or services; data on goods and services the entity needs for its production process;
market intelligence on evolving customer preferences or demands; and information on competitors' product
development activities and legislative or regulatory initiatives.

Information systems sometimes operate in a monitoring mode, routinely capturing specific data. In other cases,
special actions are taken to obtain needed information. Consider, for example, systems capturing information on
customers' satisfaction with the entity's products. Information systems might regularly identify and report sales
by product and location, customer gains and losses, returns and requests for allowances, application of product
warranty provisions and direct feedback in the form of complaints or other comments. On the other hand, special
efforts may be made from time to time to obtain information on evolving market requirements regarding technical
product specifications, or customer delivery or service needs. This information may be obtained through
questionnaires, interviews, broad-based market demand studies or targeted focus groups.

Information systems can be formal or informal. Conversations with customers, suppliers, regulators and
employees often provide some of the most critical information needed to identify risks and opportunities.
Similarly, attendance at professional or industry seminars and memberships in trade and other associations can
provide valuable information.

Keeping information consistent with needs becomes particularly important when an entity operates in the face of
fundamental industry changes, highly innovative and quick-moving competitors or significant customer demand
shifts. Information systems must change as needed to support resulting new entity objectives related, for
example, to reduced cycle time in bringing products to market, outsourcing certain functions and workforce
changes. In such environments there is a special need to differentiate measurements serving as early warning
indicators from strictly historical accounting data. Both are important, and the latter, when used effectively, can
provide warning signals. But to be effective, information systems must not only identify and capture needed
financial and non-financial information, they must also process and report it in a timeframe and way that is useful
in controlling the entity's activities.

Strategic and Integrated Systems

Information systems often are an integral part of operational activities. They not only capture information needed
in decision-making to effect control, as discussed above, but also are increasingly designed to carry out strategic
initiatives. A recently issued study‡ indicates that the most important management challenge in the 1990s is to
integrate the planning, design and implementation of systems with the organization's overall strategy.

Systems Support Strategic Initiatives. The strategic use of information systems has meant success to many
organizations. Early examples of such use include an airline's reservation system that gave travel agents easy
access to flight information and booking of flights. Another oft-cited example is the hospital supplier that gave on-
line access to its system directly to the hospitals, creating a vast competitive advantage as they ordered on-the-
spot via terminal. These examples, and others, showed that systems truly could make a difference in achieving
competitive advantage.

As the business world learned how to use newer systems that gave better information, more organizations
tracked how their products were selling in targeted areas, and whether particular lines were doing better than
others. Using technology to help respond to a better-understood marketplace is a growing trend, as systems are
used to support proactive rather than reactive business strategies.

Integration with Operations. The strategic use of systems demonstrates the shift that has occurred from purely
financial systems to systems integrated into an entity's operations. These systems help control the business
process, tracking and recording transactions on a real-time basis, often including many of the organization's
operations in an integrated, complex systems environment.

In manufacturing facilities, information systems support all phases of production. They are used for the receipt
and acceptance testing of raw materials, selection and combination of components, quality control over finished
products, updating inventory and customer records and distribution of finished goods. In many environments,
these steps are linked through process control systems and robotics to such an extent that few human hands
make contact with the product.

The effect of integrated operations systems is dramatic, as can be seen in a just-in-time (JIT) inventory system.
Companies using JIT keep minimal inventory on hand, cutting their costs considerably. The systems themselves
order and schedule arrival of raw materials automatically, frequently through the use of EDI (electronic data
interchange). Organizations using JIT depend on their systems to meet production goals, since such close
monitoring would be impossible without them.

Many of the newer production systems are highly integrated with other organizational systems and may include
the organization's financial systems. Financial data and accounting records are updated automatically as the
systems perform other applications.

Here is an example of how such systems can work: In today's insurance companies, claims may be settled on-
line. Adjustors query the system about limits on a particular type of claim, check on whether a claimant is insured
and print a check for the claim. At the same time, the claim file, claim statistics and other related files are
updated. Contrast this with an unintegrated system where each claim is processed separately within each
application or sub-system. The integrated system helps control operations, since on-line settlement is faster,
more efficient and more effective than the old paper-based method. It produces financial information, and can
answer questions such as: How many claims have been paid this period? How much has been paid? It also can
facilitate compliance with regulatory requirements through questions such as: Are covered claims processed and
paid in a timely fashion? Are loss reserves adequate?

Coexisting Technologies. Despite the challenges of keeping up with the revolution in information systems
technology, it is a mistake to assume that newer systems provide better control just because they are new. In
fact, the opposite may be true. Older systems may have been tried and tested through their use and provide
what is required. The process is such that an organization's systems often evolve to suit requirements, and
become an amalgam of many technologies.

Acquisition of technology is an important aspect of corporate strategy, and choices regarding technology can be
critical factors in achieving growth objectives. Decisions about its selection and implementation depend on many
factors. These include organizational goals, marketplace needs, competitive requirements and, importantly, how
the new systems will help effect control, and in turn be subject to the necessary controls, to promote
achievement of the entity's objectives.

Information Quality

The quality of system-generated information affects management's ability to make appropriate decisions in
managing and controlling the entity's activities. Modern systems often provide online query ability, so that the
freshest information is available on request.

It is critical that reports contain enough appropriate data to support effective control. The quality of information
includes ascertaining whether:

• Content is appropriate — Is the needed information there?
• Information is timely — Is it there when required?
• Information is current — Is it the latest available?
• Information is accurate — Are the data correct?
• Information is accessible — Can it be obtained easily by appropriate parties?

All of these questions must be addressed by the system design. If not, it is probable that the system will not
provide the information that management and other personnel require.

Because having the right information, on time, at the right place is essential to effecting control, information
systems, while themselves a component of an internal control system, also must be controlled. The quality of
information can depend on the functioning of control activities, discussed in Chapter 4.

Communication

Communication is inherent in information systems. As discussed above, information systems must provide
information to appropriate personnel so that they can carry out their operating, financial reporting and
compliance responsibilities. But communication also must take place in a broader sense, dealing with
expectations, responsibilities of individuals and groups, and other important matters.

Internal

In addition to receiving relevant data for managing their activities, all personnel, particularly those with important
operating or financial management responsibilities, need to receive a clear message from top management that
internal control responsibilities must be taken seriously. Both the clarity of the message and the effectiveness
with which it is communicated are important.

In addition, specific duties must be made clear. Each individual needs to understand the relevant aspects of the
internal control system, how they work and his or her role and responsibility in the system. Without this
understanding, problems are likely to arise. In one company, for example, unit heads were required to sign a
monthly report affirming that specified reconciliations had been performed. Each month, the reports were
dutifully signed and submitted. Later, however, after serious problems were uncovered, it was discovered that at
least two unit heads did not know what was really expected of them. One believed the reconciliation was
complete when the amount of the difference between the two figures was merely identified. Another took the
reconciliation process only one step further, believing that its objective was satisfied when each individual
reconciling item was identified. In fact, the intended process was not complete until the reasons for the
differences were pinpointed and appropriate corrective action was taken.

In performing their duties, personnel should know that whenever the unexpected occurs, attention is to be given
not only to the event itself, but also to its cause. In this way, a potential weakness in the system can be identified
and action taken to prevent a recurrence. For example, finding out about unsalable inventory should result not
only in an appropriate writedown in financial reports, but also in a determination of why the inventory became
unsalable in the first place.

People also need to know how their activities relate to the work of others. This knowledge is necessary to
recognize a problem or to determine its cause and corrective action. People need to know what behavior is
expected, or acceptable, and what is unacceptable. There have been instances of fraudulent financial reporting
in which managers, under pressure to meet budgets, misrepresented operating results. In a number of such
instances, no one had told the individuals that such misreporting can be illegal or otherwise improper. This
points up the critical nature of how messages are communicated within an organization. A manager who
instructs subordinates, "Meet the budget — I don't care how you do it, just do it," can unwittingly send the wrong
message.

Personnel also need to have a means of communicating significant information upstream in an organization.
Front-line employees who deal with critical operating issues every day are often in the best position to recognize
problems as they arise. Sales representatives or account executives may learn of important customer product
design needs. Production personnel may become aware of costly process deficiencies. Purchasing personnel
may be confronted with improper incentives from suppliers. Accounting department employees may learn of
overstatements of sales or inventory, or identify instances where the entity's resources were used for personal
benefit.

For such information to be reported upstream, there must be both open channels of communication and a
clear-cut willingness to listen. People must believe their superiors truly want to know about problems and will deal with
them effectively. Most managers recognize intellectually that they should avoid "shooting the messenger." But
when caught up in everyday pressures they can be unreceptive to people bringing them legitimate problems.
Employees are quick to pick up on spoken or unspoken signals that a superior doesn't have the time or interest
to deal with problems they have uncovered. Compounding such problems, the manager who is unreceptive to
troublesome information often is the last to know that the communications channel has been effectively shut
down.

In most cases, the normal reporting lines in an organization are the appropriate communications channel. In
some circumstances, however, separate lines of communication are needed to serve as a fail-safe mechanism
in case normal channels are inoperative. Some companies provide a channel directly to a senior officer, the
chief internal auditor or the entity's legal counsel. One company's chief executive makes himself available one
evening a week, and makes it well known that visits by employees on any subject are truly welcome. Another
chief executive periodically visits with employees in the plant — fostering an atmosphere where people can
communicate problems and concerns. Without both open communications channels and a willingness to listen,
the upward flow of information in an organization might be blocked.

In all cases, it is important that personnel understand that there will be no reprisals for reporting relevant
information. As noted in Chapter 2, a clear message is sent by the existence of mechanisms to encourage
employees to report suspected violations of an entity's code of conduct, and the treatment of employees who
make such reports. Much has been written about the desirability of "whistle-blower" protection, most frequently
in the context of government employees. Some commentators counter with expressions of concern about
entities becoming bogged down dealing with unfounded assertions of disgruntled employees. Certainly, a

balance can and should be reached. It is important that management communicate the right messages and
provide reasonable vehicles for legitimate upstream reporting.

Communications between management and the board of directors and its committees are critical. Management
must keep the board up to date on performance, developments, risks, major initiatives, and any other relevant
events or occurrences. The better the communications to the board, the more effective it can be in carrying out
its oversight responsibilities, and in acting as a sounding board on critical issues and providing advice and
counsel. By the same token, the board should communicate to management what information it needs, and
provide direction and feedback.

External

There needs to be appropriate communication not only within the entity, but outside. With open communications
channels, customers and suppliers can provide highly significant input on the design or quality of products or
services, enabling a company to address evolving customer demands or preferences. Also, anyone dealing with
the entity must recognize that improper actions, such as kickbacks and other improper payments, will not be
tolerated. Companies may communicate directly with vendors, for example, regarding how the company expects
the vendor's employees to act in dealing with it.

Communications from external parties often provide important information on the functioning of the internal
control system. External auditors' understanding of an entity's operations and related business issues and
control systems provides management and the board important control information.

Regulators such as state banking or insurance authorities report results of compliance reviews or examinations
that can highlight control weaknesses. Complaints or inquiries about shipments, receipts, billings or other
activities often point to operating problems. They should be reviewed by personnel independent of the original
transaction. Personnel should be ready to recognize implications of such circumstances, and investigate and
take necessary corrective actions.

Communications to shareholders, regulators, financial analysts and other external parties should provide
information relevant to their needs, so they can readily understand the circumstances and risks the entity faces.
Such communications should be meaningful, provide pertinent and timely information and, of course, conform to
legal and regulatory requirements.

Management's communications with external parties — whether open and forthcoming and serious in follow-up
or otherwise — also send messages internally throughout the organization.

Means of Communication

Communication takes such forms as policy manuals, memoranda, bulletin board notices and videotaped
messages. Where messages are transmitted orally — in large groups, smaller meetings or one-on-one sessions
— tone of voice and body language serve to emphasize what is being said.
Another powerful communications medium is the action taken by management in dealing with subordinates.
Managers should remind themselves, "Actions speak louder than words." Their actions are, in turn, influenced
by the history and culture of the entity, drawing on past observations of how their superiors dealt with similar
situations.

An entity with a long and rich history of operating with integrity, and whose culture is well understood by people
throughout the organization, will likely find little difficulty in communicating its message. An entity without such a
tradition will likely need to put more effort into the way messages are communicated.

Application to Small and Mid-Size Entities

Information systems in smaller organizations are likely to be less formal than in large organizations, but their role
is just as significant. With today's computer and information technology, internally generated data can be
processed effectively and efficiently in most organizations, regardless of size. Information systems in smaller
entities will also typically identify and report on relevant external events, activities and conditions, but their
effectiveness is usually significantly affected by and dependent on top management's ability to monitor external
events. Discussions by an owner-manager or other management personnel with key customers and suppliers,
for example, could be a key source of information on evolving customer preferences or supply sources
necessary to monitor changing conditions and related risks.

Effective internal communication between top management and employees may well be easier to achieve in a
small or mid-size company than in a large enterprise, because of the smaller organization size and its fewer
levels, and greater visibility and availability of the CEO. In effect, internal communication takes place through the
daily meetings and activities in which the CEO and key managers participate. Without the formal
communications channels typically found in large enterprises, many smaller entities find that the more frequent
day-to-day contacts coupled with an open-door policy for senior executives provide effective communication.
And an "actions-speak-louder-than-words policy" can be an even more important communications device — both
internally and externally — in a smaller organization, since the top executives interact directly with a large
proportion of the entity's employees, customers and suppliers.

Evaluation

An evaluator will consider the appropriateness of information and communication systems to the entity's needs.
Listed below are issues one might consider. The list is not all-inclusive, nor will every item apply to every entity; it
can, however, serve as a starting point.

Information

• Obtaining external and internal information, and providing management with necessary reports on the entity's
performance relative to established objectives.

• Providing information to the right people in sufficient detail and on time to enable them to carry out their
responsibilities efficiently and effectively.
• Development or revision of information systems based on a strategic plan for information systems — linked to
the entity's overall strategy — and responsive to achieving the entity-wide and activity-level objectives.
• Management's support for the development of necessary information systems is demonstrated by the
commitment of appropriate resources — human and financial.

Communication

• Effectiveness with which employees' duties and control responsibilities are communicated.
• Establishment of channels of communication for people to report suspected improprieties.
• Receptivity of management to employee suggestions of ways to enhance productivity, quality or other similar
improvements.
• Adequacy of communication across the organization (for example, between procurement and production
activities) and the completeness and timeliness of information and its sufficiency to enable people to discharge
their responsibilities effectively.
• Openness and effectiveness of channels with customers, suppliers and other external parties for communicating
information on changing customer needs.
• Extent to which outside parties have been made aware of the entity's ethical standards.
• Timely and appropriate follow-up action by management resulting from communications received from
customers, vendors, regulators or other external parties.

Chapter 6 — Monitoring
Chapter Summary: Internal control systems need to be monitored — a process that assesses the quality of the
system's performance over time. This is accomplished through ongoing monitoring activities, separate
evaluations or a combination of the two. Ongoing monitoring occurs in the course of operations. It includes
regular management and supervisory activities, and other actions personnel take in performing their duties. The
scope and frequency of separate evaluations will depend primarily on an assessment of risks and the
effectiveness of ongoing monitoring procedures. Internal control deficiencies should be reported upstream, with
serious matters reported to top management and the board.

Internal control systems change over time. The way controls are applied may evolve. Once-effective procedures
can become less effective, or perhaps are no longer performed. This can be due to the arrival of new personnel,
the varying effectiveness of training and supervision, time and resource constraints or additional pressures.
Furthermore, circumstances for which the internal control system originally was designed also may change,
causing it to be less able to warn of the risks brought by new conditions. Accordingly, management needs to
determine whether the internal control system continues to be relevant and able to address new risks.

Monitoring ensures that internal control continues to operate effectively. This process involves assessment by
appropriate personnel of the design and operation of controls on a suitably timely basis, and the taking of
necessary actions. It applies to all activities within an organization, and sometimes to outside contractors as well.
For example, with outsourcing of health claims processing to a third-party administrator, and such processing
directly affecting benefit costs, the entity will want to monitor the functioning of the administrator's activities and
controls.

Monitoring can be done in two ways: through ongoing activities or separate evaluations. Internal control systems
usually will be structured to monitor themselves on an ongoing basis to some degree. The greater the degree
and effectiveness of ongoing monitoring, the less need for separate evaluations. The frequency of separate
evaluations necessary for management to have reasonable assurance about the effectiveness of the internal
control system is a matter of management's judgment. In making that determination, consideration should be
given to the following: the nature and degree of changes occurring and their associated risks, the competence
and experience of the people implementing the controls, as well as the results of the ongoing monitoring.
Usually, some combination of ongoing monitoring and separate evaluations will ensure that the internal control
system maintains its effectiveness over time.

It should be recognized that ongoing monitoring procedures are built into the normal, recurring operating
activities of an entity. Because they are performed on a real-time basis, reacting dynamically to changing
conditions, and are ingrained in the entity, they are more effective than procedures performed in connection with
separate evaluations. Since separate evaluations take place after the fact, problems will often be identified more
quickly by the ongoing monitoring routines. Some entities with sound ongoing monitoring activities will
nonetheless conduct a separate evaluation of their internal control system, or portions thereof, every few years.
An entity that perceives a need for frequent separate evaluations should focus on ways to enhance its ongoing
monitoring activities and, thereby, to emphasize "building in" versus "adding on" controls.

Ongoing Monitoring Activities

Activities that serve to monitor the effectiveness of internal control in the ordinary course of operations are
manifold. They include regular management and supervisory activities, comparisons, reconciliations and other
routine actions.

Examples of ongoing monitoring activities include the following:

• In carrying out its regular management activities, operating management obtains evidence that the system of
internal control continues to function. When operating reports are integrated or reconciled with the financial
reporting system and used to manage operations on an ongoing basis, significant inaccuracies or exceptions to
anticipated results are likely to be spotted quickly. For example, managers of sales, purchasing and production
at divisional, subsidiary and corporate levels are in touch with operations and question reports that differ
significantly from their knowledge of operations. The effectiveness of the internal control system is enhanced by
timely and complete reporting and resolution of these exceptions.
• Communications from external parties corroborate internally generated information or indicate problems.
Customers implicitly corroborate billing data by paying their invoices. Conversely, customer complaints about
billings could indicate system deficiencies in the processing of sales transactions. Similarly, reports from
investment managers on securities gains, losses and income can corroborate or signal problems with the
entity's (or the manager's) records. An insurance company's review of safety policies and practices provides
information on the functioning of controls, from both operational safety and compliance perspectives, thereby
serving as a monitoring technique. Regulators may also communicate with the entity on compliance or other
matters that reflect on the functioning of the internal control system.
• Appropriate organizational structure and supervisory activities provide oversight of control functions and
identification of deficiencies. For example, clerical activities serving as a control over the accuracy and
completeness of transaction processing are routinely supervised. Also, duties of individuals are divided so that
different people serve as a check on each other. This is also a deterrent to employee fraud since it inhibits the
ability of an individual to conceal his or her suspect activities.
• Data recorded by information systems are compared with physical assets. Finished product inventories, for
example, may be examined periodically. The counts are then compared with accounting records, and
differences reported.
• Internal and external auditors regularly provide recommendations on the way internal controls can be
strengthened. In many entities, auditors focus considerable attention on evaluating the design of internal
controls and on testing their effectiveness. Potential weaknesses are identified, and alternative actions
recommended to management, often accompanied by information useful in making cost-benefit determinations.
Internal auditors or personnel performing similar review functions can be particularly effective in monitoring an
entity's activities.

• Training seminars, planning sessions and other meetings provide important feedback to management on
whether controls are effective. In addition to particular problems that may indicate control issues, participants'
control consciousness often becomes apparent.
• Personnel are asked periodically to state explicitly whether they understand and comply with the entity's code of
conduct. Operating and financial personnel may be similarly requested to state whether certain control
procedures, such as reconciling specified amounts, are regularly performed. Such statements may be verified
by management or internal audit personnel.

It can be seen that these ongoing monitoring activities address important aspects of each of the internal control
components.

Separate Evaluations

While ongoing monitoring procedures usually provide important feedback on the effectiveness of other control
components, it may be useful to take a fresh look from time to time, focusing directly on the system's
effectiveness. This also provides an opportunity to consider the continued effectiveness of the ongoing
monitoring procedures.

Scope and Frequency

Evaluations of internal control vary in scope and frequency, depending on the significance of risks being
controlled and importance of the controls in reducing the risks. Controls addressing higher-priority risks and
those most critical to reducing a given risk will tend to be evaluated more often. Evaluation of an entire internal
control system — which will generally be needed less frequently than the assessment of specific controls — may
be prompted by a number of reasons: major strategy or management change, major acquisitions or dispositions,
or significant changes in operations or methods of processing financial information. When a decision is made to
evaluate an entity's entire internal control system, attention should be directed to each of the internal control
components with respect to all significant activities. The evaluation scope will also depend on which of the three
objectives categories — operations, financial reporting and compliance — are to be addressed.

Who Evaluates

Often, evaluations take the form of self-assessments, where persons responsible for a particular unit or function
will determine the effectiveness of controls for their activities. The chief executive of a division, for example, may
direct the evaluation of its internal control system. He or she might personally assess the control environment
factors, and have individuals in charge of the division's various operating activities assess the effectiveness of
other components. Line managers might focus attention primarily on operations and compliance objectives, and
the divisional controller may focus on financial reporting objectives. Then, all results would be subject to the chief
executive's review. The division's assessments would then be considered by corporate management, along with
the internal control evaluations of other divisions.
Internal auditors normally perform internal control evaluations as part of their regular duties, or upon special
request of the board of directors, senior management or subsidiary or divisional executives. Similarly,
management may use the work of external auditors in considering the effectiveness of internal control. A
combination of efforts by both parties may be used in conducting whatever evaluative procedures management
deems necessary.

The Evaluation Process

Evaluating a system of internal control is a process in itself. While approaches or techniques vary, there should
be a discipline brought to the process, and certain basics inherent in it.

The evaluator must understand each of the entity activities and each of the components of the internal control
system being addressed. It may be useful to focus first on how the system purportedly functions, sometimes
referred to as the system design. This may involve discussions with entity personnel and review of existing
documentation.

The evaluator must determine how the system actually works. Procedures designed to operate in a particular
way may over time be modified to operate differently. Or, they may no longer be performed. Sometimes new
controls are established but are not known to persons who described the system and are not included in
available documentation. A determination as to the actual functioning of the system can be accomplished by
holding discussions with personnel who perform or are affected by controls, by examining records on
performance of the controls or a combination of procedures.

The evaluator must analyze the internal control system design and the results of tests performed. The analysis
should be conducted against the backdrop of the established criteria, with the ultimate goal of determining
whether the system provides reasonable assurance with respect to the stated objectives.

Methodology

A wide variety of evaluation methodologies and tools is available, including checklists, questionnaires and
flowcharting techniques. Quantitative techniques are presented in the business and academic literature. Also,
lists of control objectives have been presented, identifying generic objectives of internal control.

As part of their evaluation methodology, some companies compare their internal control systems to those of
other entities, commonly referred to as benchmarking. A company may, for example, measure its system against
companies with reputations for having particularly good internal control systems. Comparisons might be done
directly with another company, or under the auspices of trade or industry associations. Management consultants
may be able to provide comparative information, and peer review functions in some industries can help a
company to evaluate its control system against its peers. A word of caution is needed. When comparing internal
control systems, consideration must be given to differences that always exist in objectives, facts and
circumstances. And, the five individual components and the limitations of internal control (see Chapter 7) need to
be kept in mind.

Documentation

The extent of documentation of an entity's internal control system varies with the entity's size, complexity and
similar factors. Larger organizations usually have written policy manuals, formal organization charts, written job
descriptions, operating instructions, information system flowcharts, and so forth. Smaller companies typically
have considerably less documentation.

Many controls are informal and undocumented, yet are regularly performed and highly effective. These controls
may be tested in the same ways documented controls are. The fact that controls are not documented does not
mean that an internal control system is not effective, or that it cannot be evaluated. An appropriate level of
documentation does usually make the evaluation more efficient. It is helpful in other respects: It facilitates
employees' understanding of how the system works and their particular roles, and makes it easier to modify
when necessary.

The evaluator may decide to document the evaluation process itself. He or she will usually draw on existing
documentation of the entity's internal control system. That will typically be supplemented with additional system
documentation, along with descriptions of the tests and analyses performed in the evaluation process.

The nature and extent of documentation normally will become more substantive when statements about the
system or evaluation are made to additional parties. Where management intends to make a statement to
external parties regarding internal control system effectiveness, it should consider developing and retaining
documentation to support the statement. Such documentation may be useful if the statement is subsequently
challenged.

Action Plan

Executives directing evaluations of internal control systems for the first time might consider the following
suggested outline of where to start and what to do:

• Decide on the evaluation's scope, in terms of the categories of objectives, internal control components and
activities to be addressed.
• Identify ongoing monitoring activities that routinely provide comfort that internal control is effective.
• Analyze control evaluation work by internal auditors, and consider control-related findings of external auditors.
• Prioritize by unit, component or otherwise the higher risk areas that warrant immediate attention.
• Based on the above, develop an evaluation program with short- and long-range segments.
• Bring together the parties who will carry out the evaluation. Together, consider not only scope and timeframes,
but also methodology, tools to be used, input from internal and external auditors and regulators, means of
reporting findings and expected documentation.
• Monitor progress and review findings.
• See that necessary follow-up actions are taken, and modify subsequent evaluation segments as necessary.

Much of the work will be delegated. It's important, however, that the person responsible for conducting the
evaluation manage the process through to completion.

Reporting Deficiencies

Deficiencies in an entity's internal control system surface from many sources, including the entity's ongoing
monitoring procedures, separate evaluations of the internal control system and external parties.

The term "deficiency" as used here is defined broadly as a condition within an internal control system worthy of
attention. A deficiency, therefore, may represent a perceived, potential or real shortcoming, or an opportunity to
strengthen the internal control system to provide a greater likelihood that the entity's objectives will be achieved.

Sources of Information

One of the best sources of information on control deficiencies is the internal control system itself. Ongoing
monitoring activities of an enterprise, including managerial activities and everyday supervision of employees,
generate insights from personnel directly involved in the entity's activities. These insights are gained in real time
and can provide quick identification of deficiencies. Other sources of control deficiencies are the separate
evaluations of an internal control system. Evaluations performed by management, internal auditors or other
personnel can highlight areas in need of improvement.

A number of external parties frequently provide important information on the functioning of an entity's internal
control system. These include customers, vendors and others doing business with the entity, independent public
accountants and regulators. Reports from external sources must be carefully considered for their internal control
implications, and appropriate corrective actions taken.

What Should Be Reported

What should be reported? A universal answer is not possible, as this is highly subjective. Certain parameters,
however, can be drawn.

Certainly, all internal control deficiencies that can affect the entity's attaining its objectives should be reported to
those who can take necessary action, as discussed in the next section. The nature of matters to be
communicated will vary depending on individuals' authority to deal with circumstances that arise, and the
oversight activities of superiors.

In considering what needs to be communicated, it is necessary to look at the implications of findings. For
example, a salesperson points out that earned sales commissions were computed incorrectly. Payroll
department personnel investigate and find that an outdated price on a particular product was used, resulting in
undercomputation of commissions, as well as underbillings to customers. Action taken may include recalculation
of all salespersons' commissions and billings since the price change went into effect. However, this action still
may not address a number of important related questions. Why wasn't the new price used in the first place?
What controls exist to ensure price increases are entered to the information system correctly and on time? Is
there a problem with the computer programs that compute sales commissions and customer billings? If so, are
controls over software development or changes to software in need of attention? Would another component of
internal control have identified the problem on a timely basis had the salesperson not pointed out the error?

Thus, a seemingly simple problem with an apparent solution might have more far-reaching control implications.
This underscores the need for reporting errors or other problems upstream. It is essential not only that the
particular transaction or event be reported, but that potentially faulty controls be reevaluated.

It can be argued that no problem is so insignificant as to make investigation of its control implications
unwarranted. An employee's taking of a few dollars from a petty cash fund for personal use, for example, would
not be significant in terms of that particular event, and probably not in terms of the amount of the entire petty
cash fund. Thus, investigating it might not be worthwhile. However, such apparent condoning of personal use of
the entity's money might send an unintended message to employees.

To Whom to Report

Information generated by employees in conducting regular operating activities usually is reported through normal
channels to their immediate superior. He or she may in turn communicate upstream or laterally in the
organization so that the information ends up with people who can and should act on it. As discussed in Chapter
5, there should be alternative communications channels for reporting sensitive information such as illegal or
improper acts.

Findings of internal control deficiencies usually should be reported not only to the individual responsible for the
function or activity involved, who is in the position to take corrective action, but also to at least one level of
management above the directly responsible person. This process enables that individual to provide needed
support or oversight for taking corrective action, and to communicate with others in the organization whose
activities may be affected. Where findings cut across organizational boundaries, the reporting should cross over
as well and be directed to a sufficiently high level to ensure appropriate action.

Reporting Directives

Providing needed information on internal control deficiencies to the right party is critical to the continued
effectiveness of an internal control system. Protocols can be established to identify what information is needed
at a particular level for decision-making.

Such protocols are based on the general rule that a manager should receive control information needed to affect
action or behavior of people under his or her responsibility, or to achieve the activity's objectives. A chief
executive normally would want to be apprised, for example, of very serious infractions of policies and
procedures. He or she would also want supporting information on the nature of matters that could have
significant financial consequences or strategic implications, or that could affect the entity's reputation. Senior
managers should be apprised of control deficiencies affecting their units. Examples include where assets with a
specified monetary value are at risk, where the competence of personnel is lacking or where important financial
reconciliations are not performed correctly. Managers should be informed of control deficiencies in their units in
increasing levels of detail as one moves down the organizational structure.

Protocols are established by supervisors, who define for subordinates what matters should be reported. The
degree of specificity will vary, usually increasing at lower levels in the organization. While reporting protocols can
inhibit effective reporting if too narrowly defined, they can enhance the reporting process if sufficient flexibility is
provided.

Parties to whom deficiencies are to be communicated sometimes provide specific directives regarding
information to be reported. A board of directors or audit committee, for example, may ask management or
internal or external auditors to communicate only those findings of deficiencies meeting a specified threshold of
seriousness or importance. One such threshold used by the public accounting profession is "reportable
conditions." They are defined as:

… significant deficiencies in the design or operation of the internal control structure, which could adversely
affect the organization's ability to record, process, summarize and report financial data consistent with the
assertions of management in the financial statements.‡

This definition relates to financial reporting objectives, though the concept probably could be adapted to cover
operations and compliance objectives as well.

Application to Small and Mid-Size Entities

Ongoing monitoring activities of small and mid-size entities are more likely to be informal and involve the CEO
and other key managers. Their monitoring of controls is typically a by-product of monitoring the business. It is
accomplished through hands-on involvement in most if not all facets of operations. Their close involvement in
operations often will bring to light significant variances from expectations and inaccuracies in operating or
financial data. An owner-manager of a small business may frequently visit the factory floor, assembly facility or
warehouse, and compare physical inventory with amounts reported by the data processing system. Direct
knowledge of significant customer and vendor complaints, as well as any communications from regulators, also
may alert the management of a smaller enterprise about operating or compliance problems that could signal a
breakdown in controls.

Small and mid-size entities are less likely to undergo separate evaluations of their internal controls systems, and
the need for separate evaluations may be offset by highly effective ongoing monitoring activities. Mid-size
companies may have an internal auditor who performs separate evaluations. Even smaller entities might assign
accounting personnel certain job functions that serve to evaluate controls. Some entities request that their
external auditor perform evaluations of certain aspects of the control system, on perhaps a rotating basis, to
provide the CEO with information about effectiveness.

Because of the more limited organization structures, deficiencies surfacing from monitoring procedures can
easily be communicated to the right person. Personnel in a smaller entity usually have a clear understanding of
the types of problems that need to be reported upstream. What may not always be apparent is who is
responsible for determining the cause of a problem and taking corrective action. This is as important to a small
or mid-size organization as it is for a large one.

Evaluation

In considering the extent to which the continued effectiveness of internal control is monitored, both ongoing
monitoring activities and separate evaluations of the internal control system, or portions thereof, should be
considered. Listed below are issues one might consider. The list is not all-inclusive, nor will every item apply to
every entity; it may, however, serve as a starting point.

Ongoing Monitoring

• Extent to which personnel, in carrying out their regular activities, obtain evidence as to whether the system of
internal control continues to function.
• Extent to which communications from external parties corroborate internally generated information, or indicate
problems.
• Periodic comparison of amounts recorded by the accounting system with physical assets.
• Responsiveness to internal and external auditor recommendations on means to strengthen internal controls.
• Extent to which training seminars, planning sessions and other meetings provide feedback to management on
whether controls operate effectively.
• Whether personnel are asked periodically to state whether they understand and comply with the entity's code of
conduct and regularly perform critical control activities.
• Effectiveness of internal audit activities.

Separate Evaluations

• Scope and frequency of separate evaluations of the internal control system.
• Appropriateness of the evaluation process.
• Whether the methodology for evaluating a system is logical and appropriate.
• Appropriateness of the level of documentation.

Reporting Deficiencies
• Existence of mechanism for capturing and reporting identified internal control deficiencies.
• Appropriateness of reporting protocols.
• Appropriateness of follow-up actions.

Chapter 7 — Limitations of Internal Control

Chapter Summary: Internal control, no matter how well designed and operated, can provide only reasonable
assurance to management and the board of directors regarding achievement of an entity's objectives. The
likelihood of achievement is affected by limitations inherent in all internal control systems. These include the
realities that human judgment in decision-making can be faulty, and that breakdowns can occur because of such
human failures as simple error or mistake. Additionally, controls can be circumvented by the collusion of two or
more people, and management has the ability to override the internal control system. Another limiting factor is
the need to consider controls' relative costs and benefits.

Internal control has been viewed by some observers as ensuring an entity will not fail - that is, the entity will
always achieve its operations, financial reporting and compliance objectives. In this sense, internal control
sometimes is looked upon as a cure-all for all real and potential business ills. This view is misguided. Internal
control is not a panacea.

In considering limitations of internal control, two distinct concepts must be recognized:

• First, internal control - even effective internal control - operates at different levels with respect to different
objectives. For objectives related to the effectiveness and efficiency of an entity's operations - achievement of its
basic mission, profitability goals and the like - internal control can help to ensure that management is aware of
the entity's progress, or lack of it. But it cannot provide even reasonable assurance that the objectives
themselves will be achieved.
• Second, internal control cannot provide absolute assurance with respect to any of the three objectives
categories.

The first set of limitations acknowledges that certain events or conditions are simply outside management's
control. This is discussed in Chapter 3 under "Achievement of Objectives." The second has to do with the reality
that no system will always do what it's intended to do. The best that can be expected in any internal control
system is that reasonable assurance is obtained. This is discussed in this chapter.

Reasonable assurance certainly does not imply that internal control systems will frequently fail. Many factors,
individually and collectively, serve to provide strength to the concept of reasonable assurance. The cumulative
effect of controls that satisfy multiple objectives and the multipurpose nature of controls reduce the risk that an
entity may not achieve its objectives. Furthermore, the normal, everyday operating activities and responsibilities
of people functioning at various levels of an organization are directed at achieving the entity's objectives. Indeed,
among a cross-section of well-controlled entities, it is very likely that most will be regularly apprised of movement
toward their operations objectives, will regularly achieve compliance objectives, and will consistently produce —
period after period, year after year — reliable financial statements. However, because of the inherent limitations
discussed above, there is no guarantee that, for example, an uncontrollable event, a mistake or improper
reporting incident could never occur. In other words, even an effective internal control system can experience a
failure. Reasonable assurance is not absolute assurance.

Judgment

The effectiveness of controls will be limited by the realities of human frailty in the making of business decisions.
Such decisions must be made with human judgment in the time available, based on information at hand, and
under the pressures of the conduct of business. Some decisions based on human judgment may later, with the
clairvoyance of hindsight, be found to produce less than desirable results, and may need to be changed.

The nature of internal control-related decisions that must be made based on human judgment is described
further below in the discussion of breakdowns, management override and costs versus benefits.

Breakdowns

Even if internal controls are well designed, they can break down. Personnel may misunderstand instructions.
They may make judgment mistakes. Or, they may commit errors due to carelessness, distraction or fatigue. An
accounting department supervisor responsible for investigating exceptions might simply forget or fail to pursue
the investigation far enough to be able to make appropriate corrections. Temporary personnel executing control
duties for vacationing or sick employees might not perform correctly. System changes may be implemented
before personnel have been trained to react appropriately to signs of incorrect functioning.

Management Override

An internal control system can only be as effective as the people who are responsible for its functioning. Even in
effectively controlled entities — those with generally high levels of integrity and control consciousness — a
manager might be able to override internal control.

The term "management override" is used here to mean overruling prescribed policies or procedures for
illegitimate purposes with the intent of personal gain or an enhanced presentation of an entity's financial
condition or compliance status. A manager of a division or unit, or a member of top management, might override
the control system for many reasons: to increase reported revenue to cover an unanticipated decrease in market
share, to enhance reported earnings to meet unrealistic budgets, to boost the market value of the entity prior to a
public offering or sale, to meet sales or earnings projections to bolster bonus pay-outs tied to performance, to
appear to cover violations of debt covenant agreements, or to hide lack of compliance with legal requirements.
Override practices include deliberate misrepresentations to bankers, lawyers, accountants and vendors, and
intentionally issuing false documents such as purchase orders and sales invoices.

Management override should not be confused with management intervention, which represents management's
actions to depart from prescribed policies or procedures for legitimate purposes. Management intervention is
necessary to deal with non-recurring and non-standard transactions or events that otherwise might be handled
inappropriately by the control system. Provision for management intervention is necessary in all internal control
systems because no system can be designed to anticipate every condition. Management's actions to intervene
are generally overt and commonly documented or otherwise disclosed to appropriate personnel, whereas
actions to override usually are not documented or disclosed, with an intent to cover up the actions.

Collusion

The collusive activities of two or more individuals can result in control failures. Individuals acting collectively to
perpetrate and conceal an action from detection often can alter financial data or other management information
in a manner that cannot be identified by the control system. For example, there may be collusion between an
employee performing an important control function and a customer, supplier or another employee. On a different
level, several layers of sales or divisional management might collude in circumventing controls so that reported
results meet budgets or incentive targets.

Costs Versus Benefits

Resources always have constraints, and entities must consider the relative costs and benefits of establishing
controls.

In determining whether a particular control should be established, the risk of failure and the potential effect on
the entity are considered along with the related costs of establishing a new control. For example, it may not pay
for a company to install sophisticated inventory controls to monitor levels of raw material if the cost of raw
material used in a production process is low, the material is not perishable, ready supply sources exist and
storage space is readily available.

Cost and benefit measurements for implementing controls are done with different levels of precision. Generally,
it is easier to deal with the cost side of the equation which, in many cases, can be quantified in a fairly precise
manner. All direct costs associated with instituting a control, and indirect costs where practically measurable, are
usually considered. Some companies also include opportunity costs associated with use of the resources.

In other cases, however, it may be more difficult to quantify costs. It may be difficult to quantify time and effort
related, for example, to certain control environment factors, such as management's commitment to ethical values
or the competence of personnel; risk assessments; and capturing certain external information such as market
intelligence on evolving customer preferences. The benefit side often requires an even more subjective
valuation. For example, the benefits of effective training programs are usually readily apparent, but difficult to
quantify. Nevertheless, certain factors can be considered in assessing potential benefits: the likelihood of the
undesired condition occurring, the nature of the activities, and the potential financial or operating effect the event
might have on the entity.

The complexity of cost-benefit determinations is compounded by the interrelationship of controls with business
operations. Where controls are integrated with, or "built in" to, management and business processes, it is difficult
to isolate either their costs or benefits.

Similarly, many times a variety of controls may serve, individually or together, to mitigate a particular risk.
Consider the case of returned shipments. When they are recorded, is it enough to reconcile updates of inventory
and accounts receivable master files to total returns? Do individual customer account codes also need to be
verified and, if so, to what extent? Is the monthly reconciliation of subsidiary files to master files sufficient? Or,
are more extensive procedures needed to ensure that the subsidiary records are properly updated for the
returns? And what mechanisms are in place to focus attention on whether returns are symptomatic of a systemic
problem in product design, manufacturing, shipping, billing or customer service? The answers to these questions
depend on the risks involved in the particular circumstances and the related costs and benefits of establishing
each control procedure.

Cost-benefit determinations also vary considerably depending on the nature of the business. For example, a
computer system providing information on the frequency with which customers place orders, the dollar value of
orders, and the number of items purchased per order, is very important to a mail order catalog company. For a
manufacturer of top-of-the-line, custom-made sailing vessels, such detailed customer profile information would
be much less important. For the boat maker, such an information system would probably not be deemed cost-
beneficial. Because of the relative insignificance of a particular activity or related risk, it may not be necessary
even to make a cost-benefit analysis at all. The effort to conduct the analysis may not be justified.

The challenge is to find the right balance. Excessive control is costly and counterproductive. Customers making
telephone orders will not tolerate order acceptance procedures that are too cumbersome or time-consuming. A
bank that makes creditworthy potential borrowers "jump through hoops" will not book many new loans. Too little
control, on the other hand, presents undue risk of bad debts. An appropriate balance is needed in a highly
competitive environment. And, despite the difficulties, cost-benefit decisions will continue to be made.

Chapter 8 — Roles and Responsibilities

Chapter Summary: Everyone in an organization has some responsibility for internal control. Management,
however, is responsible for an entity's internal control system. The chief executive officer is ultimately
responsible and should assume "ownership" of the control system. Financial and accounting officers are central
to the way management exercises control, though all management personnel play important roles and are
accountable for controlling their units' activities. Similarly, internal auditors contribute to the ongoing
effectiveness of the internal control system, but they do not have primary responsibility for establishing or
maintaining it. The board of directors and its audit committee provide important oversight to the internal control
system. A number of external parties, such as external auditors, often contribute to the achievement of the
entity's objectives and provide information useful in effecting internal control. However, they are not responsible
for the effectiveness of, nor are they a part of, the entity's internal control system.

Internal control is effected by a number of parties, each with important responsibilities. The board of directors
(directly or through its committees), management, internal auditors and other personnel all make important
contributions to an effective internal control system. Other parties, such as external auditors and regulatory
bodies, are sometimes associated with internal control. There is a distinction between those who are part of an
entity's internal control system and those who are not, but whose actions nonetheless can affect the system or
help achieve the entity's objectives.

Parties internal to an organization are a part of the internal control system. They contribute, each in his or her
own way, to effective internal control — that is, to providing reasonable assurance that specified entity objectives
are achieved.

Parties external to the entity may also help the entity achieve its objectives through actions that provide
information useful to the entity in effecting control, or through actions that independently contribute to the entity's
objectives. However, merely because a party contributes, directly or indirectly, to achieving an entity's objectives,
does not thereby make that party a part of the entity's internal control system.

Responsible Parties

Every individual within an entity has some role in effecting internal control. Roles vary in responsibility and
involvement. The roles and responsibilities of management, the board of directors, internal auditors and other
personnel are discussed below.

Management

Management is directly responsible for all activities of an entity, including its internal control system. Naturally,
management at different levels in an entity will have different internal control responsibilities. These will differ,
often considerably, depending on the entity's characteristics.

In any organization, "the buck stops" with the chief executive. He or she has ultimate ownership responsibility for
the internal control system. One of the most important aspects of carrying out this responsibility is to ensure the
existence of a positive control environment. More than any other individual or function, the chief executive sets
the "tone at the top" that affects control environment factors and other components of internal control. The
influence of the CEO on an entire organization cannot be overstated. What's not always obvious is the influence
a CEO has over the selection of the board of directors. A CEO with high ethical standards can go a long way in
ensuring that the board reflects those values. On the other hand, a CEO who lacks integrity may not be able, or
want, to obtain board members who possess it. One individual who serves on a number of boards of directors
and audit committees said unequivocally that if he has any reservations about the integrity of a CEO, he will
flatly turn down an invitation to serve. Effective boards and audit committees also will look closely at top
management's integrity and ethical values to determine whether the internal control system has the necessary
critical underpinnings.

The chief executive's responsibilities include seeing that all the components of internal control are in place. The
CEO generally fulfills this duty by:

• Providing leadership and direction to senior managers. Together with them, the CEO shapes the values,
principles and major operating policies that form the foundation of the entity's internal control system. For
example, the CEO and key senior managers will set entity-wide objectives and broad-based policies. They take
actions concerning the entity's organizational structure, content and communication of key policies, and the type
of planning and reporting systems the entity will use.
• Meeting periodically with senior managers responsible for the major functional areas - sales, marketing,
production, procurement, finance, human resources, etc. - to review their responsibilities, including how they are
controlling the business. The CEO will gain knowledge of controls inherent in their operations, improvements
required and status of efforts under way. To discharge this responsibility, it is critical that the CEO clearly define
what information he or she needs.

Senior managers in charge of organizational units have responsibility for internal control related to their units'
objectives. They guide the development and implementation of internal control policies and procedures that
address their units' objectives and ensure that they are consistent with the entity-wide objectives. They provide
direction, for example, on the unit's organizational structure and personnel hiring and training practices, as well
as budgeting and other information systems that promote control over the unit's activities. In this sense, in a
cascading responsibility, each executive is effectively a CEO for his or her sphere of responsibility.

Senior managers usually assign responsibility for the establishment of more specific internal control procedures
to personnel responsible for the unit's particular functions or departments. Accordingly, these subunit managers
usually play a more hands-on role in devising and executing particular internal control procedures. Often, these
managers are directly responsible for determining internal control procedures that address unit objectives, such
as developing authorization procedures for purchasing raw materials or accepting new customers, or reviewing
production reports to monitor product output. They will also make recommendations on the controls, monitor
their application and meet with upper level managers to report on the controls' functioning.

Depending on the levels of management in an entity, these subunit managers, or lower level management or
supervisory personnel, are directly involved in executing control policies and procedures at a detailed level. It is
their responsibility to take action on exceptions and other problems as they arise. This may involve investigating
data entry errors or transactions appearing on exception reports, looking into reasons for departmental expense
budget variances or following up on customer back-orders or product inventory positions. Significant matters,
whether pertaining to a particular transaction or an indication of larger concerns, are communicated upward in
the organization.

With each manager's respective responsibilities should come not only the requisite authority, but also
accountability. Each manager is accountable to the next higher level for his or her portion of the internal control
system, with the CEO ultimately accountable to the board.

Although different management levels have distinct internal control responsibilities and functions, their actions
should coalesce in the entity's internal control system.

Financial Officers. Of particular significance to monitoring are finance and controllership officers and their
staffs, whose activities cut across, up and down the operating and other units of an enterprise. These financial
executives often are involved in developing entity-wide budgets and plans. They track and analyze performance,
often from operations and compliance perspectives, as well as a financial one. These activities are usually part
of an entity's central or "corporate" organization, but they commonly also have "dotted line" responsibility for
monitoring division, subsidiary or other unit activities. As such, the chief financial officer, chief accounting officer,
controller and others in an entity's financial function are central to the way management exercises control.

The importance of the role of the chief accounting officer in preventing and detecting fraudulent financial
reporting was emphasized in the Treadway Commission report: "As a member of top management, the chief
accounting officer helps set the tone of the organization's ethical conduct; is responsible for the financial
statements; generally has primary responsibility for designing, implementing and monitoring the company's
financial reporting system; and is in a unique position regarding identification of unusual situations caused by
fraudulent financial reporting". The report noted that the chief financial officer or controller may perform functions
of a chief accounting officer.

When looking at the components of internal control, it is clear that the chief financial (accounting) officer and his
or her staff play critical roles. That person should be a key player when the entity's objectives are established
and strategies decided, risks are analyzed and decisions are made on how changes affecting the entity will be
managed. He or she provides valuable input and direction, and is positioned to focus on monitoring and
following up on the actions decided.

As such, the chief financial (accounting) officer should come to the table an equal partner with the other
functional heads in an entity. Any attempt by management to have him or her more narrowly focused — limited
to principally areas of financial reporting and treasury, for example — could severely limit the entity's ability to
succeed.

Board of Directors

Management is accountable to the board of directors or trustees, which provides governance, guidance and
oversight. By selecting management, the board has a major role in defining what it expects in integrity and
ethical values, and can confirm its expectations through its oversight activities. Similarly, by reserving authority in
certain key decisions, the board can play a role in high-level objective setting and strategic planning, and with
the oversight that the board provides, the board is involved pervasively in internal control.

Effective board members are objective, capable and inquisitive. They have a working knowledge of the entity's
activities and environment, and commit the time necessary to fulfill their board responsibilities. They should
utilize resources as needed to investigate any issues they deem important, and have an open and unrestricted
communications channel with all entity personnel, including the internal auditors, and with the external auditors
and legal counsel.

Many boards of directors carry out their duties largely through committees. Their use and focus vary from one
entity to another, but often include audit, compensation, finance, nominating and employee benefits. Each
committee can bring specific emphasis to certain components of internal control. For example, the audit
committee has a direct role relating to financial reporting, and the nominating committee plays an important role
in internal control by its consideration of qualifications of prospective board members. In fact, all board
committees, through their oversight roles, are an important part of the internal control system. Where a particular
committee has not been established, the related functions are carried out by the board itself.

Audit Committee. Over the years, attention has been given by a number of regulatory and professional bodies
to establishing audit committees. Although audit committees have received increased emphasis over the years,
they are not universally required, nor are their specific duties and activities prescribed. Audit committees of
different entities have different responsibilities, and their levels of involvement vary.

Although some variations in responsibilities and duties are necessary and appropriate, certain characteristics
and functions generally are common to all effective audit committees. Management is responsible for the
reliability of the financial statements, but an effective audit committee plays an important role. The audit
committee (or the board itself, where no audit committee exists) is in a unique position: It has the authority to
question top management regarding how it is carrying out its financial reporting responsibilities, and it also has
authority to ensure that corrective action is taken. The audit committee, in conjunction with or in addition to a
strong internal audit function, is often in the best position within an entity to identify and act in instances where
top management overrides internal controls or otherwise seeks to misrepresent reported financial results. Thus,
there are instances where an audit committee, or board, must carry its oversight role to the point of directly
addressing serious events or conditions.

The Treadway Commission provided "general guidelines," which deal with committee size and terms of
appointment, meeting schedules and participants, full board reporting, members' knowledge of company
operations, review of plans of internal and external auditors, adoption of new accounting principles, significant
estimates, reserves, contingencies and variances between years.

The Treadway Commission emphasized the value of audit committees and recommended that all public
companies be required to establish audit committees composed solely of independent directors. The New York
Stock Exchange requires such audit committees, and the National Association of Securities Dealers, for
companies with securities included in its NASDAQ National Market System, requires audit committees having a
majority of independent directors. The Treadway Commission recognized the practical difficulties, particularly for
smaller, newly public companies, in recruiting a sufficient number of qualified independent directors. It also
recognized that procedures and controls can exist that are the functional equivalent of an audit committee.
Although there are no universal requirements for audit committees, it is clear that internal control is strengthened
by their presence. It makes eminent sense for even small companies, to the extent practicable, to have audit
committees composed of independent directors.

Compensation Committee. This committee can see that emphasis is placed on compensation arrangements
that help achieve the entity's objectives and that do not unduly emphasize short-term results at the expense of
long-term performance.

The Finance Committee. This committee is useful in controlling major commitments of funds and ensuring that
capital expenditure budgets are consistent with operating plans.

The Nominating Committee. This committee provides control over the selection of candidates for directors and
perhaps for top management.

The Employee Benefits Committee. This committee oversees employee benefit programs and sees that they
are consistent with the entity's objectives and that fiduciary responsibilities are being appropriately discharged.

Other Committees. There may be other committees of the board which oversee specific areas, such as ethics,
public policy or technology. Generally, these committees are established only in certain large organizations, or
sometimes in other enterprises due to particular circumstances of the entity.

Internal Auditors

Internal auditors directly examine internal controls and recommend improvements. Standards established by the
Institute of Internal Auditors specify that the scope of internal auditing should encompass the examination and
evaluation of the adequacy and effectiveness of the organization's system of internal control and the quality of
performance in carrying out assigned responsibilities.‡ The standards state that the internal auditors should:

• "Review the reliability and integrity of financial and operating information and the means used to identify,
measure, classify, and report such information.
• "Review the systems established to ensure compliance with those policies, plans, procedures, laws, and
regulations which could have a significant impact on operations and reports and should determine whether the
organization is in compliance.
• "Review the means of safeguarding assets and, as appropriate, verify the existence of such assets.
• "Appraise the economy and efficiency with which resources are employed.
• "Review operations or programs to ascertain whether results are consistent with established objectives and
goals and whether the operations or programs are being carried out as planned."

All activities within an organization are potentially within the scope of the internal auditors' responsibility. In some
entities, the internal audit function is heavily involved with controls over operations. For example, internal
auditors may periodically monitor production quality, test the timeliness of shipments to customers or evaluate
the efficiency of the plant layout. In other entities, the internal audit function may focus primarily on compliance
or financial reporting-related activities.

The Institute of Internal Auditors standards also set forth the internal auditors' responsibility for the roles they
may be assigned. Those standards, among other things, state that internal auditors should be independent of
the activities they audit. They possess, or should possess, such independence through their position and
authority within the entity and through recognition of their objectivity.

Organizational position and authority involve such matters as a reporting line to an individual who has sufficient
authority to ensure appropriate audit coverage, consideration and response; selection and dismissal of the
director of internal auditing only with board of directors' or audit committee's concurrence; internal auditor access
to the board or audit committee; and internal auditor authority to follow up on findings and recommendations.

Internal auditors are objective when not placed in a position of subordinating their judgment on audit matters to
that of others. The primary protection for this objectivity is appropriate internal auditor staff assignments. These
assignments should be made to avoid potential and actual conflicts of interest and bias. Staff assignments
should be rotated periodically and internal auditors should not assume operating responsibilities. Similarly, they
should not be assigned to audit activities with which they were involved recently in connection with prior
operating assignments.

It should be recognized that the internal audit function does not — as some people believe — have primary
responsibility for establishing or maintaining the internal control system. That, as noted, is the responsibility of
the CEO, along with key managers with designated responsibilities (which may include the chief internal
auditor). The internal auditors play an important role in evaluating the effectiveness of control systems and thus
contribute to ongoing effectiveness. Because of organizational position and authority in an entity, and the
objectivity with which it carries out its activities, an internal audit function often plays a very significant role in
effective internal control.

Other Entity Personnel

Internal control is, to some degree, the responsibility of everyone in an entity and therefore should be an explicit
or implicit part of everyone's job description. This is true from two perspectives.

• First, virtually all employees play some role in effecting control. They may produce information used in the
internal control system — for example, inventory records, work-in-process data, sales or expense reports — or
take other actions needed to effect control. These actions may include performing reconciliations, following up
on exception reports, performing physical inspections or investigating reasons for cost variances or other
performance indicators. The care with which those activities are performed directly affects the effectiveness of
the internal control system.
• Second, all personnel should be responsible for communicating to a higher organizational level problems in
operations, noncompliance with the code of conduct, or other violations of policy or illegal actions. Internal
control relies on checks and balances, including segregation of duties, and on employees' not "looking the other
way". Personnel should understand the need to resist pressure from superiors to participate in improper
activities, and channels outside of normal reporting lines should be available to permit reporting of such
circumstances.

Internal control is everyone's business, and roles and responsibilities of all personnel should be well defined and
effectively communicated.

External Parties

A number of external parties can contribute to achievement of the entity's objectives — sometimes by actions
that parallel those taken within an entity. In other cases, external parties may provide information useful to the
entity in its internal control activities.

External Auditors

Perhaps no other external party plays as important a role in contributing to achievement of the entity's financial
reporting objectives as the independent certified public accountants. They bring to management and the board
of directors a unique independent and objective view, and contribute to an entity's achievement of its financial
reporting objectives, as well as other objectives.

In connection with a financial statement audit, the auditor expresses an opinion on the fairness of the financial
statements in conformity with generally accepted accounting principles, and thus contributes to the entity's
financial reporting objectives. While an entity's internal control system can provide a degree of assurance
regarding the fair presentation of the financial statements, the auditor brings the assurance to a higher level. The
auditor, in addition, often provides information to management useful to them in conducting their control
responsibilities.

People have different perceptions regarding the attention given during a financial statement audit to an entity's
internal control system. Some believe that an auditor expressing a standard, unqualified, "clean" opinion on the
financial statements has concluded that the entity's internal control system is effective. Others believe that, at the
very least, the auditor necessarily has conducted a sufficiently thorough review of the internal control system to
identify all or most significant weaknesses. Neither of these views is accurate.

To put a financial statement audit in perspective, it may help first to recognize that an entity can have an
ineffective internal control system, and an auditor may still be able to issue an opinion that the financial
statements are "fairly presented". This is because an auditor focuses attention directly on the financial
statements. If corrections to the financial statements are needed, they can be made, in which case a "clean"
opinion can be rendered. The auditor gives an opinion on the financial statements, not on the internal control
system. Inadequate controls may affect the audit, and make it more costly, due to the need for the auditor to
perform more extensive tests of financial statement balances before forming an opinion.

An auditor must gain sufficient knowledge of an entity's internal control system in order to plan the audit. The
extent of attention given to internal control varies from audit to audit. In some cases, considerable attention is
given, and in others, relatively little attention is given. But even in the former case, an auditor usually would not
be in a position to identify all internal control weaknesses that might exist.

In most cases, auditors conducting a financial statement audit do, in fact, provide information useful to
management in carrying out their internal control-related responsibilities:

• By communicating audit findings, analytical information and recommendations for use in taking actions
necessary to achieve established objectives.
• By communicating findings regarding deficiencies in internal control that come to their attention, and
recommendations for improvement.

This information frequently will relate not only to financial reporting but to operations and compliance activities as
well, and can make important contributions to an entity's achievement of its objectives in each of these areas.
The information is reported to management and, depending on its significance, to the board of directors or audit
committee.

Legislators and Regulators

Legislators and regulators affect the internal control systems of many entities, either through requirements to
establish internal controls or through examinations of particular entities. Many of the relevant laws and
regulations deal only with internal controls over financial reporting, although some, particularly those that apply
to government organizations, can deal with operations and compliance objectives, as well.

The Foreign Corrupt Practices Act of 1977 requires that public companies establish and maintain internal
accounting control systems that satisfy specified objectives. Other federal laws and regulations apply to federal
financial assistance programs, which address a variety of activities ranging from civil rights matters to cash
management, and specify required internal control procedures or practices. The Single Audit Act of 1984
requires independent auditors to report on entities' compliance with the requirements — as do a number of
regulations in certain industries such as financial services. The Federal Deposit Insurance Corporation
Improvement Act of 1991 requires that certain banks report on the effectiveness of their internal controls over
financial reporting, along with an independent auditor's attestation report.

Several regulatory agencies directly examine entities for which they have oversight responsibility. For example,
federal and state bank examiners conduct examinations of banks, and often focus on certain aspects of the
banks' internal control systems. These agencies make recommendations, and frequently are empowered to take
enforcement action.

Thus, legislators and regulators affect entities' internal control systems in two ways. They establish rules that
provide the impetus for management to ensure that internal control systems meet the minimum statutory and
regulatory requirements. And, pursuant to examination of a particular entity, they provide information used by the
entity's internal control system, and provide recommendations and sometimes directives to management
regarding needed internal control system improvements.

Parties Interacting with the Entity

Customers, vendors and others transacting business with an entity are an important source of information used
in conducting control activities:

• A customer, for example, informs a company about shipping delays, inferior product quality or failure to
otherwise meet the customer's needs for product or service. Or, a customer may be more proactive and work
with an entity in developing needed product enhancements.
• A vendor provides statements or information regarding completed or open shipments and billings, which is used
in identifying and correcting discrepancies and reconciling balances.
• A potential supplier notifies top management of an employee's request for a kickback.

These parties provide information that, in some cases, can be extremely important to an entity in achieving its
operations, financial reporting and compliance objectives. The entity must have mechanisms in place with which
to receive such information and to take appropriate action. Appropriate action would include not only addressing
the particular situation reported, but also investigating the underlying source of the problem and fixing it.

In addition to customers and vendors, other parties, such as creditors, can provide oversight regarding
achievement of an entity's objectives. A bank, for example, may request reports on an entity's compliance with
certain debt covenants, and recommend performance indicators or other desired targets or controls.

Financial Analysts, Bond Rating Agencies and the News Media

Financial analysts and bond rating agencies consider many factors relevant to an entity's worthiness as an
investment. They analyze management's objectives and strategies, historical financial statements and
prospective financial information, actions taken in response to conditions in the economy and marketplace,
potential for success in the short and long term, and industry performance and peer group comparisons. The
print and broadcast media, particularly financial journalists, may also at times undertake similar analyses.

The investigative and monitoring activities of these parties can provide insights to management on how others
perceive the entity's performance, industry and economic risks the entity faces, innovative operating or financing
strategies that may improve performance, and industry trends. This information is sometimes provided directly in
face-to-face meetings between the parties and management, or indirectly in analyses for investors, potential
investors and the public. In either case, management should consider the observations and insights of financial
analysts, bond rating agencies and the news media that may enhance internal control.

Footnotes

‡ The term "business" as used here pertains to the activities of any entity, including government and other
not-for-profit organizations.

‡ Although referred to as "a process," internal control may be viewed as a multiplicity of processes.

‡ Report of the National Commission on Fraudulent Financial Reporting (National Commission on
Fraudulent Financial Reporting, 1987).

‡ Kenneth A. Merchant, Fraudulent and Questionable Financial Reporting: A Corporate Perspective
(Morristown, NJ: Financial Executives Research Foundation, 1987).

‡ R.K. Mautz and J. Winjum, Criteria for Management Control Systems (New York: Financial Executives
Research Foundation, 1981).

‡ Michael E. Porter, Competitive Advantage (New York: Free Press, 1985).

‡ Statement on Auditing Standards No. 69, The Meaning of "Present Fairly in Conformity With Generally
Accepted Accounting Principles" in the Independent Auditor's Report (New York: AICPA, 1992).

‡ A transaction is an exchange between the entity and an outside party. The sale of products or services
to customers, and the purchase of products or services from suppliers, are examples of transactions.
An event is another occurrence that can affect financial reporting. For example, a decline in market
value of short-term investments below cost, and a ban on the future sale of certain pharmaceuticals in
product inventory, are events that affect financial reporting. Such events include transfers within an
entity, and allocations and amortization of costs on either a time basis or a measurement of effort or
usage. Applying direct costs during production, and allocating manufacturing overhead costs and costs
of depreciable assets, are occurrences that affect financial reporting.

Events differ from transactions in that they do not involve an exchange between the entity and an
outside party. The primary purpose of distinguishing among these occurrences is to recognize that
exchanges with outside parties are not the only matters that can affect financial reporting. Often, special
attention must be given to identifying these events, since they will not always be evident from daily
operations.

It should be recognized that often considerable judgment, estimates and forecasting future activities are
represented in the financial reporting process.

‡ Statement on Auditing Standards No. 31, Evidential Matter (New York: AICPA, 1980).

‡ Terminology in existing literature varies. These controls are sometimes called general computer
controls, general controls or information technology controls. The term "general controls" is used here
for convenience.

‡ Systems Auditability and Control, referred to as the SAC Report (Altamonte Springs, FL: The Institute of
Internal Auditors Research Foundation, 1991), has as one of its principal objectives providing guidance
on information systems and related control activities.

‡ Reportable conditions include what are referred to as "material weaknesses," discussed in the Reporting
to External Parties volume.

‡ The Institute of Internal Auditors, Inc., Codification of Standards for the Professional Practice of Internal
Auditing (Altamonte Springs, FL: IIA, 1989).

Appendices

Appendix A — Background and Events Leading to the Study

The need to exercise control within organizations was recognized by the earliest leaders of government,
religious and commercial enterprises. With the need to direct and monitor activities, controls were established in
an effort to ensure that the objectives of the entity were achieved.

Over time, the significance of internal control to an entity's success has been recognized not only by leaders of
organizations, but by numerous other parties. Some have looked to internal control to deal with issues beyond
those that business leaders initially considered relevant to their needs.

In recent years, considerable attention has been devoted to internal control by a number of public, private and
professional bodies, which have proposed or issued recommendations or requirements on the subject. This
heightened activity has produced a wide variety of philosophies, resulting in different views about the nature,
purpose and means of achieving effective internal control. To put these views into perspective, a brief review of
the more significant developments is provided.

Perhaps the first important shift in how internal control was viewed stemmed from the emergence of reliable
information as an indispensable means of effecting control. Management of growing enterprises placed
increasing importance on using financial and non-financial information in controlling their entities' activities.
Systems were developed to improve the usefulness and reliability of information. Management also found that,
faced with larger organizations and increasing numbers of employees, directing and limiting people's discretion
became essential. The evolution of effective management practices provided guidance to employees and
greater control over their actions.

From an auditing perspective, it was recognized that an audit of financial statements of entities with effective
internal control systems could be performed more efficiently by directing attention to internal controls. Beginning
in the 1940s, public accounting and internal auditing professional organizations published a number of reports,
guidelines and standards dealing with the implications of internal control in audits. These publications also
addressed definitions and elements of internal control, techniques for its evaluation and the responsibilities of
various parties for internal control.

Watergate

Until the mid-1970s, the preponderance of activity concerning internal control occurred in the fields of systems
design and auditing, focusing on ways to improve internal control systems and to best consider them in audits.
As a result of the 1973-1976 Watergate investigations, however, legislative and regulatory bodies began to give
significant attention to internal control. Separate investigations by the Office of the Watergate Special Prosecutor
and the SEC revealed that a number of major U.S. corporations had been making illegal domestic political
contributions and questionable or illegal payments, including bribes, to foreign government officials. In response
to these investigations, a Congressional committee held hearings on improper payments to foreign government
officials by American corporations. A bill was introduced and ultimately became enacted as the Foreign Corrupt
Practices Act of 1977 (FCPA).

Foreign Corrupt Practices Act of 1977

In addition to anti-bribery provisions, the FCPA contains provisions pertaining to accounting and internal control.
These provisions require corporate management to maintain books, records and accounts that accurately and
fairly reflect the transactions and dispositions of the corporation's assets, and to devise and maintain a system of
internal accounting control adequate to accomplish certain objectives. Thus, a key theme underlying passage of
this act was that sound internal control should provide an effective deterrent to illegal payments.

Immediately following enactment of the FCPA, a spate of activity occurred concerning internal control. Many
public companies expanded the size and capabilities of their internal audit functions, and looked closely at their
internal control systems. Additionally, several bodies, both professional and regulatory, studied various aspects
of internal control and issued a number of proposals and guidelines.

Cohen Commission

The Commission on Auditors' Responsibilities, better known as the Cohen Commission, was formed in 1974 by
the AICPA to study auditors' responsibilities. One of the Commission's recommendations‡ was that corporate
management present a report along with the financial statements that disclosed the condition of the company's
internal control system. Another was that auditors report on management's report. Following the Cohen
Commission's report, which was issued in 1978, the Financial Executives Institute (FEI) issued a letter to its
members endorsing the Cohen Commission management reporting recommendation, with guidelines to assist in
implementing it. Such management reports have appeared with increasing frequency in companies' annual
reports to shareholders.

Securities and Exchange Commission

In 1979 the SEC took the Cohen Commission and FEI actions a step further and proposed rules for mandatory
management reports on an entity's internal accounting controls.‡ The proposed rules called for independent
auditor reporting as well.

The SEC's proposal was significant for a number of reasons. It stated that maintaining a system of internal
control had always been an important management responsibility. And, it suggested that information on the
effectiveness of an entity's internal control system is necessary to enable investors to better evaluate
management's performance of its stewardship responsibilities as well as the reliability of interim and other
unaudited financial information. Although the proposal was later withdrawn — having been criticized for its cost,
the irrelevance of the information to be reported and its too-close correlation with the FCPA, implying a
requirement to state compliance with the law — it tended to further solidify recognition of management's
responsibility for maintaining an effective system of internal control over interim and other unaudited financial
information. In withdrawing the proposal, the SEC said that the public reporting issue would be revisited.

Minahan Committee

Partially in response to the FCPA legislation and the proposals for reporting on internal control, the AICPA in
1979 formed a Special Advisory Committee on Internal Control to provide guidance about establishing and
evaluating internal control. This "Minahan Committee," formed just prior to enactment of the FCPA, was
created to address a perceived void in internal control guidance. Existing guidance was contained mainly in the
professional auditing literature and had been developed especially for auditors. Additional guidance was deemed
necessary to assist management in meeting its internal control responsibilities. Although not formed specifically
for this purpose, the Committee acknowledged that the guidance in its report should be useful to management
and boards of directors in considering whether their companies complied with the internal control provisions of
the FCPA.

Financial Executives Research Foundation

In response to the FCPA, the Financial Executives Research Foundation (FERF) engaged a research team to
study the state of the art of internal control in U.S. corporations. One major contribution of the study, published in
1980, was the cataloging of internal control characteristics, conditions, practices and procedures, and the
identification of the wide diversity of views concerning the definition, nature and purpose of internal control and
how effective internal control should be achieved.

A second, related FERF research study,‡ published in 1981, identified broad, conceptual criteria for evaluating
internal control.

Auditing Pronouncements

The period from 1980 until 1985 saw the development and refinement of professional standards in the auditing
profession related to internal control:

• In 1980, the AICPA issued a standard on the independent auditor's evaluation of, and reporting on, internal
control.‡
• In 1982, the AICPA issued a statement that contained revised guidance concerning the independent auditor's
responsibility for the study and evaluation of internal control in a financial statement audit.‡
• In 1983, the Institute of Internal Auditors (IIA) published a standard that established and revised guidance to
internal auditors on the nature of control and the roles of the participants in its establishment, maintenance and
evaluation.‡
• In 1984, the AICPA published additional guidance concerning the effects of computer processing on internal
control.‡

Legislative Initiatives

By 1985, however, attention was focused on internal control with renewed intensity. Sparked by a number of
business failures and alleged audit failures, a Congressional subcommittee began hearings focusing on a variety
of events involving public companies that raised questions about management's conduct, the propriety of
financial reporting and the effectiveness of independent audits.

During these hearings, legislation was introduced containing provisions intended to curb the kind of financial
reporting problems that were aired during the hearings, including a requirement for a public company's
management to evaluate and report on the effectiveness of the company's internal control. In addition, the
legislation contained a provision requiring independent auditors to provide an opinion on management's report.

Although the legislation was not enacted, the subcommittee expanded the scope of its hearings to consider
other aspects of the financial reporting process and kept the subject of internal control in the spotlight.

Treadway Commission

The National Commission on Fraudulent Financial Reporting, known as the Treadway Commission, was created
in 1985 by the joint sponsorship of the AICPA, American Accounting Association, FEI, IIA and Institute of
Management Accountants (IMA, formerly the National Association of Accountants). The Treadway Commission
had as its major objective to identify the causal factors of fraudulent financial reporting and to make
recommendations to reduce its incidence. The Commission's report,‡ issued in 1987, included
recommendations for management and boards of directors of public companies, the public accounting
profession, the SEC and other regulatory and law enforcement bodies, and academics.

The Commission made a number of recommendations that directly addressed internal control. It emphasized the
importance of the control environment, codes of conduct, competent and involved audit committees and an
active and objective internal audit function. It renewed the call for management reports on the effectiveness of
internal control. Additionally, the Commission called for the sponsoring organizations to work together to
integrate the various internal control concepts and definitions, and to develop a common reference point. It was
suggested that this guidance would help public companies improve their internal control systems, and help judge
their effectiveness.
Based on this recommendation, a task force under the auspices of the Committee of Sponsoring Organizations
of the Treadway Commission conducted a review of internal control literature. The results, published by the IMA,
recommended that the sponsoring organizations undertake a project to provide practical, broadly accepted
criteria for establishing internal control and evaluating its effectiveness. The task force recommended that the
criteria be directed toward the needs of management, since management has the primary responsibility for
establishing, monitoring, evaluating and reporting on internal control. However, it suggested that the criteria
should be developed through a process that would result in their acceptance by other groups having a significant
interest in internal control, including internal and external auditors, educators and regulatory bodies. This study is
a result of that recommendation.

Recent Initiatives

Several other initiatives concerning internal control have emerged. The AICPA's Auditing Standards Board in
1988 issued a revised auditing standard on internal control.‡ This statement more explicitly defined the elements
of an entity's internal control structure, increased the independent auditor's responsibility to understand it and
provided guidance on assessing control risk when conducting a financial statement audit.

Also in 1988, the SEC responded to the Treadway Commission's recommendation that management report on
internal control. The SEC proposed a rule that, among other provisions, calls for management to issue reports
on its responsibility for internal control and its assessment of the effectiveness of the internal control system. In
addition, the proposal would require some limited independent auditor involvement with management's report.

In the years since, legislators and regulators made several initiatives involving internal control, some directed to
specific industries, such as banks, savings and loan institutions, and defense contractors, with others being
broad based, potentially affecting all SEC registrants. Proposed legislation included requirements that
management assess and report on the effectiveness of its internal controls and that an independent auditor
attest to the management reports. One such bill, relating to banks, has become law, in the form of the Federal
Deposit Insurance Corporation Improvement Act of 1991. Many observers expect to see additional legislative
initiatives forthcoming.

Also in 1991, two separate initiatives dealing with certain aspects of internal control were completed. First, the
Institute of Internal Auditors Research Foundation issued a report providing guidance on the control and audit of
information systems.‡ Later in the year the U.S. Sentencing Commission enacted guidelines‡ for criminal justice
system use in assessing sanctions for white-collar crime. The guidelines, which permit significantly reduced
penalties for entities having an effective program to prevent and detect violations of law, deal largely with what
are viewed as compliance-related internal controls.

The Study

An array of concepts and views of internal control has developed over the years, expressed in proposed
legislation, regulation, professional standards and guidelines, public and private reports, and a substantial and
diverse body of academic literature.

The scope of these writings is as broad as the wide variety of purposes internal control can serve and the many
perspectives from which it can be viewed. They contain different definitions of internal control, disparate views
on the role of internal control in an entity and how it should be established, and varying opinions on how internal
control effectiveness should be determined.

The expanded focus of both the public and private sectors on internal control has increased the sensitivity of
corporate management, internal and independent auditors, legislators, regulators, academics and the general
public to the need for effective internal control to manage and control an entity's activities. This study was
initiated to provide a common understanding of internal control among all parties and to assist management to
exercise better control over an enterprise.

Appendix B — Methodology

The methodology employed in this study was designed to produce a report meeting the stated objectives: to
assist managements in improving their entities' internal control systems, and to provide a common
understanding of internal control among interested parties. It was geared to the development of a report that is
both theoretically sound and meets the needs of business executives who effect internal control in the "real
world."

Because of their diverse needs, the project plan was designed to solicit the views of the various parties
interested in the subject of internal control, including corporate executives, legislators, regulators, academics
and auditors. Input was obtained from executives of companies of varying size, both public and private, in
different industries, and included chief executives, chief financial officers, controllers and internal auditors.

The project consisted of seven phases:

1. Literature Search — to identify existing alternative conceptualizations of, and viewpoints and
perspectives on, internal control.
2. One-on-One Interviews — to obtain insights from a broad range of knowledgeable individuals,
regarding both conceptual issues and how corporate executives control business activities.
3. Questionnaire — to obtain additional input on issues which, as a result of information obtained in the
previous phases, the project team identified as needing clarification or additional insights.
4. Workshops — to obtain comments and recommendations on a preliminary draft of the framework.
5. Public Exposure — to determine if the framework is sound, logical and useful to managements and
other interested parties.
6. Field Tests — to obtain additional feedback on the framework's evaluation criteria, methodologies and
tools.
7. Additional Exposure and Meetings — to determine whether modifications to the prior draft released for
public exposure appropriately addressed the issues raised.


The plan was designed as a cumulative process. Not all topics were addressed in each phase. Rather, the
results from one phase served as input to and shaped the design of the next. Accordingly, the concepts,
components and criteria set forth in this report evolved over the course of the project, and are the result of
information received in all phases of the project.

As one might expect, many different and sometimes contradictory opinions were expressed on many issues —
within a project phase, and between phases. The project team considered the merits of the various positions,
both individually and in light of their effect on related issues, placing emphasis on those facilitating development
of a relevant, logical and internally consistent framework.

Throughout the project, the project team received advice and counsel from an Advisory Council to the
Committee of Sponsoring Organizations. The Advisory Council, composed of individuals in senior financial
management, internal and external audit and academia, met periodically with the project team to review the
project plan, study drafts of the framework and take up related matters. The Advisory Council's views are fully
reflected in this report. Each of the project phases is summarized below.

Literature Search

A search of the literature was performed to identify alternative conceptualizations, viewpoints and perspectives
regarding internal control — that is, to identify relevant information in existing published sources. It focused
primarily on two data bases.

The Accountants Index data base was used to identify literature dealing directly with the subject of internal
control. The Abstracted Business Information/Inform data base was used to identify sources not directly related
to the subject of internal control over financial reporting. It focused on topics in fields other than accounting and
auditing. For example, literature was identified relating to criteria for evaluating the effectiveness of a research
and development department, an academic institution and a health care facility.

The project team read abstracts of approximately 1,700 articles, books and other publications identified as
containing potentially useful information. From those abstracts, approximately 700 sources were selected and
read. These sources were supplemented by others brought to the attention of the project team.

One-on-One Interviews

Interviews were conducted with corporate chief executive officers, chief financial officers, legislators, regulators,
public accountants, management consultants and academics.

Corporate executives were selected through a random selection process coordinated by Decision Research
Corporation (DRC), using a data base with the trade name "FINEX," to provide a cross-section based on
company size and geographical location, industry and ownership characteristics. Those selections were
supplemented with individuals identified by the Financial Executives Research Foundation, the Advisory Council
and the project team.

Interviews were conducted as follows:

Chief executive officers: 7
Chief financial officers: 14
Controllers: 2
Internal auditors: 1
Legislators and regulators: 8
Senior executives of large, medium and small public accounting and consulting firms: 8
Academics: 5
Total: 45

Many of the interviewees were accompanied by their associates. The interviews were generally attended by two
members of the project team, and were conducted in accordance with an interview guide prepared by the project
team with the assistance of DRC. Interview results were summarized in a standard format.

Questionnaire

The questionnaire was designed to obtain additional input on a limited number of issues that, as a result of
information obtained in the previous phases, the project team identified as needing clarification and additional
insights.

The questionnaire was mailed to corporate executives (including chief executive officers, chief financial officers,
controllers and internal audit directors), members of boards of directors, legislators and regulators, external
auditors and academics.

The corporate executives included in the mailing were selected at random by DRC from the FINEX data base.
Directors were selected by the project team from corporate proxy statements published during the year
preceding the mailing. Legislators and regulators were selected by the project team based on input received
from one-on-one interviews and, within specific functional categories such as banking or insurance committees,
using the 1989-1990 Congressional Directory for Committees, Departments or Independent Agencies and the
1989-1990 State Legislative Leadership, Committees & Staff. External auditors were selected by the project
team from a list supplied by the AICPA and included audit and consulting partners from large, medium and small
public accounting firms located throughout the country. Academics, including faculty in accounting, finance and
management disciplines, were selected by the project team from the 1989 Accounting and Faculty Directory and
from lists recommended by business school deans.

The following table summarizes the responses received:

Chief executive officers: 34
Chief financial officers: 108
Controllers: 78
Internal audit directors: 86
Directors, including audit committee chairmen and members: 26
Legislators and regulators: 60
External auditors: 49
Academics: 81
Total: 522

Workshops

Eight workshops were held to obtain comments and recommendations on a preliminary report draft. One
workshop was held with each of the five sponsoring organizations, and one each with federal legislators and
regulators, executives from the financial services industry and representatives of the Committee on Law and
Accounting of the Business Law Section of the American Bar Association.

Each of the sponsoring organizations selected members from the organization to attend the workshop. The
project team selected the participants for the legislators and regulators workshop, FERF selected the
participants for the financial services industry workshop and the chairman of the ABA committee selected the
participants for the ABA workshop.

Each workshop was conducted by two members of the project team. Prior to the workshop, participants were
provided with a copy of the preliminary report to allow identification of topics requiring discussion. The
workshops included an overview presentation on the project and the preliminary report, and a discussion of
selected issues identified by the project team and matters identified by the participants.

Public Exposure

A draft report was circulated for public comment. The exposure draft was distributed to members of the five
sponsoring organizations, corporate chief executive officers and federal legislators and regulators. More than
40,000 copies were distributed.

Two hundred eleven comment letters were received, from the following categories of respondents (comments
from professional organizations are included with the category of respondent that they represent):

Chief executive officers: 13
Chief financial officers or controllers: 107
Internal auditors: 37
Legislators and regulators: 12
External auditors: 23
Academics: 14
Other: 5
Total: 211

Field Tests

To obtain additional feedback, the framework's evaluation criteria, methodologies and tools were field tested by
five public companies. The companies, from different industries, ranged in size from less than $10 million in
annual sales to a multibillion-dollar company. The field testers considered each of the components and focused
on at least one activity in detail, some limiting the evaluation to controls over financial reporting, and some
including operations and compliance controls as well.

Additional Exposure and Meetings

A revised report was distributed for comment to parties who responded to the initial exposure draft, parties
identified by the sponsoring organizations and others requesting a copy. Approximately 3,000 copies were
distributed. Forty-five comment letters were received.

Twelve meetings, similar in scope to the workshops, were held to obtain comments and recommendations on
the revised draft. A total of five meetings were held with four of the sponsoring organizations. Meetings were
also held with representatives of the federal bank regulators, SEC and General Accounting Office, Committee on
Law and Accounting of the Business Law Section of the American Bar Association, American Banking
Association, boards of directors and audit committees, and the AICPA Public Oversight Board. In addition, an
open meeting was held for recipients of the revised draft who did not attend any of the other meetings.

Acknowledgments

The Project Advisory Council and Coopers & Lybrand gratefully acknowledge individuals who made important
contributions to this study.

The following individuals provided comments on various topics during group discussions: Lewis E. Burnham,
General Auditor, Phillips Petroleum; John H. Dykes, Vice President - Finance & CFO, Engraph Inc.; Williard E.
Hick, Second Vice President, Mass. Mutual Life Insurance Company; James K. Loebbecke, School of
Accounting, College of Business, University of Utah; James L. Moody, Jr., Chairman and Chief Executive
Officer, Hannaford Bros. Co; Donald S. Perkins, Former Chairman of the Board, Jewel Companies, Inc.; Owen
Robbins, Vice President Finance, Teradyne; Robert J. Sack, Lecturer, Darden Graduate School of Business,
University of Virginia; Edward J. Sot, Controller, Merck & Co., Inc.; John B. Sullivan, Partner, Deloitte & Touche;
and Dr. Wanda A. Wallace, School of Business Administration, The College of William and Mary.

The following individuals served as consultants to Coopers & Lybrand in conducting the study: Henry R.
Jaenicke, Professor of Accounting, Drexel University; Alan J. Winters, Professor of Accounting, University of
South Carolina; and Maureen Berman, Decision Research Corporation.

Roland L. Laing of the Financial Executives Research Foundation coordinated the early stages of the study.

Many other individuals, including executives, legislators, regulators, auditors and academics, gave their time and
energy in participating in and contributing to various aspects of the study.

Appendix C — Perspectives on and Use of Definition

Many groups use the term "internal control" or variations of it — but it doesn't mean the same thing to all of
them. Different terms and definitions have been created to suit each party, which are used both in practice and
in literature on internal control.
While different perspectives on internal control are necessary, the variety of meanings prevents common
understanding of internal control. Operating executives, financial executives, directors, independent and internal
auditors, legislators and regulators, and investors and creditors often perceive internal control differently.

Before attempting a definition of internal control, it is useful to review the meaning of the words "control" and
"internal," and then consider different parties' perspectives.

Existing definitions of control include: exercising, restraining or directing influence; power or authority to guide or
manage; direction, regulation and coordination of business activities; and a mechanism used to regulate or guide
the operation of a system.‡ These definitions have in common the guiding or directing of activities, but they do
not focus on the desired end result. The concept of moving toward a desired objective is, however, incorporated
into the following definition:

"Purposive influence toward a predetermined objective."‡

This definition embodies two related notions:

• To effect control, there need to be predetermined objectives. Without objectives, control has no meaning.
• Control involves influencing someone and/or something — such as an entity's personnel, a business unit or an
entire enterprise — with the purpose of moving toward the objectives.

Establishing objectives, and taking actions toward achieving them, are fundamental to the concept of control.
The actions may involve directing, guiding, restraining, regulating or managing. But to effect control, they must
seek to achieve specified objectives.

A dictionary definition for internal is "existing or situated within the limits or surface of something." For this study,
the "something" is an "entity" or "enterprise." That is, the focus is within the limits of a business or other entity
such as a university, a government agency, a charitable organization or an employee benefit plan. Thus, internal
control would include, for example, actions of an entity's board of directors, management or other personnel,
including internal auditors, but would exclude actions of regulators and external auditors.

Different Perspectives

Different perspectives on internal control are not undesirable. Internal control is concerned with entity objectives,
and different groups are interested in different objectives for different reasons.

Management

Management views internal control from the broad perspective of the entire organization. Its responsibility is to
develop the entity's objectives and the strategies, and to direct its human and material resources to achieve the
objectives.

For management, internal control covers a wide spectrum, including policies, procedures and actions to help
ensure that an entity achieves its objectives. It includes all personally carried out and delegated activities that
enable management to: direct and monitor operations, be aware of relevant internal and external events, and
identify and deal with risks.

Internal control enables management to take timely action when conditions change. Information is provided, for
example, on production, sales, inventory levels and other areas that bear on effective decision-making. Broader-
based events — such as technology changes, industry innovations, actions of competitors, customers and
suppliers, and legislative initiatives — also are addressed. This allows management to lessen adverse impacts
or take advantage of emerging opportunities. Internal control also helps management ensure that it complies
with environmental, social and legal responsibilities. These include fiduciary rules for employee benefit plans,
worker safety regulations and rules for proper disposal of hazardous waste. Ensuring compliance protects the
reputation of the enterprise.

Internal Auditors

The Institute of Internal Auditors (IIA) defines internal control as "any action taken by management to enhance
the likelihood that established objectives and goals will be achieved," and elaborates on the nature of these
actions by noting that control is the result of proper planning, organizing and directing by management.‡

This broad view of internal control is consistent with the IIA's view of internal auditing's role in an entity: that
"internal auditing examines and evaluates the planning, organizing, and directing processes to determine
whether reasonable assurance exists that goals and objectives will be achieved." All of an entity's systems,
processes, operations, functions and activities are included within the purview of internal control. In practice, the
scope of internal auditing organizations will vary, depending on their charter in the entity.

Independent Auditors

Independent certified public accountants, because of their role as auditors of financial statements, have focused
their perspective of internal control primarily on those aspects that support or affect the entity's external financial
reporting.

Still, the literature of the AICPA first defines internal control broadly as "the policies and procedures established
to provide reasonable assurance that specific entity objectives will be achieved."‡ This definition is consistent
with the perspectives of management and internal auditors discussed above.

The broad definition, however, is then narrowed to identify the scope of internal control relevant to the
independent auditor's responsibility. This narrowing is accomplished by noting that policies and procedures are
relevant to an audit of the entity's financial statements when they "pertain to the entity's ability to record, process,
summarize, and report financial data consistent with the assertions embodied in the financial statements."‡

Although for audit-planning purposes independent auditors gain knowledge of an entity's business and industry
— including its business objectives, strategies and competitive position — they do not need to address the
totality of internal control to audit the enterprise's financial statements. This narrowing of focus is the same
process that many others must perform to carry out their duties.

Other External Parties

Legislators, regulators, investors and creditors each have different perspectives on internal control.

Legislators and regulatory agencies have developed various definitions of internal control to conform to their
responsibilities. These definitions generally relate to the types of activities monitored, and may encompass
achievement of the entity's goals and objectives, reporting requirements, use of resources in compliance with
laws and regulations, and safeguarding resources against waste, loss and misuse. In certain instances, such as
the Foreign Corrupt Practices Act of 1977, government has focused on one particular area. The FCPA defines
internal accounting control in terms of providing reasonable assurance regarding the achievement of certain
objectives, dealing with execution of transactions in accordance with management's authorization, recording
transactions to permit financial statement preparation in accordance with generally accepted accounting
principles and to maintain asset accountability, permitting access to assets only with management's
authorization, and comparing assets with accounting records.

Investors and creditors need information, primarily financial, that generally is consistent with the type addressed
by independent auditors. Other external parties need a variety of information about an entity. However, these
constituencies have limited ability to require specific entities to provide information and usually are not in a
position to impose their perspectives on internal control.

Definition

Despite the variety of perspectives, there are commonalities. Internal control generally is considered to pertain to
a spectrum of activities within an entire organization. There also is general agreement that internal control is
intended to assist in attaining an entity's objectives, and thus is a means to an end. And there is considerable
agreement that internal control constitutes a set of positive actions taken by an entity to foster appropriate
behavior of its personnel. These common perspectives are consistent with the aforementioned definition of
control as "purposive influence toward a predetermined objective," and lead to the position that two elements are
essential to any definition of internal control:

• There must be objectives that an entity seeks to achieve.
• There must be actions taken with the purpose of moving toward achievement of the objectives.

Although different definitions may be used by different parties, any particular definition must be precise enough
to avoid misunderstandings and unwarranted expectations. Because achieving objectives is the purpose of
establishing internal control, its basic definition should be comprehensive — broad enough to encompass most
objectives applicable to all entities — yet structured to allow a narrowing of focus on perhaps only one objective
or category of objectives. The common linkage of internal control to objectives provides the basis for establishing
a core definition from which all other definitions can be extrapolated.

Core Definitions

A core definition that meets these requirements is used in this study:

Internal control is a process, effected by an entity's board of directors, management and other personnel,
designed to provide reasonable assurance regarding the achievement of objectives in the following categories:

• Effectiveness and efficiency of operations.
• Reliability of financial reporting.
• Compliance with applicable laws and regulations.

The three categories of objectives are separate but overlapping, and generally address different needs. A
separate focus on each is generally the most relevant for assessing the effectiveness of controls.

The state or condition of any one or all three internal control categories can be effective or ineffective. Internal
control can be judged effective in each of the three categories, respectively, if the board of directors and
management have reasonable assurance that:

• They understand the extent to which the entity's operations objectives are being achieved.
• Published financial statements are being prepared reliably.
• Applicable laws and regulations are being complied with.

Special-Purpose Definitions

While an entity may consider the effectiveness of all three categories of objectives, it will likely want to focus
attention on certain categories, and perhaps on only certain activities within a category. Such targeted focus
leads to special-purpose definitions for certain activities or objectives. By identifying and describing specific
objectives, special-purpose definitions of internal control can be derived from the core definition.

A special-purpose definition for the effectiveness and efficiency of operations category involving the sales
activity, derived from the core definition, would be:

Internal control over sales operations is a process, effected by an entity's vice-president of sales and
other personnel, designed to provide reasonable assurance regarding the achievement of the objectives
specified in the entity's 19XX sales budget.

Internal control over the sales operations can be judged effective if the entity's vice-president of sales has
reasonable assurance that he or she understands the extent to which the objectives specified in the
entity's 19XX sales budget are being achieved.

For the objective of reliable financial reporting, a definition is:

Internal control over the preparation of published financial statements is a process, effected by an
entity's board of directors, management and other personnel, designed to provide reasonable assurance
regarding the reliability of such financial statement preparation.

Internal control over the preparation of published financial statements can be judged effective if the entity's
board of directors and management have reasonable assurance that such financial statements are being
prepared reliably.

Similarly, a definition for compliance, such as compliance with government contracting requirements, would be:

Internal control over compliance with government contracting rules and regulations is a process,
effected by an entity's board of directors, management and other personnel, designed to provide
reasonable assurance regarding such compliance.

Internal control over compliance with government contracting rules and regulations can be judged effective
if the entity's board of directors and management have reasonable assurance that applicable government
contracting laws and regulations are being complied with.

Appendix D — Consideration of Comment Letters
As noted in Appendix B, a draft of this report was issued for public comment, generating 211 comment letters.
These letters contained literally thousands of individual comments on a wide variety of the issues discussed.
Also as noted, a revised report draft was issued to respondents to the initial draft and used at meetings held to
discuss it, generating 45 comment letters and many oral comments. Each comment was considered in
formulating revisions to the report drafts.

This appendix summarizes the more significant comments, and the resulting modifications reflected in this final
report. It also includes reasons why certain views were accepted and others were not.

Definition

Breadth of Definition. The exposure draft defined internal control broadly, addressing achievement of all
categories of an entity's objectives — effectiveness and efficiency of operations, reliability of financial reporting,
and compliance with laws and regulations. Some respondents supported the broad definition, while others said it
was too broad and should address only financial reporting objectives. Some of the latter respondents indicated
that the broad definition could result in inappropriate expectations and misunderstandings of an entity's ability to
achieve all its objectives, and is inconsistent with the framework's guidelines for reporting to external parties,
which are limited to the reliability of financial reporting.

It was concluded that a broad definition should be retained for several reasons:

• A concept fundamental to any framework is that it defines the whole, as well as its parts. A framework for
internal control, therefore, must define the totality of what internal control encompasses, as well as specific
categories of internal control. A broad definition and identification of individual parts will help to facilitate
communication, minimize misunderstanding and reduce the "expectation gap" (the difference between what is
expected of internal control and what it can actually deliver).
• A broad definition can accommodate narrower views of internal control. The definition in this report
encompasses most, if not all, of the narrower definitions suggested, and allows a specific focus on the narrower
concepts.
• The three internal control categories — operations, financial reporting and compliance — are interrelated, and
internal control itself is integrated with the business and management processes. These relationships would
largely be lost with a narrow definition restricted, for example, to financial reporting.

Categories of Objectives. The exposure draft presented three categories of objectives but they were not
explicitly named in the formal definition of internal control. Some respondents stated that the categories of
objectives should be included within that definition.

It was agreed the three categories should be explicitly named in the definition for two reasons: because of their
central importance to internal control, and because naming them would help clarify that any one of the three
categories could be a separate focus of attention.

Process. The exposure draft defined internal control as a process. Some respondents agreed with this concept,
but others indicated that internal control is a state or condition.

It was concluded that internal control is in fact a process and, in order to communicate its relationship to the
management process and its dynamic nature, it should continue to be defined as a process. Recognizing,
however, that a process can be identified as having a particular state or condition at one or more points in time,
it was concluded that another definition pertaining to the state of internal control should be presented. The final
report therefore contains two definitions: one for internal control, which is a process, and another for "effective"
internal control, which is a state or condition of the process.

Specified Objectives. The definition in the exposure draft referred to the achievement of "specified objectives."
Some respondents suggested that a more appropriate term would be "entity's specified objectives," because no
one set of objectives exists for all entities.

The report has been revised to reflect this point. The definition of effective internal control reflects the notion that
operations objectives are unique to the entity. The definition does, however, retain the notion that objectives for
the reliability of financial reporting and compliance with laws and regulations are established primarily by
external parties and are generally consistent across entities.

Reasonable Assurance. The definition in the exposure draft included the term "reasonable assurance." Some
respondents said that although internal control cannot provide absolute assurance, the word "reasonable" in the
term "reasonable assurance" should not be used because it is used by management to avoid responsibility.
Others argued that the word "assurance" is not appropriate because it implies a guarantee that objectives
always will be achieved. The term reasonable likelihood was suggested as one alternative.

The term "reasonable assurance" was retained in the definition because it is believed to best describe the
limitations of internal control. Much of the literature on the subject uses the term, and it is commonly used and
well understood in the business community. To better communicate what is meant by reasonable assurance, the
concept has been more directly related in the final report to the topics addressed in Chapter 7. This direct
linkage is intended to portray more fully the reasonable assurance concept and to address respondents'
concerns.

Another comment on the term "reasonable assurance" involved a question of to whom the assurance is being
provided. The final report clarifies that internal control is a management tool, to be used by and for management
and the board. (When a management report is issued, management makes a public statement that it and the
board have reasonable assurance as to achievement of the specified objectives.)

Naming the Components in the Definition. The exposure draft's definition included the nine internal control
components. Some respondents proposed that the nine components be eliminated from the definition because
they add length, making the definition more difficult to comprehend. Others suggested that the components be
retained because they are fundamental to the internal control framework and should be part of the definition;
further, their retention in the definition helps to communicate that all components apply to each of the three
categories of objectives.

It was concluded that the internal control components could be removed from the definition, to make it less
verbose, without loss of clarity or emphasis with regard to the related concepts. Further, to better describe the
relationship between the objectives categories and the components, a chart depicting the relationship has been
added.

Achievement of Operations Objectives. Some respondents said the exposure draft's definition implies that to
have effective internal control an entity must achieve all of its objectives, including its operations objectives.
They generally agreed with the discussion in the exposure draft that an internal control system can provide
information regarding progress being made toward achievement of operations objectives, and they proposed
that the definition be revised to better reflect that fact.

The addition in the final report of a definition of effective internal control addresses this concern. The report
explicitly defines effective internal control over operations in terms of management and the board having an
understanding of the extent to which the entity's operations objectives are being achieved.

Reliability of Financial Reporting. The exposure draft used the term "reliability" of financial reporting. Some
respondents said use of that term carries unfortunate liability implications, and it should be replaced. For the
same reason, use of the term "materially correct" should be avoided.

The final report retains the term "reliable," because of its common usage, but now defines it in terms of the
preparation of fairly presented financial statements, supported by specific financial statement assertions. The
term "materially correct" has been deleted.

Safeguarding of Assets. Some respondents, generally those suggesting that internal control be defined
narrowly to deal only with financial reporting objectives, suggested that asset safeguarding objectives be
included as well.

The final report carries forward the exposure draft's discussion of safeguarding of assets, noting that while
safeguarding objectives are primarily operations objectives, certain aspects of that concept fall under each of the
objectives categories — operations, financial reporting and compliance. The final report has further discussion of
circumstances in which certain safeguarding controls could fall under the financial reporting category.

Components

Grouping of Components. Some respondents commenting on the nine internal control components agreed
with the proposed components. Others, however, said that nine components were too many, and that there was
excessive overlap and redundancy among them. A variety of suggestions on how to restructure the components
were provided.

It was concluded that the components structure could be streamlined and unnecessary overlap eliminated
without loss of substance, by restructuring the components as follows:

Exposure Draft                                Final Report

Integrity, Ethical Values and Competence      Control Environment
Control Environment

Objectives                                    Risk Assessment
Risk Assessment
Managing Change

Control Procedures                            Control Activities

Information Systems                           Information and Communication
Communication

Monitoring                                    Monitoring

The "objectives" component has been eliminated as a separate component. The view expressed by some
respondents that the establishment of objectives is part of the management process but is not part of internal
control, was adopted. The final report recognizes this distinction, and discusses objective setting as a
precondition to internal control.

There were two changes in terminology. "Control procedures" is now "control activities," to capture the notion
that both policies and the procedures to carry them out are encompassed. The word "systems" is no longer
attached to information, to avoid the implication that it is restricted to data processing systems. The information
(and communication) component is a much broader concept.

Determining Effectiveness. Some respondents questioned the exposure draft's statement that all nine
components must be present to conclude that internal control is effective. They indicated that the components
should be considered together and need not be individually present for internal control to be effective. They
suggested that the report recognize that weaknesses in one component could be offset or compensated for by
other components.

It was concluded that the concept set forth in the exposure draft, that all components must be present for
effective internal control, should be retained. It was agreed, however, that there is validity to the position that
some degree of trade-off among components may occur. The final report acknowledges that controls in one
component may compensate for weak controls in another, and describes how the existence of complementary
controls in different components can, together, provide effective internal control.

Internal Control and the Management Process

Management Activities. Some respondents said that internal control is only a part, albeit an important part, of
the management process, and that the exposure draft incorrectly defines internal control in a way that
encompasses or appears to encompass the entire management process. They believe this implies that internal
control can ensure management's achievement of the entity's objectives, which implication could continue or
aggravate the existing expectation gap.

To address these comments, the final report more clearly distinguishes internal control from other aspects of the
management process. It makes clear that many management responsibilities such as establishing objectives,
making business decisions, executing transactions and carrying out plans are among the management activities
that are integrated with, but not a part of, the internal control system.

Preventing Business Failures. In addition to the concerns described above, some respondents said that the
exposure draft implies that effective internal control will prevent business failures and other problems, and that
this too could expand the expectation gap. They suggested strengthening the discussion of the limitations of
internal control.

The final report contains additional emphasis of the limitations of internal control and explicitly states that internal
control cannot ensure achievement of objectives, and that it is not a panacea. The addition of a definition of
effective internal control, and clarification of the distinction between internal control and the management
process (discussed above), also address these concerns.

Roles and Responsibilities

Accountability of Management. Some respondents suggested that the report should be more specific
regarding management's accountability to the board of directors.

The report has been revised to state that management is responsible for the internal control system, and is
accountable to the board for establishing a system that provides reasonable assurance with respect to
achievement of the entity's objectives. The board, in turn, provides governance, guidance and oversight.

Boards of Directors and Audit Committees. Some respondents suggested that the report should recommend that
audit committees consist solely of outside directors because independence strengthens the committee's
effectiveness. Some respondents said that boards of directors should have a majority of outside directors as a
required condition of effective internal control; this is necessary to challenge management where necessary, and
to provide an objective view of management's integrity and ethical values.

It was agreed that the benefits of independent audit committees are a point worth making. As such, the final report
addresses recommendations and requirements regarding independent audit committees; it also speaks to their
usefulness and desirability, recognizing practical limitations for some companies. The final report makes clear
that an active board of directors is necessary for effective internal control (with the exception of entities —
usually smaller ones — that are owner-managed with no outside capital). Although a majority of independent
directors is not deemed essential, having a "critical mass" of outside directors is.

Large Company Versus Small

Some respondents commented that the exposure draft seemed to apply to only large entities and was not
practical for small and mid-size companies.

It was concluded that, although the report as set forth in the exposure draft was intended to apply to all
companies, particularly to those smaller companies needing guidance in evaluating and improving their internal
control systems, this was not sufficiently apparent. It was decided that additional discussion should be provided
on how the internal control concepts relate to small and mid-size entities, and the final report incorporates such a
discussion in each component chapter.

Reporting to External Parties

The exposure draft contained a chapter discussing the subject of management reporting on internal control to
external parties. Some respondents indicated that the subject should be addressed, some said it should not, and
some made other proposals.

Respondents opposed to a discussion of the subject argued that management reporting is outside the scope of
the study, the purpose of which is to develop an internal control framework. The study is an outgrowth of a
recommendation of the Treadway Commission, which recommended that its sponsoring organizations work
together to develop a common definition of internal control and to provide guidance on judging the effectiveness
of, and improving, internal control. As the exposure draft stated, management reporting is not a component of
internal control, and an entity need not report on its internal control system in order for it to have an effective
system. These respondents also said that management reporting is a significant public policy issue that should
be resolved in the appropriate legislative or regulatory forum.

Respondents in favor of a discussion of management reporting stated that management reporting is an issue of
importance to management and is directly linked to a report establishing an internal control framework. They
noted that many public companies issue management reports in their annual reports to shareholders, and
guidelines on reporting would be useful.

Some respondents suggested that the discussion of management reporting be put in an appendix or a separate
document. They indicated that although the discussion should not be part of the internal control framework, the
guidance should be provided to interested parties.

It was concluded that the discussion on management reporting should be separated from the main framework
document. Management reporting is not relevant to a definition of internal control or to determining internal
control effectiveness. However, because of the many companies issuing or contemplating issuing reports on
internal control, it was decided that presenting the discussion would provide useful guidance and might promote
more consistent and improved communication to readers. Accordingly, the discussion is presented in a separate
volume.

Other Considerations

Prudent Person Concept. In discussing limitations of internal control, the exposure draft discussed the notion
of the prudent person. Some respondents stated that, rather than addressing limitations, the discussion of the
prudent person, which is drawn from tort law, deals with determining legal liability and is not appropriate.

That discussion has been replaced with a discussion of the need to apply judgment in making internal control-
related decisions.

Form and Presentation. Respondents commented on the length, format, style and tone of the exposure draft,
and expressed a variety of views on how the report could be repackaged and streamlined.

It was concluded that the report should be reorganized and streamlined to accommodate these comments. The
exposure draft's "executive briefing" has been replaced by a shorter summary, included in this volume and
published separately. The exposure draft's chapter on management reporting to external parties, and the
evaluation tools, because they are supplemental to and not an integral part of the framework, are each issued in
separate volumes. Further, redundancies have been reduced and the report wording has been streamlined.

Bibliography. Some respondents proposed that a bibliography of reference material be provided, referring to
the articles and other publications considered in the literature search phase of the project.

It was decided that a bibliography of sources used in the literature search should not be included. The literature
search was but one of many sources of information used in developing the framework and, because the results
of one project phase served as input to and shaped the design of the next, there is no direct link from the
literature to the final report. Accordingly, it was concluded that it would not be useful, and indeed might be
misleading, to include a bibliography.

Glossary. Some respondents indicated it would be helpful to include a glossary of key terms used in the study.

It was agreed that this would promote a common understanding of key terms and facilitate communication of the
underlying concepts; accordingly, a glossary has been included.

Evaluation Tools. Some respondents said that the evaluation tools might be perceived as a standard for
conducting an evaluation of internal control effectiveness. They expressed concern that if management reporting
were to be mandated, regulators might expect these evaluation tools to supplant evaluation materials currently in
use in their organizations. Other respondents said the evaluation tools represented important guidance.

The tools were presented in the exposure draft with the intent to illustrate one technique, among many, that
might be used in whole or in part in an evaluation, or not at all. The final report more clearly communicates this
intent, emphasizing that the tools are included only as a guide to demonstrate one way to conduct an evaluation.
To further emphasize that the evaluation tools are not a direct part of the main framework document, they are
being issued in a separate volume. Emphasis was also added indicating that those entities using the tools
should tailor them for their individual needs.

Unwarranted Regulation. Some respondents expressed concern that the framework could lead to unwarranted
regulation, high implementation cost and increased liability. This is related to the concern about the breadth of
the definition of internal control and management reporting thereon.

As noted, the final report's definition differentiates the three internal control categories, and the report contains
additional supporting discussion of the distinction among them. In addition, the Reporting to External Parties
volume further discusses the distinction and explicitly provides guidance only on the second category, controls
over financial reporting.

--------------

The comment letters are available for public inspection at the library of the American Institute of Certified Public
Accountants, 1211 Avenue of the Americas, New York, NY 10036-8775.

Appendix E — Glossary of Selected Terms

Application Controls — Programmed procedures in application software, and related manual procedures,
designed to help ensure the completeness and accuracy of information processing. Examples include
computerized edit checks of input data, numerical sequence checks and manual procedures to follow up on
items listed in exception reports.

Category — One of three groupings of objectives of internal control, control activities or controls. The categories
are effectiveness and efficiency of operations, reliability of financial reporting, and compliance with applicable
laws and regulations. The categories overlap, so that a particular objective, for example, might fall into more
than one category.

Compliance — Having to do with conforming with laws and regulations applicable to an entity.

Component — One of five elements of internal control. The internal control components are the control
environment, risk assessment, control activities, information and communication, and monitoring.

Computer Controls — (1) Controls performed by computer, i.e., controls programmed into computer software
(contrast with Manual Controls). (2) Controls over computer processing of information, consisting of general
controls and application controls (both programmed and manual).

Control — (1) A noun, used as a subject, e.g., existence of a control - a policy or procedure that is part of
internal control. A control can exist within any of the five components. (2) A noun, used as an object, e.g., to
effect control - the result of policies and procedures designed to control; this result may or may not be effective
internal control. (3) A verb, e.g., to control - to regulate; to establish or implement a policy that effects control.

Criteria — A set of standards against which an internal control system can be measured in determining
effectiveness. The five internal control components, taken in the context of inherent limitations of internal control,
represent criteria for internal control effectiveness for each of the three control categories. For one category,
reliability of financial reporting, there is a more detailed criterion, the material weakness concept.

Deficiency — A perceived, potential or real internal control shortcoming, or an opportunity to strengthen the
internal control system to provide a greater likelihood that the entity's objectives are achieved.

Design — (1) Intent. As used in the definition of internal control, the internal control system design is intended to
provide reasonable assurance as to achievement of objectives; when the intent is realized, the system can be
deemed effective. (2) Plan; the way a system is supposed to work, contrasted with how it actually works.

Detective Control — A control designed to discover an unintended event or result (contrast with Preventive
Control).

Effected — Used with an internal control system: devised and maintained.

Effective Internal Control — Internal control can be judged effective in each of the three categories,
respectively, if the board of directors and management have reasonable assurance that:

• They understand the extent to which the entity's operations objectives are being achieved.
• Published financial statements are being prepared reliably.
• Applicable laws and regulations are being complied with.

This is a state or condition of internal control.

Effective Internal Control System — A synonym for Effective Internal Control.

Entity — An organization of any size established for a particular purpose. An entity may, for example, be a
business enterprise, not-for-profit organization, government body or academic institution. Other terms used as
synonyms include organization and enterprise.

Ethical Values — Moral values that enable a decision maker to determine an appropriate course of behavior;
these values should be based on what is "right," which may go beyond what is "legal."

Financial Reporting — Used with "objectives" or "controls": having to do with the reliability of published
financial statements.

General Controls — Policies and procedures that help ensure the continued, proper operation of computer
information systems. They include controls over data center operations, system software acquisition and
maintenance, access security and application system development and maintenance. General controls support
the functioning of programmed application controls. Other terms sometimes used to describe general controls
are general computer controls and information technology controls.

Inherent Limitations — Those limitations of all internal control systems. The limitations relate to the limits of
human judgment; resource constraints and the need to consider the cost of controls in relation to expected
benefits; the reality that breakdowns can occur; and the possibility of management override and collusion.

Integrity — The quality or state of being of sound moral principle; uprightness, honesty and sincerity; the desire
to do the right thing, to profess and live up to a set of values and expectations.

Internal Control — A process, effected by an entity's board of directors, management and other personnel,
designed to provide reasonable assurance regarding the achievement of objectives in the following categories:

• Effectiveness and efficiency of operations.
• Reliability of financial reporting.
• Compliance with applicable laws and regulations.

When an internal control system satisfies specified criteria, it can be deemed effective.

Internal Control System — A synonym for Internal Control.

Management Controls — Controls performed by one or more managers at any level in an organization.

Management Intervention — Management's actions to overrule prescribed policies or procedures for legitimate
purposes; management intervention is usually necessary to deal with non-recurring and non-standard
transactions or events that otherwise might be handled inappropriately by the system (contrast this term with
Management Override).

Management Override — Management's overruling of prescribed policies or procedures for illegitimate
purposes with the intent of personal gain or an enhanced presentation of an entity's financial condition or
compliance status (contrast this term with Management Intervention).

Management Process — The series of actions taken by management to run an entity. An internal control
system is a part of and integrated with the management process.

Manual Controls — Controls performed manually, not by computer (contrast with Computer Controls (1)).

Operations — Used with "objectives" or "controls": having to do with the effectiveness and efficiency of an
entity's operations, including performance and profitability goals, and safeguarding resources.

Policy — Management's dictate of what should be done to effect control. A policy serves as the basis for
procedures for its implementation.

Preventive Control — A control designed to avoid an unintended event or result (contrast with Detective
Control).

Procedure — An action that implements a policy.

Published Financial Statements — Financial statements, interim and condensed financial statements and
selected data derived from such statements, such as earnings releases, reported publicly.

Reasonable Assurance — The concept that internal control, no matter how well designed and operated, cannot
guarantee that an entity's objectives will be met. This is because of Inherent Limitations in all internal control
systems.

Reliability of Financial Reporting — Used in the context of published financial statements, reliability is
defined as the preparation of financial statements fairly presented in conformity with generally accepted (or other
relevant and appropriate) accounting principles and regulatory requirements for external purposes, within the
context of materiality. Supporting fair presentation are the five basic financial statement assertions: (1) existence
or occurrence, (2) completeness, (3) rights and obligations, (4) valuation or allocation, and (5) presentation and
disclosure. When applied to interim or condensed financial statements or selected data derived from such
statements, the factors representing fair presentation and the assertions apply only to the extent they are
relevant to the presentation.

Reportable Condition — An internal control deficiency related to financial reporting; it is a significant deficiency
in the design or operation of the internal control system, which could adversely affect the entity's ability to record,
process, summarize and report financial data consistent with the assertions of management in the financial
statements.

Footnotes

‡ Report, Conclusions, and Recommendations (The Commission on Auditors' Responsibilities, 1978).

‡ Statement of Management on Internal Accounting Control (SEC Release No. 34-15772, 1979).

‡ R.K. Mautz and J. Winjum, Criteria for Management Control Systems (New York: Financial Executives
Research Foundation, 1981).

‡ Statement on Auditing Standards No. 30, Reporting on Internal Accounting Control (New York: AICPA,
1980).

‡ Statement on Auditing Standards No. 43, Omnibus Statement on Auditing Standards (New York:
AICPA, 1982).

‡ Statement on Internal Auditing Standards No. 1, Control: Concepts and Responsibilities (Altamonte
Springs, FL: The Institute of Internal Auditors, Inc., 1983).

‡ Statement on Auditing Standards No. 48, The Effects of Computer Processing on the Examination of
Financial Statements (New York: AICPA, 1984).

‡ Report of the National Commission on Fraudulent Financial Reporting (National Commission on
Fraudulent Financial Reporting, 1987).

‡ Statement on Auditing Standards No. 55, Consideration of the Internal Control Structure in a Financial
Statement Audit (New York: AICPA, 1988). Currently, the Auditing Standards Board is in the process of
revising its standards on internal control reporting.

‡ Systems Auditability and Control (Altamonte Springs, FL: The Institute of Internal Auditors Research
Foundation, 1991).

‡ United States Sentencing Commission, Federal Sentencing Guidelines (Washington, DC, 1991).

‡ Webster's New Collegiate Dictionary (Springfield, MA: G. & C. Merriam Company, 1974).

‡ James R. Beniger, The Control Revolution (Cambridge, MA: Harvard University Press, 1986).

‡ Statement on Internal Auditing Standards No. 1, Control: Concepts and Responsibilities (Altamonte
Springs, FL: The Institute of Internal Auditors, Inc., 1983).

‡ Statement on Auditing Standards No. 55, Consideration of the Internal Control Structure in a Financial
Statement Audit (New York: AICPA, 1988), para. 6.

‡ Ibid.

Reporting to External Parties

Summary: Many public companies include management reports on internal control in their annual reports to
shareholders. Those reports address internal control over preparation of the entity's published financial
statements. Legislative and regulatory initiatives have also called for such reporting. The reporting guidelines
presented here suggest, where reports on internal control are issued, that they address the effectiveness of such
controls, and identify the criteria against which the system is measured and the date as of which management's
conclusion is made. Illustrative reports are presented.

Significant attention has been given to the subject of public reporting on internal control. Recommendations and
proposals have been put forth over the years by private and public sector bodies, and a number of companies
currently include a management report that addresses internal control in their annual shareholders' report.

The Cohen Commission, the Financial Executives Institute and the Treadway Commission are among the
private sector bodies that recommended management reporting on internal control. A federal law was recently
enacted that mandates management reporting by certain banks. Rules proposed by the SEC (not yet finalized)
and other legislation and rules continue to be considered.

About one public company in four includes in its annual shareholders' report‡ a management report discussing
some aspects of internal control. For Fortune 500 companies, the number is about 60%. As discussed below,
the content of these reports varies widely.

The vast majority of such management reports address internal control over preparation of published financial
statements. The aforementioned recommendations and proposals similarly deal exclusively with that subject.
Except as otherwise noted, this discussion focuses only on issues related to internal control over the preparation
of an entity's published financial statements.

Management reports often discuss matters in addition to internal control. Reports can discuss, for example,
management's responsibility for financial statements, use of estimates and judgments in their preparation,
responsibility of the independent public accountant in auditing the financial statements, changes in auditors, the
entity's social responsibilities and uncertainties the entity faces. Except as otherwise noted, the guidance in this
report addresses only management reporting on internal control.

The term "management report" traditionally has been used to mean an entity's report, signed by top
management officials on behalf of the entity. Because of its common usage, the term "management report" is
used in this discussion to mean such entity reports.

The purpose of this report is to provide guidance to entities that report or are considering reporting publicly on
their internal control systems. The merits of management reporting on internal control are being addressed by
public and private sector bodies with responsibility for or an interest in this issue. This report does not express a
position on the issue. Independent public accountants' involvement with public management reporting on internal
control is also being considered by various public and private sector bodies, and that, too, is an issue beyond the
scope of this report.

It should be recognized that public reporting on internal control is not a component of, or criterion for, effective
internal control. An entity can have an effective internal control system without making a public statement to that
effect. Although a management anticipating issuance of a report on internal control might look more closely at
the entity's system and initiate improvements to it, in the end internal control effectiveness is determined by the
adequacy of the system, not by what is said about it.

Scope of Report
A particularly important aspect of a management report on internal control is a statement about what is being
reported on. As discussed in the Framework volume of this report, the following basic definition of internal
control can encompass all of an entity's objectives:

Internal control is a process, effected by an entity's board of directors, management and other personnel,
designed to provide reasonable assurance regarding the achievement of objectives in the following
categories:

• Effectiveness and efficiency of operations.
• Reliability of financial reporting.
• Compliance with applicable laws and regulations.

Reports used exclusively within an entity may deal with internal controls related to any or all of those objectives.
But public management reports have almost always been confined to controls over preparation of the entity's
published financial statements. A definition of internal control consistent with this focus, drawn from the above
basic definition of internal control, is:

Internal control over the preparation of published financial statements is a process, effected by an entity's
board of directors, management and other personnel, designed to provide reasonable assurance regarding
the reliability of such financial statement preparation.

Internal control over the preparation of published financial statements can be judged effective if the entity's board
of directors and management have reasonable assurance that such financial statements are being prepared
reliably. "Published financial statements" in this definition relates to financial statements, interim and condensed
financial statements and selected data derived from such statements, such as earnings releases, reported
publicly. "Reliability" relates to preparation of financial statements that are "fairly presented" in conformity with
generally accepted or other relevant and appropriate accounting principles and regulatory requirements for
external purposes. The term "fair presentation" and underlying financial statement assertions are defined in the
Framework volume of this report. In considering whether internal control adequately addresses these objectives,
one looks to the five internal control components, within the context of the limitations inherent in all internal
control systems (discussed in the Framework volume) and the material weakness threshold (discussed later in
this volume).

Such reporting coincides with the needs of securityholders and other external parties who may look to internal
control reports for management's statements about the process by which it prepares published financial
statements. Focusing reports on controls over financial reporting puts an appropriate fence around internal
control reporting, recognizing limitations and the state of the art. If the scope of reporting is extended to
operations and compliance objectives, not only would efforts and related costs increase very substantially, but
other problems would be encountered. This is because evaluating and reporting on controls over financial
reporting are more well-developed disciplines.

Controls over Compliance with Laws and Regulations

An evolving area of management reporting on internal control is controls over compliance with laws and
regulations. Such reporting has been principally if not exclusively in the government arena. The Federal
Managers Financial Integrity Act requires reporting on compliance controls, but such reporting can be viewed as
intended essentially for internal "management," rather than for public users of financial reports.

In a different arena, the Federal Deposit Insurance Corporation Improvement Act of 1991 will soon require
certain banks to report on compliance with laws. Although the Act speaks to reporting on actual compliance,
future requirements on compliance might call for reporting on compliance controls. Indeed, focusing on the
control system would better address the underlying objective of preventing non-compliance. By reporting on
controls, management would focus more on systemic conditions and preventive actions, and less on attempting
to detect past instances of non-compliance.

If regulators ultimately call for management reporting on compliance controls, the Framework volume can be
used as relevant criteria. However, an appropriate threshold for measuring the severity of control deficiencies,
perhaps similar to the material weakness concept, would need to be identified. The material weakness concept,
applicable to reporting on controls over financial reporting, is not as relevant to compliance controls, for two
reasons. One is that it would be cumbersome to attempt to relate control weaknesses regarding, for instance,
worker or environmental safety, to financial statement materiality. The other is that regulators are not likely to
want to limit such reporting to a financial statement threshold. Accordingly, if public reporting on compliance
controls is to become viable, a reporting threshold will need to be developed.

Differentiating Control Categories

Because there is overlap among objectives, it can be difficult to determine which controls are within the scope of
a report dealing with controls over financial reporting. Despite this difficulty, it is important to set boundaries to
ensure that reasonable expectations of report users are matched with the reality of the report's scope.

Three categories of objectives — operations, financial reporting and compliance — are described in the
Framework volume and examples of each are presented. Additional guidelines for distinguishing financial
reporting controls from other controls are provided in the following paragraphs. For each component, examples
of financial reporting controls are presented. Also discussed are controls that, because they are directed
primarily to the operations or compliance objectives, would not ordinarily have to be considered in determining
whether the entity's internal control system provided reasonable assurance that its financial reporting objectives
are being achieved.

In considering the following paragraphs, two concepts should be kept in mind:

• First, in most internal control systems, controls often serve to accomplish more than one objective. Frequently,
controls established primarily to accomplish operations or compliance objectives may also accomplish financial
reporting objectives. In those instances, where traditional financial reporting controls are not present,
management may be able to look to other controls that serve the same purpose. Those latter controls may be
"pulled" into the scope of the management report.
• Second, controls directed at operations or compliance may deal with events, transactions or other occurrences
that must be reported in the entity's financial statements. This does not mean that operations and compliance
controls fall within the scope of the management report. Rather, results of the activities subject to those other
controls must be properly reflected in the financial statements.

Control Environment

The Framework volume identifies seven factors that should be part of the control environment. An evaluation of
the extent to which an entity's control environment enhances its financial reporting objectives would likely focus
on certain aspects of those factors.

Integrity and Ethical Values. Indications of lack of integrity or ethical values in any endeavors of top
management — be it executive, operating or financial management — cast a pall over the reliability of the
financial reporting process. It is difficult, if not impossible, to draw a clear distinction between aspects of integrity
and ethical values that are related to financial reporting and those that are not. Questions on integrity or ethics of
an entity's personnel should, at a minimum, trigger concern as to whether or not such shortcomings are likely to
affect the reliability of financial reporting.

Areas that relate directly to reliability of financial statement preparation include the following:

• Management's attitude toward bypassing established control procedures aimed principally at achieving financial
reporting objectives.
• Management's interactions with internal and external auditors and outside counsel on financial reporting
matters, such as the extent to which management provides full disclosure of information on matters that may
have an adverse impact on the financial statements.
• Management's integrity in preparing financial statements (addressed further under "Management's Philosophy
and Operating Style").

Commitment to Competence. Reliability of an enterprise's financial statements can be compromised if
incompetent or unassertive people are involved in the financial reporting process. Directly affecting reliability of
financial statements are the knowledge and skills of personnel involved in the preparation process relative to the
nature and scope of operating and financial reporting issues, and whether such knowledge and skills are
sufficient to properly account for any new activities, products and services, or existing ones in the face of
downsizing.

Management's Philosophy and Operating Style. The delegation of authority for financial reporting is important
in achieving the entity's financial reporting objectives, in particular for making the accounting judgments and
estimates that enter into financial reporting. Related issues include reasonableness of accounting policies and
estimates in connection with preparation of financial statements, especially whether management's estimates
and policies are conservative or aggressive (that is, on the boundary of "reasonableness"). Deficiencies in this
area should be considered for inclusion in management's report on internal control. On the other hand, whether
or not management is risk averse in entering new markets may affect the entity's operations objectives, but
would generally not affect financial reporting.

Management's attitude toward financial reporting also affects the entity's ability to achieve its financial reporting
objectives. For example, the way management views the accounting function, and the authority assigned to it —
without unwarranted interference in obtaining relevant facts and reaching proper conclusions — can have a
significant impact on achieving financial reporting objectives. Are accounting personnel viewed as an important
vehicle for exercising control? Do divisional accounting personnel also have reporting responsibilities to
corporate management? Does corporate or senior operating management apply unreasonable pressure for
favorable reports?

Organizational Structure. Aspects of an entity's organizational structure that are specifically related to financial
reporting objectives include factors related to accounting personnel, such as:

• Appropriateness of reporting lines;
• Adequacy of staffing and experience levels;
• Clarity of delegation of authority and duties;
• Extent to which the organizational structure allows accounting personnel to interact with other departments and
activities in the organization, to have access to key data and to properly account for resulting conclusions.

If control functions important to financial reporting are performed by non-accounting personnel — such as by
production personnel who reconcile reported and on-hand work-in-process inventories or analyze cost variances
for financial reporting purposes — they may also be relevant to a report on internal control. However, non-
accounting aspects of the organizational structure, such as the organization and responsibilities of the entity's
marketing department or its office of general counsel, are normally relevant only to achieving operations and
compliance objectives.

Assignment of Authority and Responsibility. Deficiencies in the way that authority and responsibility are
assigned to employees in accounting, custodial and asset management functions may affect the entity's ability to
achieve its financial reporting objectives. Such deficiencies, therefore, should usually be considered in reporting
on internal control. Matters to consider include the adequacy of the work force and whether employees are
deployed to promote segregation of incompatible duties. Assignment of authority and responsibility to employees
in other areas — such as in the sales function — is generally aimed at achieving operations rather than financial
reporting objectives.

Human Resource Policies and Practices. Personnel policies and procedures usually are operations oriented.
However, an entity's ability to achieve its financial reporting objectives may reflect its recruiting, training,
promotion, retention and compensation policies and procedures insofar as they affect performance of accounting
personnel and employees outside of the accounting function who administer controls over financial reporting.
Where such performance is critical to effective controls over financial reporting, potential weaknesses in human
resource policies and practices should be considered.

Board of Directors or Audit Committee. Key aspects of the control environment are the composition of the
board and its audit committee and how its members fulfill responsibilities related to the financial reporting
process. Of particular interest for controls over financial reporting is the involvement of the board or audit
committee in overseeing the financial reporting process, including assessing the reasonableness of
management's accounting judgments and estimates and reviewing key filings with regulatory agencies. Other
committees of the board often are not a key part of controls over financial reporting.

Risk Assessment and Control Activities

Within the context of the control environment and entity-wide objectives, management establishes activity-level
objectives and mechanisms for identifying and analyzing risks related to their achievement, and develops the
necessary actions and control activities to address those risks. These components of the internal control system
— risk assessment and control activities — are considered here together.

Generally within the scope of a management report on internal control are risks associated with achievement of
objectives related to preparation of "fairly presented" financial statements, and the five financial statement
assertions, along with control activities to ensure actions directed at satisfying those objectives are carried out.
For the most part, recognizing those financial reporting-related objectives, risks and control activities is relatively
straightforward.

A control is within the report scope if it is important to satisfying requirements for fair presentation, or financial
statement assertions. If not, it is outside the scope. Consideration also must be given to concepts discussed
earlier dealing with controls serving more than one objective, and the distinction between controls over
operations and compliance activities and controls over properly reporting results of those activities in financial
statements.

To illustrate, consider an operations objective that vendors supply quality materials that meet the entity's
engineering specifications. Associated risks include customer dissatisfaction with the entity's product, failure to
meet product sales targets, unworkable or unnecessarily costly production processes, and substantial recall,
rework or warranty costs. This objective, and related risk assessments, action plans and control activities, are
operations-oriented and outside the scope of the management report. Although there are financial reporting
implications — since resulting defective materials may require inventory write-downs and may affect
management's estimate of warranty reserves — traditional financial reporting controls will usually be in place to
capture the information needed to reflect these risks for financial reporting purposes. If that is not the case,
management should focus on the operations-oriented controls in determining whether the financial reporting
objectives are being satisfied. Only in that circumstance would those controls be brought within the management
report's scope.

As another example, an entity's operations objective of achieving specified sales and profit goals is affected by a
new competitor entering the company's market. This also has financial reporting implications — the possible
need to write inventory down to its net realizable value as a result of impending mark-downs. But controls related
to achievement of this objective would fall outside the report's scope, so long as controls effected by personnel
with financial reporting responsibility are in place to identify the effect on selling price of the company's product.

Information and Communication

The information and communication component of internal control requires that relevant information be
identified, captured, processed and communicated throughout the organization. Some of those messages are
relevant to achieving the entity's financial reporting objectives. Examples of information and communications that
enable the organization to achieve its financial reporting objectives are downstream communication of standards
of ethical conduct and sending monthly statements to customers, with related follow-through on reported
discrepancies.

Many aspects of information and communication systems address operations and compliance objectives, and
are generally outside the scope of a report on internal control. An example is capturing data from sales
personnel about potential product improvements to meet customers' future needs and communicating that data
to engineering and production personnel. Other examples are procedures for receiving and responding to
customer complaints about product defects and sending and following through on complaints to vendors about
defects in purchased materials. In each of these cases, the control is instituted to achieve operations objectives,
not financial reporting objectives.

Although communications in the latter two examples may contain information of financial reporting significance
— namely, information helpful in valuing receivables and inventory and establishing liabilities — an organization
would ordinarily have a mechanism within the accounting function for identifying the need to make the necessary
adjustments to those accounts for financial reporting purposes. If that were not the case, appropriate follow-
through on the customer and vendor communications could serve as an alternative means of achieving the
entity's financial reporting objectives in the areas noted and could be incorporated within the scope of a
management report.

Monitoring

Ongoing monitoring activities address effectiveness of the other internal control components in achieving
financial reporting objectives, for example:

• Monitoring the accuracy and completeness of inventory balances by accounting personnel in connection with
monthly inventory cycle count procedures.
• Monitoring accounts receivable valuation by the credit manager through his or her monthly communications with
customers whose account balances are past due.
• Monitoring recorded accounts payable by purchasing department personnel in connection with their dealings
with vendors.

These types of ongoing monitoring procedures, or procedures serving similar purposes performed in conjunction
with separate evaluations, usually fall within the scope of a management report.

Many monitoring activities address controls over operations and compliance objectives, and those activities are
generally outside the scope of a report on internal control. As an example, management may regularly review
operating reports to monitor production and sales. In each case, the primary purpose of the monitoring control is
to help the entity achieve its operations objectives, not its financial reporting objectives. Nonetheless, as
discussed above, in performing those operations-oriented controls, the reviewer may be in a position to identify
inaccurate or incomplete financial data. If so, and if the traditional types of financial reporting monitoring controls
were not present, these operations and compliance-oriented controls could be "pulled" into the scope of the
management report.

Management's use of findings of internal and external auditors will fall within or outside the management report's
scope depending on the nature of the activities and related controls to which the findings relate.

Timeframe
Reports can pertain to internal control during a period of time or as of a point in time. For example, management
may report on internal control for an entire year (period of time) or as of one day during the year (point in time).
The timeframe is significant in two respects: It affects the assessment process and the disclosure of deficiencies
identified and corrected during the period.

When management reports on controls for a period of time, its evaluation process usually will be considerably
more extensive than when it reports as of a specific date. When the report is as of a point in time — year end, for
example‡ — the evaluation can be narrowed to focus solely on the effectiveness of controls in place on that
date.‡ On the other hand, a report covering an entire year will require an assessment on effectiveness of the
control system for the entire timeframe, a much more extensive process.

With regard to disclosure of deficiencies, when a report is as of a point in time, management often will have had
an opportunity to correct a deficiency identified earlier in the period. In such instances, management would be in
a position to report the existence of an effective internal control system as of the point in time. On the other
hand, if the report were to cover a period of time, such as an entire year, the existence of a significant deficiency
for any meaningful time during the year might bar management from stating that the internal control system was
effective during the full-year period covered by the report.

Reporting either for a period of time or at a point in time, such as an entity's year end, should meet the needs of
securityholders and other report users. Point-in-time reporting is, however, likely to be considered the preferred
alternative. It provides an environment more conducive to identification and correction of deficiencies. Internal
control systems and conditions they address are continually changing, and it is important to understand that
deficiencies are likely to arise from time to time. Point-in-time reporting provides a constructive focus, where
management can focus primary attention on fixing problems on a timely basis, rather than on disclosing
deficiencies that were identified during the year and promptly corrected.

Annual/Interim Reporting

Although many of the same controls apply to both the annual and interim (e.g., quarterly) financial reporting
processes, different controls may be applied.‡ Accordingly, for a management report that addresses internal
control as of a point in time, such as year end,‡ a question arises as to whether the report covers only the
annual reporting process, or the interim reporting process as well.

Because the management report deals with internal control over preparation of all of an entity's published
financial statements, it is appropriate that it address controls over interim as well as annual reporting. It must be
recognized, however, that the report covers the state of internal control over the annual and interim reporting
processes as of a point in time, such as year end.

Accordingly, this does not mean that internal control over interim reporting necessarily was effective at the end
of each interim period. For example, management might have been aware of deficiencies in controls over interim
reporting existing during the year, but if management corrected those deficiencies before year end and
determined that the corrections were effective, it could report that the system at year end was effective.

Notwithstanding that control weaknesses identified and corrected before year end need not be reported, there
are circumstances where management may find it beneficial to report them. Where, for example, a control
weakness existed giving rise to the issuance of interim financial statements later requiring correction, report
users might not immediately recognize why a management report would state that the internal control system
was effective. In such circumstances, management might wish to use the management report as a vehicle to
discuss the weakness, stating that it was identified and corrected before year end.

Future Periods

A question arises as to the degree of comfort readers can draw from internal control reports regarding future
effectiveness of systems. From a very practical standpoint, securityholders or others reading a company's most
recent annual report that includes a management report on the company's controls and audited financial
statements (both as of the end of the past year), will probably be looking at the controls report more from the
standpoint of conclusions to be drawn regarding the state of control in the next year than in the past year.

What, then, can be assumed with respect to periods after the date covered by a report on internal control? In
many cases, readers might justifiably assume that an internal control system that was effective at the end of one
year will continue to be effective into the next. The existence of mechanisms to manage changing conditions,
and ongoing monitoring procedures, provide some basis to expect that the system will continue to be effective.

A realistic question, however, is: "For how long?" If management were to communicate to report readers, for
example, that it continues to review the entity's change managing and monitoring controls, and it believes the
system continues to be effective, then report readers would have a basis for making conclusions on continuing
system effectiveness. Without such a communication, however, report readers wouldn't know whether internal
changes occurred that affected critical control mechanisms.

Accordingly, although it would be unusual for a control system effective one day to immediately become
ineffective the next, assumptions about continuing effectiveness usually become less valid as time passes. In
the end, to have comfort with respect to the effectiveness of internal control at a particular point in time, a current
report is needed.

Report Content
As noted, many companies currently include management reports covering internal control in their annual
reports to shareholders. The following paragraphs address the contents of these reports. The next section, "New
Report Guidelines," contains suggestions for reports that would be consistent with the criteria of this study.

Statement of Management's Responsibility

Published management reports on internal control have followed one of two broad approaches to discussing
management's responsibilities. Under one approach, management acknowledges its responsibilities for internal
control, sometimes addressing one or more specific matters, but stops short of explicitly stating that
management has fulfilled particular responsibilities. The report might state, for example, that management is
responsible for devising and maintaining a system of internal control that has specified characteristics or
objectives. It might say that the internal control system was established, or designed, to achieve certain
objectives.

In the other approach, management states its belief as to whether it has fulfilled specific responsibilities. For
example, the report might state that management has established and maintains a system of internal control that
provides reasonable assurance that certain actions are taken or objectives are met. Or, management might
address the effectiveness or the adequacy of the entity's internal control system.

These approaches are different in that one recognizes particular responsibilities for internal control while the
other addresses whether those responsibilities have been met.

Discussion of Specific Elements

A discussion of specific elements of the entity's internal control system has been suggested in recommendations
put forth by various individuals and groups. Specific areas addressed in reports published to date vary, but the
focus generally is on some or all of the following items‡:

• Audit Committee — The composition and role of the entity's audit committee is frequently a part of the
discussion of internal control. This discussion may emphasize the audit committee's role and describe its duties.
• Establishing and Communicating Written Policies — Some published reports contain a statement that
management has established written internal control policies and procedures consistent with the objectives of
internal control. Reports often state that management regularly communicates these policies and procedures to
employees.
• Organizational Relationships — Published reports sometimes recognize the significance of the delegation of
authority and segregation of responsibility to effective internal control. This recognition might be given through a
statement that the internal control system provides for appropriate reporting relationships and division of
responsibility.

• Personnel — Published reports sometimes address the careful selection and training of personnel and may also
mention recruiting and development. The statements are made with respect to personnel or staff in general, or
to financial and operating personnel or managers in particular.
• Code of Conduct — A number of published reports discuss an entity's code of conduct. The discussion may
encompass communication of the code's provisions; the major subjects addressed in the code (such as open
communication within the entity, potential conflicts of interest, compliance with domestic and foreign laws,
adherence to ethical standards and protecting the confidentiality of the entity's proprietary information); and
existence of a systematic program to assess compliance with the code.
• Program of Internal Auditing — Many reports refer to the entity's program of internal auditing. These references
usually are limited to a statement that the entity maintains an effective (or strong or comprehensive) internal
auditing program that independently assesses the effectiveness of the internal control system and recommends
potential improvements in it.

Inherent Limitations of Internal Control

It is well established that no internal control system can guarantee reliable financial reporting. With few
exceptions, reporting guidelines suggested by others and published reports include language to remind report
readers of this limitation.

The emphasis on inherent limitations varies from a simple mention of reasonable assurance to a one- or two-
sentence discussion of cost-benefit considerations and the need for judgment by management in evaluating
internal control. A decision about the extent of discussion devoted to inherent limitations of internal control needs
to be weighed against the possibility that it could overburden the report with negative or defensive language.

Management's Response to Deficiencies

Management may be informed of internal control deficiencies from numerous sources including internal auditors,
independent auditors or regulators. Some individuals or groups have suggested that a management report on
internal control should explicitly state when management has been informed of deficiencies, and describe what
the deficiency is, together with an indication of whether management has responded to or corrected such
deficiencies. Published management reports on internal control, however, typically do not do this.

There are arguments on both sides of this issue. Such reporting does affirm that the channels for communicating
deficiencies to management are functioning and thereby helps improve the effectiveness of internal control.
Also, it notifies report readers that management has considered the deficiencies and responded to them.

On the other hand, reporting these deficiencies may raise questions about how their effect should be considered
in the context of the entire report. That is, if management has stated that it believes its internal control system is
effective, report readers might be confused as to whether the reporting of corrected deficiencies is intended to
qualify management's belief or has been considered in forming its opinion. Or, identifying these deficiencies in
the report might cause report readers to second-guess management's overall assessment of internal control or
question the appropriateness of its actions in dealing with the deficiencies. All in all, the arguments against
reporting corrected deficiencies outweigh those for it.

Some management reports state that the internal control system is subject to continuous review resulting in
recommendations for improvement, and that management takes appropriate corrective action. Such discussion
communicates that the system includes a process for identifying deficiencies and reacting to them.

Signatures

Who signs the management report on internal control may initially appear to be simply an administrative issue,
but it has important implications. Current practice finds reports typically signed by the chief executive officer, who
might also serve as chairman of the board of directors, along with the chief financial officer or chief accounting
officer.

This practice is appropriate, because the chief executive must have "ownership" of the control system. That
individual's signature publicly acknowledges such responsibility. And because the report focuses on financial
reporting controls, it is similarly appropriate for the person directly responsible for that function also to sign the
report. This practice is consistent with recommendations and proposals of private and public sector bodies.

New Report Guidelines


As seen in the preceding section, the contents of internal control reports have varied considerably. This has
been due in part to the absence of a generally accepted definition of internal control, criteria for effectiveness
and reporting guidelines.

This study's report presents a definition, criteria and guidelines. Their use as a foundation for management
reporting on internal control will enable report issuers and readers to have a common understanding of what is
being communicated.

A fundamental issue, as discussed earlier under "Statement of Management's Responsibility," is whether the
management report speaks only to what management is responsible for or perhaps what the internal control
system is designed to do, or whether it also speaks to internal control system effectiveness. There are several
reasons why reporting on effectiveness is most appropriate:

• The Treadway Commission report states that management should report on the effectiveness of the company's
internal controls. The Treadway report explains that the investing public has a legitimate interest, not only in the
extent of management's responsibilities for internal control, but also in the means by which management
discharges its responsibilities.

• A statement on management's responsibilities or the design of the internal control system is much less
substantive than reporting on effectiveness, and might mislead readers who do not recognize the subtle
distinction in wording. Such reporting may in fact be one reason for the so-called expectation gap.
• One might think that reporting only on management's responsibilities or system design, without any reference to
effectiveness, would alleviate liability concerns in the event the financial statements were subsequently found to
contain a material misstatement. However, reporting on system effectiveness already carries the requisite
caveats and protections, through recognition of the reasonable assurance concept and the limitations inherent in
all internal control systems. Reporting that the internal control system is effective is not saying that there cannot
be a material misstatement in published financial statements.

The following reporting guidelines, which include the concept of reporting on internal control system
effectiveness, are consistent with the thrust of the Treadway recommendations, and should be followed by
entities that want to adhere to Treadway. Management report content should include:

• The category of controls being addressed (controls over the preparation of the entity's published financial
statements).
• A statement about the inherent limitations of internal control systems.
• A statement about the existence of mechanisms for system monitoring and responding to identified control
deficiencies.
• A frame of reference for reporting - that is, identification of the criteria against which the internal control system
is measured.‡
• A conclusion on the effectiveness of the internal control system. If one or more material weaknesses exist,‡
which would preclude a statement that the criteria for system effectiveness are met, a description of the material
weaknesses should be included.
• The date as of which (or the period for which) the conclusion is made.
• The names of the report signers.

Terminology used in the report should be consistent with the standard against which the system is measured. If
this study's criteria serve as such standard, the report wording should be consistent with the terms and concepts
herein. Consistent use of terminology is essential for meaningful communication and helps to avoid
misunderstandings.

While consistency in reporting enhances communication, there is no need for total uniformity, or "boilerplate"
language. Managements may want to emphasize different matters, or may simply have a desired reporting style.
It is anticipated that management reports issued using the guidelines suggested in this report will evolve over
time, as managements experiment with different approaches.

An illustrative report that conforms to these guidelines and uses the criteria contained in this report is as follows:
XYZ Company maintains a system of internal control over financial reporting, which is designed to provide
reasonable assurance to the Company's management and board of directors regarding the preparation of
reliable published financial statements. The system contains self-monitoring mechanisms, and actions are
taken to correct deficiencies as they are identified. Even an effective internal control system, no matter how
well designed, has inherent limitations — including the possibility of the circumvention or overriding of
controls — and therefore can provide only reasonable assurance with respect to financial statement
preparation. Further, because of changes in conditions, internal control system effectiveness may vary over
time.

The Company assessed its internal control system as of December 31, 19XX in relation to criteria for
effective internal control over financial reporting described in "Internal Control — Integrated Framework"
issued by the Committee of Sponsoring Organizations of the Treadway Commission. Based on this
assessment, the Company believes that, as of December 31, 19XX, its system of internal control over
financial reporting met those criteria.

XYZ Company

by ___________________________________

Signature (CEO)

_______________ by ___________________________________

Date Signature (CFO/Chief Accounting Officer)

The wording of this illustrative report is provided as a guide, which may be particularly useful to managements
with little or no experience with reporting on internal control. The illustrative report's wording is not intended as
an absolute standard — managements may modify or expand on its contents. For example, management might
provide more information on certain components of its system, such as the control environment — perhaps
discussing the role of the board of directors and audit committee. Or management may discuss monitoring,
perhaps speaking to the role of the internal audit function.

If matters other than internal control are addressed in a management report covering internal control, they
should not be presented in a manner that might confuse readers regarding the discussion and conclusions on
internal control. Discussed separately should be such matters as management's responsibility for preparing the
financial statements, the use of estimates and judgments in their preparation and the responsibility of the
independent public accountant in auditing the financial statements. Such matters might be addressed under a
separate heading within the management report. In any event, the paragraphs describing the assessment of
internal control and the conclusion on the effectiveness of the system should be presented together.

Management should consider reviewing report wording with legal counsel. Such a review could help ensure that
the report wording does not undermine the requisite caveats and protections intended to be embodied in
reporting on system effectiveness. It may be particularly useful to obtain the advice of legal counsel when
considering how to disclose a material weakness.

An illustrative report that both provides more information about certain components of the enterprise's system of
internal control and addresses matters in addition to internal control is presented below. Certain other wording
differs slightly from that used in the preceding report to emphasize that, as stated above, complete uniformity in
reporting is not necessary.

Financial Statements

XYZ Company is responsible for the preparation, integrity and fair presentation of its published financial
statements. The financial statements, presented on pages xx to yy, have been prepared in accordance with
generally accepted accounting principles and, as such, include amounts based on judgments and estimates
made by management. The Company also prepared the other information included in the annual report and
is responsible for its accuracy and consistency with the financial statements.

The financial statements have been audited by the independent accounting firm, ABC & Co., which was
given unrestricted access to all financial records and related data, including minutes of all meetings of
stockholders, the board of directors and committees of the board. The Company believes that all
representations made to the independent auditors during their audit were valid and appropriate. ABC & Co.'s
audit report is presented on page ww.

Internal Control System

The Company maintains a system of internal control over financial reporting, which is designed to provide
reasonable assurance to the Company's management and board of directors regarding the preparation of
reliable published financial statements. The system includes a documented organizational structure and
division of responsibility, established policies and procedures including a code of conduct to foster a strong
ethical climate, which are communicated throughout the Company, and the careful selection, training and
development of our people. Internal auditors monitor the operation of the internal control system and report
findings and recommendations to management and the board of directors, and corrective actions are taken to
address control deficiencies and other opportunities for improving the system as they are identified. The
board, operating through its audit committee, which is composed entirely of directors who are not officers or
employees of the Company, provides oversight to the financial reporting process.

There are inherent limitations in the effectiveness of any system of internal control, including the possibility of
human error and the circumvention or overriding of controls. Accordingly, even an effective internal control
system can provide only reasonable assurance with respect to financial statement preparation. Furthermore,
the effectiveness of an internal control system can change with circumstances.

The Company assessed its internal control system as of December 31, 19XX in relation to criteria for
effective internal control over financial reporting described in "Internal Control — Integrated Framework"
issued by the Committee of Sponsoring Organizations of the Treadway Commission. Based on its
assessment, the Company believes that, as of December 31, 19XX, its system of internal control over
financial reporting met those criteria.

Where a material weakness exists at year end, the last sentence illustrated above might be modified along the
following lines:

Based on its assessment, except for the matter noted below the Company believes that, as of December 31,
19XX, its system of internal control over financial reporting met those criteria. During 19XX, the Company
established new warranty terms for certain products, but did not have the necessary engineering expertise at
year end to calculate the related liability accurately. That expertise has since been acquired, and has been
applied in calculating the liability represented in the December 31, 19XX financial statements.

Material Weaknesses
Because the management report contains a conclusion on the effectiveness of the entity's internal control
system, the question arises as to whether any deficiencies exist that are so serious as to preclude such a
statement.

The concept of internal control effectiveness has, in various writings, been associated with the term "material
weakness." Coming from the independent public accounting literature, "material weakness" is put forth in
relation to an entity's financial reporting objectives, and is defined as a condition in which:

… the design or operation of the specific internal control structure elements do not reduce to a relatively low
level the risk that errors or irregularities in amounts that would be material to the financial statements being
audited may occur and not be detected within a timely period by employees in the normal course of
performing their assigned functions.

Material weakness, thus, includes several concepts: level of risk (which relates to reasonable assurance),
materiality in relation to the entity's financial statements, and timeliness of the detection of errors or irregularities.

The material weakness concept establishes boundaries around the concept of effectiveness - the threshold of
seriousness against which deficiencies are measured. It has probably been used more frequently than any other
term as a measure of effectiveness. It is the threshold that should be used for public reporting: The existence of
a material weakness precludes the entity from expressing its belief that an effective system of internal control
exists.

Another threshold for deficiencies is "reportable conditions," which are "significant deficiencies in the design or
operation of the internal control structure, which could adversely affect the organization's ability to record,
process, summarize and report financial data consistent with the assertions of management in the financial
statements."

This threshold — lower than that of material weaknesses — was developed by independent public accountants
for reporting matters identified during an audit to the entity's audit committee. It was not intended to serve, and
many observers believe it does not serve, as a yardstick for determining whether or not an internal control
system is "effective." Those observers point to the different intent of the concept, and note that the need to
report a finding to an entity's audit committee does not necessarily mean that the internal control system is
ineffective.

This hierarchy of reporting thresholds is consistent with the concepts introduced in the Framework volume
(Chapter 6, under "Reporting Directives"). Matters to be reported can be defined in the context of the needs of
the different parties. Management and the board of directors or audit committee need to be apprised of matters
defined as reportable conditions, whereas investors, creditors and other report readers should be informed of the
existence of any material weaknesses. It is those internal control deficiencies that would justifiably affect
investors' views of the entity's ability to produce reliable financial statements.

Although the material weakness threshold is the relevant one for public reporting on internal control, the reader
should not expect an easy answer to the question, "How do I know a material weakness when I see one?"
Unfortunately, the process of making that determination cannot be expressed in only quantitative terms.
Considerable judgment is needed that takes into account all of the facts and circumstances in a particular case.
The concepts of both materiality and material weakness have long been debated. While the discussion here will
not end the debate, it may provide some additional guidance.

Because of its importance, the material weakness concept should be studied by the appropriate bodies as a
basis for providing additional guidance on its application. In the meantime, the following paragraphs provide
some guidance for identifying material weaknesses.

Relating Deficiencies to Financial Statement Assertions

The definition of material weakness embraces the concept of the level of risk of errors or irregularities occurring
and not being detected in timely fashion. The term "errors and irregularities" in the definition provides a link to
the entity's financial statements and, as such, the basic financial reporting objectives — namely, the concept of
fair presentation and the five assertions that underlie an entity's financial statements.

In considering whether the entity's financial reporting objectives are achieved, findings in each of the five
components of internal control should be considered for the relevant assertions related to material accounts.
Deficiencies in some of the components of internal control may relate not to just one or a few financial statement
assertions and accounts; their effects could be pervasive. For example, a conclusion that top management lacks
integrity may call into question the reliability of every assertion for every account. The possible financial

statement effects of other deficiencies, however, can often be pinpointed more precisely. For example, control
deficiencies associated with communications from customers may raise questions about the adequacy of the
allowances for uncollectible receivables and defective inventory. Those deficiencies, by themselves, would not
call into question the carrying value of other assets.

The Significance of Specific Deficiencies

As used in this study, the term "deficiency" refers to a perceived, potential or real internal control shortcoming, or
an opportunity to strengthen the system to provide a greater likelihood that the entity's objectives are achieved.
Not every shortcoming is a material weakness. For one thing, other controls may be in place that accomplish the
same objective. When a deficiency is noted, the evaluator should look for control strengths in the same or other
components that will help to achieve the particular financial reporting objective affected by the deficiency.

For example, in considering control related to management's estimate of the allowance for uncollectible
accounts, management reviews of operating data, such as the number of days sales in accounts receivable,
could serve the same purpose as another control, such as follow-through on customer complaints. Both the
management reviews and the follow-through are desirable procedures. But the former alone might focus
sufficient attention on the adequacy of the allowance for uncollectible accounts and keep the absence of
adequacy in the follow-through from being a material weakness. To cite another alternative, if the entity institutes
special year end reviews of the collectibility of receivables that include following up on long-outstanding
accounts, that action might also enable management to assert that it had adequate controls to ensure the proper
valuation of accounts receivable. Management may consider controls that are present anywhere in the system in
forming a conclusion as to whether the entity's system, taken as a whole, is appropriately designed and
operating to achieve each specific financial reporting objective.

Quantitative Materiality Considerations

Once a weakness in financial reporting controls has been identified, the materiality of the possible
misstatements in relation to the entity's financial statements must be considered before a conclusion is reached
as to whether the control deficiency is a material weakness. The public accounting literature provides some
guidance in making these judgments.‡ While this guidance was written for auditors, it may be relevant to
management as well.

To the extent applicable to current conditions, knowledge of past errors that were not prevented or detected by
the system of internal control may be helpful in judging the amounts and likelihood of future possible
misstatements. But a word of caution is necessary. Just because a material misstatement has occurred or may
later occur does not necessarily mean that a material weakness existed in the past or exists today. Concepts of
the limitations of internal control systems — application of human judgment, costs versus benefits, management
override, collusion and the unavoidability of breakdowns — are all relevant to a discussion of whether actual
known misstatements can be traced to a material weakness in the internal control system.
Notwithstanding that the cost-benefit concept should be considered in determining whether a deficiency is a
material weakness, this concept by itself may not be the overriding factor. If, for example, a particular control is
absolutely essential to reduce the risk of material misstatement to a relatively low level (the definition of material
weakness), then even if the cost of such a control is high, its absence would constitute a material weakness. It
must be recognized, however, that "relatively low level" necessarily requires the application of business
judgment, which may bring in cost as one relevant factor.

Tailoring the Judgment

The factors discussed above suggest that deciding whether an internal control deficiency is a material weakness
requires both a detailed understanding of the relevant facts and circumstances, and a considerable amount of
judgment. Accordingly, a judgment that a material weakness exists cannot be made in the abstract. A particular
situation may be deemed a material weakness for one entity but not for another, depending on the industry, the
products or services being produced or the presence of other controls, to name just a few reasons. Because of
differences in control systems established to achieve financial reporting objectives and facts and circumstances
related to a particular situation for an entity, examples may be the best way to illustrate how management can
know a material weakness when it sees it. Several such examples are presented to illustrate the thought
process one might go through.

• Formal codes of corporate conduct can be an important part of the control environment component of internal
control. Issue: How should an evaluator of an internal control system view the absence of a formal code of
conduct? In a large entity the absence of a code would be conspicuous, and the evaluator might lean toward
viewing that as a material weakness. The evaluator might lean even further in that direction if unethical behavior
were to expose the entity to greater than average risk that unrecorded liabilities or unrecoverable assets might
make the organization's financial statements misleading. For example, this might be the case if a government
contractor fraudulently charged costs to a contract. An entity could, however, accomplish objectives similar to
those of a written code of conduct in a less formal manner. One way is by periodic meetings of top management
and employees at which acceptable and unacceptable behavior is discussed. If the evaluator believed that those
meetings were effective, he or she might conclude that the absence of a formal code of conduct did not create
an unacceptable risk of material errors or irregularities. That conclusion would be even more appropriate if
reliability of the entity's financial statements were less at risk from occurrence of an act that would ordinarily be
prohibited in a formal code of conduct.
• Lack of integrity on the part of management could have such pervasive effects on the financial statements that it
could well constitute a material weakness. However, not all unethical acts are alike or have the same impact on
the financial reporting process. For example, making "bill and hold" arrangements (designed to inflate reported
revenues) would usually evidence a "higher order" lack of integrity than using a company car for personal
purposes. Both acts evidence less than total integrity but the former seems, at least on the surface, to be more
egregious than the latter, and would have more direct and significant implications for the reliability of the entity's
financial statements. Similarly, unethical behavior by a lower level manager is less consequential in reaching a
conclusion about the ability of the entity's internal control system to generate reliable financial statements than is
such behavior by the chief executive or by management generally.
• As another example, assume that a high technology company's contracts with customers provide for an
extended warranty period for its products. Employees who provide service to customers or are otherwise aware
of customer problems with the product are required to communicate their knowledge of the extent of customer
dissatisfaction to accounting personnel. In this case, that process is critical to the accounting function's arriving
at a reasonable estimate for a warranty reserve. In this case, there are no other controls to accomplish the same
financial reporting objectives. The absence of such communication — either because there is no channel or
because the channel exists but is not used — could, if the amounts involved are material, lead to the conclusion
that a material weakness exists. Variations in the surrounding facts and circumstances, however, might lead to a
different conclusion. If the contract terms for the company's products were substantially different from those
cited, for example, a very short warranty period, the potential exposure might be far below any reasonable
materiality threshold. Or, internal audit or another designated group could correspond with customers at year
end to determine the extent of potential claims, thereby achieving the relevant financial reporting objectives by
other means. In either of these situations — and others could exist — management would likely conclude that a
material weakness did not exist.
• A fourth example involves assessing and responding to new risks. The absence of a mechanism in a financial
services company for identifying financial statement-related risks associated with new financial instruments that
it regularly enters into is more likely to be a material weakness than the absence of a similar identifying
mechanism in a manufacturing company that only occasionally engages in transactions involving more
traditional financial instruments with well-recognized risks.
• As another example, assume accounting clerks who perform reconciliations and other critical control functions
receive no training, or marginally effective training. In the abstract, this might be a material weakness. In reality,
however, the clerks would likely be subject to effective supervision. Or, management reviews of reported data
might identify material misstatements, effectively removing the training issue from the material weakness
category.
• Lastly, the absence of procedures to review the reliability of purchased software used to generate sales reports
and related sales commissions might, again in the abstract with no other controls in place, be a material
weakness. That would not be the case if reported sales are reconciled to shipping data, and if reported
commissions, which in this case are assumed to be at a uniform rate, are verified by an overall calculation.

Documentation

When an entity issues a public report on internal control, it should develop and retain documentation to support
the statements made. As noted in the Framework volume, Chapter 6, the type and extent of documentation will
vary by entity. The Evaluation Tools volume presents one way in which an internal control system, and the
evaluation process, may be documented. Other methods of documentation are acceptable, as long as they
support the statements made.

Appendix -- Consideration of Comment Letters

This appendix summarizes the more significant comments generated from the public exposure of a draft of this
material and from input received on a revised draft. It lists the resulting modifications reflected in this final
document. It also includes reasons why certain views were accepted and others were not.

The draft of this material was included as part of a one-volume report exposed for public comment. Consistent
with comments received, the material is now presented in this separate volume. The reasons for that decision
are described in Appendix D to the Framework volume of the report. Other significant comments on the subject
of management reporting to external parties are presented here.

Scope of Reporting. The exposure draft stated that the management report should encompass only control
over financial reporting. Some respondents supported this position. They agreed with the exposure draft's
statements that reports addressing financial reporting controls coincide with the needs of securityholders, and
that extension of reports to other objectives would elevate costs and raise new questions needing study. Other
respondents, however, stated that management reporting also should cover operations and compliance controls.
They argued that investors want information on whether the organization has controls to help ensure that it is
operating efficiently and effectively and is complying with legal and regulatory requirements. Some respondents
stated that limiting the discussion of management reporting to financial reporting controls is inconsistent with the
rest of the document, which addresses internal control from a broad perspective.

It was concluded, for a number of reasons — including those set forth in the exposure draft and the lack of a
measurement standard for operations and compliance similar to the material weakness concept for financial
reporting — that the final document should take the position that reporting on financial reporting controls is most
relevant to today's circumstances. However, a discussion of the evolutionary nature of reporting on compliance
controls has been added.

Endorsement of Management Reporting. Some respondents indicated that the final document should endorse
mandatory reporting. They argued that mandatory reporting would heighten management's awareness of their
responsibility to maintain effective internal control over financial reporting, and would provide relevant and
important information to users.
The final document, similar to the exposure draft, does not take a position either for or against mandatory
management reporting. This is because the document was prepared in response to the Treadway
recommendation to provide, among other things, a basis for management reporting on internal control. Any
attempt at resolution of the debate regarding the need for or advisability of mandatory reporting is beyond the
scope of this study.

External Auditor Involvement with Management Reports. Although it was not addressed in the exposure
draft, respondents commented on whether or not management reports should be attested to by independent
public accountants. Some respondents argued against external auditor involvement, presenting views on the
relative costs and benefits. Others argued in favor, citing the added value external auditor involvement would
bring.

It was concluded, because of the level of interest, that the issue should be acknowledged in the final document.
It was decided that the final document should state, as with the issue of making management reporting
mandatory, that resolution of the issue is beyond the scope of this study.

Reporting Timeframe. The exposure draft supported "point-in-time" reporting. Some respondents agreed with
this position, while others said that point-in-time reporting is inconsistent with internal control as a process and
with the concept of continual monitoring of internal control. They suggested that "period-of-time" reporting should
be presented as most appropriate.

It was concluded that the final document should retain the preference for point-in-time reporting. Point-in-time
reporting meets the needs of securityholders, is less costly and provides an environment conducive to
identification and correction of control deficiencies.

Interim Reporting. The exposure draft stated that management reports on internal control should address
controls over both the interim and annual reporting processes. Some respondents indicated that it was not clear
how reporting at a point in time relates to controls over interim reporting. Other respondents said that
management reports should explicitly state that they cover interim reporting controls.

The final document more clearly describes the relationship between covering interim reporting controls and
point-in-time reporting. It states that the management report should address internal controls in effect at the point
in time (e.g., year end) over the preparation of interim (e.g., quarterly) published financial information; the
internal controls reported on are those in effect at year end related to the preparation of such information, rather
than controls that might have been in place at the end of each quarter.

Design vs. Effectiveness. The exposure draft stated that the management report should include management's
conclusion on the effectiveness of the internal control system. Some respondents said the management report
should cover only system design, rather than effectiveness, primarily to help avoid liability in the case of a
subsequent alleged failure.

The final document retains the basic thrust of reporting on effectiveness. It states that the Treadway Commission
called for reporting on effectiveness, and entities intending to comply with Treadway should report accordingly.
The final document also presents additional reasons why reporting on effectiveness is appropriate.

Reporting Deficiencies. Some respondents expressed concern that because only material weaknesses
existing at the point-in-time reporting date are included in a management report, report readers might not
recognize that internal control systems, by their very nature, result in the identification and correction of
deficiencies on an ongoing basis.

To avoid any such misunderstanding, the final document calls for a statement in the management report as to
the existence of such self-monitoring mechanisms.

Illustrative Management Report. The exposure draft provided an illustrative management report demonstrating
how the reporting guidelines might be applied. Some respondents indicated that presenting only one illustrative
report might cause that illustration to become viewed as a required standard, resulting in use of "boilerplate"
language. In order to foster flexibility in reporting, some respondents suggested the illustration be deleted, while
others suggested that more examples, containing topics currently addressed in management reports, be
provided. Some respondents said illustrative management reports are particularly useful to managements with
little experience with reporting on internal control. Respondents also suggested that an example be provided of
how the existence of a material weakness might be reported.

It was decided that the illustrative management report is useful and should be retained, but that additional
examples should be provided to promote flexibility. The final document contains three illustrative reports,
including one discussing other topics addressed currently in management reports, and one describing the
existence of a material weakness. The final document also emphasizes management's tailoring reports to entity
circumstances and avoiding use of "boilerplate" language.

Criteria for Management Reporting. The illustrative management report in the exposure draft named the study
in identifying the criteria used in assessing internal control effectiveness. Some respondents said that the
illustrative management report should not refer to the name of the study because this might imply that these are
the only criteria available. They suggested clarifying that other criteria might be used to conduct an evaluation
and to report against.

It was decided that it is important for readers to be advised as to which criteria management uses for
determining effectiveness. The illustrative management report continues to name the study, but the document
clearly states that other criteria may be used.

Footnotes

‡ Based on 1989 annual reports.

‡ Management may prefer to report as of another point in time, such as the date the annual report is
issued.

‡ From a practical standpoint, an evaluation will not be done at one point in time. The internal control
system's ongoing monitoring activities, which identify control weaknesses and opportunities for
improvement, will usually serve as a basis for evaluation. Some managements carry out evaluative
procedures at various times through the year, with attention given to subsequent system changes
occurring before year end.

‡ Accounting Principles Board Opinion No. 28, Interim Financial Reporting (New York: AICPA, 1973),
notes the "inherent difficulties" present in reporting results of operations for interim periods and
discusses the types of estimates required by the interim reporting process (para. 4).

‡ The subsequent discussion assumes that only point-in-time reporting is used.

‡ As noted under "New Report Guidelines," reports on internal control based on this study will refer to
somewhat different matters.

‡ The criteria contained in the Framework volume of this report, or other criteria, may be used. Explicit
reference to the standard against which an entity's internal control system is measured is important to
effective communication with report readers. Identification of the Framework volume incorporates by
reference its discussions of important concepts including reasonable assurance and the various
inherent limitations of internal control systems, the components and possible tradeoffs among them,
and the definition of internal control over the preparation of published financial statements.

‡ If a material weakness was corrected before the date as of which the conclusion on system
effectiveness is made, say, year end, the weakness would not need to be described, so long as
management determined that the new or revised controls were operating effectively as of that (year
end) date. Management's determination might be made subsequent to that "as of" date, but before the
date the management report is issued.

‡ Among guidance provided in Statement on Auditing Standards No. 30, Reporting on Internal Accounting
Control (New York: AICPA, 1980), is that the combined effect of individually immaterial weaknesses
should be considered (para. 32).

Addendum to "Reporting to External Parties"

Committee of Sponsoring Organizations of the Treadway Commission (COSO)

Chairman

Gaylen N. Larson

Members

Organization Representative

Financial Executives Institute P. Norman Roy

American Institute of Certified Public Accountants Philip B. Chenok

American Accounting Association Andrew D. Bailey

The Institute of Internal Auditors William G. Bishop, III

Institute of Management Accountants Robert W. Liptak

Copyright © 1994 by the Committee of Sponsoring Organizations of the Treadway Commission

Purpose

Internal Control — Integrated Framework was issued in September 1992 by the Committee of Sponsoring
Organizations of the Treadway Commission (COSO). This report, frequently referred to as the COSO report, is
in four parts. It includes a Framework volume which defines internal control, describes its components, and
provides criteria against which managements, boards or others can assess their control systems. A Reporting to
External Parties volume provides guidance to those entities that report publicly on internal control over
preparation of their published financial statements, or are contemplating doing so. The report also includes an
Executive Summary and an Evaluation Tools volume.

Since issuance, the COSO report has been viewed by many parties as having achieved its stated objectives —
establishing a common definition serving the needs of different parties, and providing a standard against which
business and other entities can assess their control systems and determine how to improve them. However,
some parties, including the U.S. General Accounting Office, believe that the management reports suggested in
the COSO report do not adequately address controls relating to safeguarding of assets, and would not,
therefore, fully respond to the requirements of the Foreign Corrupt Practices Act of 1977 (FCPA).‡

This document constitutes an addendum to the Reporting to External Parties volume of the COSO report. It
discusses the issue of, and provides a vehicle for, expanding the scope of a management report on internal
control to address additional controls pertaining to safeguarding of assets.

Introduction

The COSO report defines internal control as:

. . . a process, effected by an entity's board of directors, management and other personnel, designed to
provide reasonable assurance regarding the achievement of objectives in the following categories:

• Effectiveness and efficiency of operations.
• Reliability of financial reporting.
• Compliance with applicable laws and regulations.

The COSO report states that operations objectives "pertain to effectiveness and efficiency of the entity's
operations, including performance and profitability goals and safeguarding resources against loss." In discussing
safeguarding of resources, the COSO report makes these statements:

Although these [objectives relating to safeguarding of resources] are primarily operations objectives, certain
aspects of safeguarding can fall under the other categories. Under the operations category is the efficient use
of an entity's recorded assets and other resources, and prevention of their loss through theft, waste,
inefficiency or what turns out to be simply bad business decisions — such as selling product at too low a
price, extension of credit to bad risks, failing to retain key employees or prevent patent infringement, or
incurring unforeseen liabilities. Where legal or regulatory requirements apply, these become compliance
issues. On the other hand, the goal of ensuring that any such asset losses are properly reflected in the
entity's financial statements represents a financial reporting objective.

The category in which an objective falls can sometimes depend on circumstances. Continuing the discussion
of safeguarding of assets, controls to prevent theft of asset — such as maintaining a fence around inventory,
and a gatekeeper verifying proper authorization of requests for movement of goods — fall under the
operations category. These controls normally would not be relevant to the reliability of financial statement
preparation, because any inventory losses would be detected pursuant to periodic physical inspection and
recorded in the financial statements. However, if for financial reporting purposes management relies solely on
perpetual inventory records, as may be the case for interim reporting, the physical security controls would
then also fall within the financial reporting category. This is because these physical security controls, along
with controls over the perpetual inventory records, would be needed to ensure reliable financial reporting.‡

Thus, when managements report on whether entities' systems of internal control over financial reporting met the
criteria in the COSO report, the reports for some entities would cover certain controls designed primarily to
safeguard assets, and reports for others would not.

Conclusion

COSO believes that the definition of internal control in its report, including the classification of controls into
operations, compliance, and financial reporting categories, remains appropriate. At the same time, COSO
recognizes that the FCPA encompasses certain controls related to safeguarding of assets that might not be
covered in a management report on financial reporting controls as defined by COSO, and that there is an
expectation on the part of some management report readers that reports will in all cases cover those additional
controls. That is, there is a reasonable expectation that a management report will cover not only controls to help
ensure that transactions involving the entity's assets are properly reflected in the financial statements, but also
controls to help prevent or timely detect unauthorized acquisition, use or disposition of the underlying assets.
COSO believes it is important that this expectation be met.

Definition

Accordingly, for purposes of public management reporting, the following definition‡ is provided:

Internal control over safeguarding of assets against unauthorized acquisition, use or disposition is a process,
effected by an entity's board of directors, management and other personnel, designed to provide reasonable
assurance regarding prevention or timely detection of unauthorized acquisition, use or disposition of the entity's
assets that could have a material effect on the financial statements.

A related definition of effectiveness is as follows:

Such internal control can be judged effective if the board of directors and management have reasonable
assurance that unauthorized acquisition, use or disposition of the entity's assets that could have a material effect
on the financial statements is being prevented or detected on a timely basis.

Discussion

"Internal control over safeguarding of assets against unauthorized acquisition, use or disposition" is a subset of
the broader segment of internal control described as safeguarding of asset controls which, as defined in the
COSO report, fall within one or more of the three basic control categories. Accordingly, these controls
encompass each of the five internal control components as defined in the Framework volume of the report,
insofar as those components are relevant to the prevention or timely detection of unauthorized acquisition, use
or disposition of assets that could have a material effect on the financial statements.‡ Such controls include, for
example:

• Assessing the risk of unauthorized acquisition, use or disposition of assets.
• Establishing control activities to help ensure that management directives to address the risks are carried out.
Such control activities would include controls to permit acquisition, use or disposition of assets only in
accordance with management's general or specific authorization, including compliance with established policies
and procedures for such acquisition, use or disposition. They would also include comparing existing assets with
the related records at reasonable intervals and taking appropriate action with respect to any differences.
• Making available to management information it needs to carry out its responsibilities related to prevention or
timely detection of such unauthorized activities.
• Mechanisms to enable management to monitor the continued effective operation of such controls.

Controls over safeguarding of assets against unauthorized acquisition, use or disposition relate to the prevention
or timely detection of unauthorized transactions and unauthorized access to assets that could result in losses
that are material to the financial statements, for example, when unauthorized expenditures or investments are
made, unauthorized liabilities are incurred, inventory is stolen, or assets are converted to personal use. Such
controls are designed to help ensure that use of and access to assets are in accordance with management's
authorization. Authorization includes approval of transactions in accordance with policies and procedures
established by management and the board of directors to safeguard assets, such as establishing and complying
with requirements for extending and monitoring credit or making investment decisions, and related
documentation.

Controls over safeguarding of assets from unauthorized acquisition, use or disposition are not designed to
protect against loss of assets arising from inefficiency or from management's operating decisions, such as
selling a product that proves to be unprofitable, incurring expenditures for equipment or material that proves to
be unnecessary or unsatisfactory, authorizing what proves to be unproductive research or ineffective advertising,
or accepting some level of merchandise pilferage by customers as part of operating a retail business. To the
extent such losses might occur, effective financial reporting controls should provide reasonable assurance that
they are properly reflected in the financial statements, thereby alerting users to consider the need for action.

Other concepts discussed in the COSO report — including the principle that because of limitations inherent in all
internal control systems, management and the board of directors can have no more than reasonable assurance
regarding achievement of specified objectives — also apply to these controls.

Reporting

The definitions of controls over safeguarding of assets against unauthorized acquisition, use or disposition, and
related discussion, provide a basis for management reporting thereon. COSO encourages managements that
report to external parties on controls over financial reporting to also cover controls over safeguarding of assets
against unauthorized acquisition, use or disposition. It further encourages managements to include specific
reference to those controls in the report. The following illustrative management report, patterned after the one on
page 139 of Reporting to External Parties, provides suggested wording:

XYZ Company maintains a system of internal control over financial reporting and‡ over safeguarding of assets
against unauthorized acquisition, use or disposition which is designed to provide reasonable assurance to the
Company's management and board of directors regarding the preparation of reliable published financial
statements and such asset safeguarding. The system contains self-monitoring mechanisms, and actions are
taken to correct deficiencies as they are identified. Even an effective internal control system, no matter how well
designed, has inherent limitations — including the possibility of the circumvention or overriding of controls — and
therefore can provide only reasonable assurance with respect to financial statement preparation and such asset
safeguarding. Further, because of changes in conditions, internal control system effectiveness may vary over
time.

The Company assessed its internal control system as of December 31, 19XX in relation to criteria for effective
internal control over financial reporting described in "Internal Control - Integrated Framework" issued by the
Committee of Sponsoring Organizations of the Treadway Commission. Based on this assessment, the Company
believes that, as of December 31, 19XX, its system of internal control over financial reporting and‡ over
safeguarding of assets against unauthorized acquisition, use or disposition met those criteria.

Footnotes

‡ The FCPA requires issuers, among other things, to "devise and maintain a system of internal
accounting controls sufficient to provide reasonable assurances that (i) transactions are executed in
accordance with management's general or specific authorization; (ii) transactions are recorded as
necessary... to maintain accountability for assets; (iii) access to assets is permitted only in accordance
with management's general or specific authorization; and (iv) the recorded accountability for assets is
compared with the existing assets at reasonable intervals and appropriate action is taken with respect
to any differences."

‡ Framework, page 37.

‡ The COSO report is designed to accommodate special-purpose definitions of internal control, within the
framework of the basic definitions, to meet the needs of different users.

‡ The relationship of the three basic control categories to the five components is depicted in Exhibit 2,
page 19, of Framework. In the context of that diagram, controls over safeguarding of assets against
unauthorized acquisition, use or disposition would be depicted by a vertical "slice" of the cube, typically
encompassing a segment of the financial reporting column, a segment of the operations column, or
both, depending on the circumstances discussed in the COSO report and quoted under "Introduction"
on page 153.

‡ In circumstances where all controls over safeguarding of assets against unauthorized acquisition, use
or disposition fall within the category of controls over financial reporting, "and" may be changed to
"including."

Evaluation Tools

(PDF version: Evaluation_Tools.pdf)

Introduction
This volume contains a set of tools that may be useful in conducting an evaluation of an entity's internal control
system. The tools may be used in any of several ways:

• Individually, when evaluating a particular component, or together when evaluating all components.
• In evaluating controls related to one category of controls, such as reliability of financial reporting, or more than one category.
• When focusing on certain activities, such as procurement or sales, or all activities.

The evaluation tools are presented as follows:

• A set of blank tools, organized by component, along with one to assist in assembling the results in making an overall evaluation.
• A Reference Manual designed to assist the evaluator in completing the "Risk Assessment and Control Activities Worksheet." Also presented is a generic business model which serves as the organizational basis for the Reference Manual.
• Filled-in tools, depicting how they might be completed for a hypothetical company.

These evaluation tools are intended to provide guidance and assistance in evaluating internal control systems in
relation to criteria for effective internal control set forth in the Framework volume of this report. Accordingly,
users of these materials should be familiar with that volume.

These tools are presented for purely illustrative purposes. They are not an integral part of the Framework, and
their presentation here in no way suggests that all matters addressed in them need to be considered in
evaluating an internal control system, or that all such matters must be present in order to conclude that a system
is effective. Similarly, there is no suggestion that these tools are a preferred method to conduct and document
an evaluation. Because facts and circumstances vary between entities and industries, evaluation methodologies
and documentation techniques will also vary. Accordingly, entities may use different evaluation tools, or use
other methodologies utilizing different evaluative techniques. For those entities that do plan to use these tools in
some way, it is suggested that they be used only as a starting point, and be modified to reflect the particular
facts, conditions and risks relevant to their own circumstances.

These evaluation tools can be used by entities of any size. When used by small or mid-size entities, the tailoring
process should recognize that smaller entities tend to be less formal and less structured than large
organizations, that fewer organization levels will likely result in the CEO and other key managers communicating
more directly and continuously with lower level personnel, and that these factors will affect the way control is
exercised. The sample filled-in tools contained in this volume have been completed using a hypothetical
mid-size company and may provide guidance to companies of such size in completing the tools.

Blank Tools
Component Tools

Five evaluation tools are presented, one for each internal control component. A heading and brief introduction
identify each factor or significant element within a component.

Substantive issues to be addressed are contained under the column heading "points of focus." The points of
focus are identified by the symbol •, and represent some of the more important issues relevant to the
component. Not all points of focus are relevant to every entity, and additional issues will be relevant to some
entities. It is suggested that the evaluator tailor the points of focus to fit the entity's facts and circumstances by
adding, deleting or modifying those provided in the tool.

Included under each point of focus are examples of subsidiary issues that might be considered in addressing the
point of focus. It is important to recognize that only a few examples of such subsidiary issues are provided. Many
others usually are relevant. The examples provided are intended only to illustrate the types of items to consider.

The evaluator addresses each point of focus, considering the example subsidiary issues as well as others not
presented. Although one could record a response for each example subsidiary issue, it is suggested that a
response be provided only to the point of focus. The "description/comments" column provides space to record a
description of how matters addressed in the point of focus are applied in the entity, and to record relevant
comments. The response generally will not be a "yes" or "no" answer, but rather information on how the entity
addresses the matter.

At the end of each section is a space to record a conclusion on the effectiveness of the related controls, and any
actions that might need to be taken or considered. Space is provided at the end of each tool for similar
information on the entire component.

Risk Assessment and Control Activities Worksheet

As noted in the evaluation tools for Risk Assessment and Control Activities, management establishes objectives
for each significant activity; analyzes risks to their achievement; establishes plans, programs and other actions
to address the risks; and puts in place control activities to ensure that the actions are carried out. The tools for
Risk Assessment and Control Activities do not provide a vehicle to evaluate this process at the activity level. A
separate worksheet is provided to assist in this regard.

Management may or may not have already documented this process. If not, the worksheet (pages 42 and 43)
provides a vehicle to assist management in performing and documenting the process. An evaluator then can
review the completed worksheet. If management has no documentation, the evaluator might consider preparing
the worksheet (with the assistance of management) in order to evaluate the process and associated linkages.

The Reference Manual (beginning on page 49) is designed to assist in identifying activity-level objectives,
analyzing the risks, and determining what actions might be taken and what control activities put in place.

Overall Internal Control System Evaluation

An evaluation tool is provided to serve as a summary of the findings and conclusions for each of the components
and to facilitate review of the preliminary results by more senior executives and their addition of further
information. Space for an overall conclusion on the internal control system is provided.

Control Environment
(Word version: 3_Control Environment.doc)

Points of Focus | Description/Comments

Integrity and Ethical Values

Management must convey the message that integrity and ethical values cannot be compromised, and employees must receive and understand that message. Management must continually demonstrate, through words and actions, a commitment to high ethical standards.

• Existence and implementation of codes of conduct and other policies regarding acceptable business practice, conflicts of interest, or expected standards of ethical and moral behavior. For example, consider whether:
  - Codes are comprehensive, addressing conflicts of interest, illegal or other improper payments, anticompetitive guidelines, insider trading.
  - Codes are periodically acknowledged by all employees.
  - Employees understand what behavior is acceptable or unacceptable, and know what to do if they encounter improper behavior.
  - If a written code of conduct does not exist, the management culture emphasizes the importance of integrity and ethical behavior. This may be communicated orally in staff meetings, in one-on-one interface, or by example when dealing with day-to-day activities.

• Establishment of the "tone at the top"—including explicit moral guidance about what is right and wrong—and extent of its communication throughout the organization. For example, consider whether:
  - Commitment to integrity and ethics is communicated effectively throughout the enterprise, both in words and deeds.
  - Employees feel peer pressure to do the right thing, or cut corners to make a "quick buck."
  - Management appropriately deals with signs that problems exist, e.g., potential defective products or hazardous wastes, especially when the cost of identifying problems and dealing with the issues could be large.

• Dealings with employees, suppliers, customers, investors, creditors, insurers, competitors, and auditors, etc. (e.g., whether management conducts business on a high ethical plane, and insists that others do so, or pays little attention to ethical issues). For example, consider whether:
  - Everyday dealings with customers, suppliers, employees and other parties are based on honesty and fairness (e.g., customer's overpayment or a supplier's underbilling are not ignored, no efforts are made to find a way to reject an employee's legitimate claim for benefits, and reports to lenders are complete, accurate and not misleading).

• Appropriateness of remedial action taken in response to departures from approved policies and procedures or violations of the code of conduct. Extent to which remedial action is communicated or otherwise becomes known throughout the entity. For example, consider whether:
  - Management responds to violations of behavioral standards.
  - Disciplinary actions taken as a result of violations are widely communicated in the entity. Employees believe that, if caught violating behavioral standards, they'll suffer the consequences.

• Management's attitude towards intervention or overriding established controls. For example, consider whether:
  - Management has provided guidance on the situations and frequency with which intervention may be needed.
  - Management intervention is documented and explained appropriately.
  - Manager override is explicitly prohibited.
  - Deviations from established policies are investigated and documented.

• Pressure to meet unrealistic performance targets—particularly for short-term results—and extent to which compensation is based on achieving those performance targets. For example, consider whether:
  - Conditions such as extreme incentives or temptations exist that can unnecessarily and unfairly test people's adherence to ethical values.
  - Compensation and promotions are based solely on achievement of short-term performance targets.
  - Controls are in place to reduce temptations that might otherwise exist.

Conclusions/Actions Needed

Commitment to Competence

Management must specify the level of competence needed for particular jobs, and translate the desired levels of competence into requisite knowledge and skills.

• Formal or informal job descriptions or other means of defining tasks that comprise particular jobs. For example, consider whether:
  - Management has analyzed, on a formal or informal basis, the tasks comprising particular jobs, considering such factors as the extent to which individuals must exercise judgment and the extent of related supervision.

• Analyses of the knowledge and skills needed to perform jobs adequately. For example, consider whether:
  - Management has determined to an adequate extent the knowledge and skills needed to perform particular jobs.
  - Evidence exists indicating that employees appear to have the requisite knowledge and skills.

Conclusions/Actions Needed

Board of Directors or Audit Committee

An active and effective board, or committees thereof, provides an important oversight function and, because of management's ability to override system controls, the board plays an important role in ensuring effective internal control.

• Independence from management, such that necessary, even if difficult and probing, questions are raised. For example, consider whether:
  - The board constructively challenges management's planned decisions, e.g., strategic initiatives and major transactions, and probes for explanations of past results (e.g., budget variances).
  - A board that consists solely of an entity's officers and employees (e.g., a small corporation) questions and scrutinizes activities, presents alternative views and takes appropriate action if necessary.

• Use of board committees where warranted by the need for more in-depth or directed attention to particular matters. For example, consider whether:
  - Board committees exist.
  - They are sufficient, in subject matter and membership, to deal with important issues adequately.

• Knowledge and experience of directors. For example, consider whether:
  - Directors have sufficient knowledge, industry experience and time to serve effectively.

• Frequency and timeliness with which meetings are held with chief financial and/or accounting officers, internal auditors and external auditors. For example, consider whether:
  - The audit committee meets privately with the chief accounting officer and internal and external auditors to discuss the reasonableness of the financial reporting process, system of internal control, significant comments and recommendations, and management's performance.
  - The audit committee reviews the scope of activities of the internal and external auditors annually.

• Sufficiency and timeliness with which information is provided to board or committee members, to allow monitoring of management's objectives and strategies, the entity's financial position and operating results, and terms of significant agreements. For example, consider whether:
  - The board regularly receives key information, such as financial statements, major marketing initiatives, significant contracts or negotiations.
  - Directors believe they receive the proper information.

• Sufficiency and timeliness with which the board or audit committee is apprised of sensitive information, investigations and improper acts (e.g., travel expenses of senior officers, significant litigation, investigations of regulatory agencies, defalcations, embezzlement or misuse of corporate assets, violations of insider trading rules, political payments, illegal payments). For example, consider whether:
  - A process exists for informing the board of significant issues.
  - Information is communicated timely.

• Oversight in determining the compensation of executive officers and head of internal audit, and the appointment and termination of those individuals. For example, consider whether:
  - The compensation committee approves all management incentive plans tied to performance.
  - The compensation committee, in joint consultation with the audit committee, deals with compensation and retention issues regarding the chief internal auditor.

• Role in establishing the appropriate "tone at the top." For example, consider whether:
  - The board and audit committee are involved sufficiently in evaluating the effectiveness of the "tone at the top."
  - The board takes steps to ensure an appropriate "tone."
  - The board specifically addresses management's adherence to the code of conduct.

• Actions the board or committee takes as a result of its findings, including special investigations as needed. For example, consider whether:
  - The board has issued directives to management detailing specific actions to be taken.
  - The board oversees and follows up as needed.

Conclusions/Actions Needed

Management's Philosophy and Operating Style

The philosophy and operating style of management normally have a pervasive effect on an entity. These are, of course, intangibles, but one can look for positive or negative signs.

• Nature of business risks accepted, e.g., whether management often enters into particularly high-risk ventures, or is extremely conservative in accepting risks. For example, consider whether:
  - Management moves carefully, proceeding only after carefully analyzing the risks and potential benefits of a venture.

• Personnel turnover in key functions, e.g., operating, accounting, data processing, internal audit. For example, consider whether:
  - There has been excessive turnover of management or supervisory personnel.
  - Key personnel have quit unexpectedly or on short notice.
  - There is a pattern to turnover (e.g., inability to retain key financial or internal audit executives) that may be an indicator of the emphasis that management places on control.

• Management's attitude toward the data processing and accounting functions, and concerns about the reliability of financial reporting and safeguarding of assets. For example, consider whether:
  - The accounting function is viewed as a necessary group of "bean counters," or as a vehicle for exercising control over the entity's various activities.
  - The selection of accounting principles used in financial statements always results in the highest reported income.
  - If the accounting function is decentralized, operating management "sign off" on reported results.
  - Unit accounting personnel also have responsibility to central financial officers.
  - Valuable assets, including intellectual assets and information, are protected from unauthorized access or use.

• Frequency of interaction between senior management and operating management, particularly when operating from geographically removed locations. For example, consider whether:
  - Senior managers frequently visit subsidiary or divisional operations.
  - Group or divisional management meetings are held frequently.

• Attitudes and actions toward financial reporting, including disputes over application of accounting treatments (e.g., selection of conservative versus liberal accounting policies; whether accounting principles have been misapplied, important financial information not disclosed, or records manipulated or falsified). For example, consider whether:
  - Management avoids obsessive focus on short-term reported results.
  - Personnel do not submit inappropriate reports to meet targets (e.g., salespeople submitting orders to meet targets, knowing customers will return goods in the next period).
  - Managers do not ignore signs of inappropriate practices.
  - Estimates do not stretch facts to the edge of reasonableness and beyond.

Conclusions/Actions Needed

Organizational Structure

The organizational structure shouldn't be so simple that it cannot adequately monitor the enterprise's activities nor so complex that it inhibits the necessary flow of information. Executives should fully understand their control responsibilities and possess the requisite experience and levels of knowledge commensurate with their positions.

• Appropriateness of the entity's organizational structure, and its ability to provide the necessary information flow to manage its activities. For example, consider whether:
  - The organizational structure is appropriately centralized or decentralized, given the nature of the entity's operations.
  - The structure facilitates the flow of information upstream, downstream and across all business activities.

• Adequacy of definition of key managers' responsibilities, and their understanding of these responsibilities. For example, consider whether:
  - Responsibilities and expectations for the entity's business activities are communicated clearly to the executives in charge of those activities.

• Adequacy of knowledge and experience of key managers in light of responsibilities. For example, consider whether:
  - The executives in charge have the required knowledge, experience and training to perform their duties.

• Appropriateness of reporting relationships. For example, consider whether:
  - Established reporting relationships—formal or informal, direct or matrix—are effective, and they provide managers information appropriate to their responsibilities and authority.
  - The executives of the business activities have access to communication channels to senior operating executives.

• Extent to which modifications to the organizational structure are made in light of changed conditions. For example, consider whether:
  - Management periodically evaluates the entity's organizational structure in light of changes in the business or industry.

• Sufficient numbers of employees exist, particularly in management and supervisory capacities. For example, consider whether:
  - Managers and supervisors have sufficient time to carry out their responsibilities effectively.
  - Managers and supervisors work excessive overtime, and are fulfilling the responsibilities of more than one employee.

Conclusions/Actions Needed

Assignment of Authority and Responsibility

The assignment of responsibility, delegation of authority and establishment of related policies provide a basis for accountability and control, and set forth individuals' respective roles.

• Assignment of responsibility and delegation of authority to deal with organizational goals and objectives, operating functions and regulatory requirements, including responsibility for information systems and authorizations for changes. For example, consider whether:
  - Authority and responsibility are assigned to employees throughout the entity.
  - Responsibility for decisions is related to assignment of authority and responsibility.
  - Proper information is considered in determining the level of authority and scope of responsibility assigned to an individual.

• Appropriateness of control-related standards and procedures, including employee job descriptions. For example, consider whether:
  - Job descriptions, for at least management and supervisory personnel, exist.
  - They contain specific references to control-related responsibilities.

• Appropriate numbers of people, particularly with respect to data processing and accounting functions, with the requisite skill levels relative to the size of the entity and nature and complexity of activities and systems. For example, consider whether:
  - The entity has an adequate workforce—in numbers and experience—to carry out its mission.

• Appropriateness of delegated authority in relation to assigned responsibilities. For example, consider whether:
  - There is an appropriate balance between authority needed to "get the job done" and the involvement of senior personnel where needed.
  - Employees at the "right" level are empowered to correct problems or implement improvements, and empowerment is accompanied by appropriate levels of competence and clear boundaries of authority.

Conclusions/Actions Needed

Human Resource Policies and Practices

Human resource policies are central to recruiting and retaining competent people to enable the entity's plans to be carried out so its goals can be achieved.

• Extent to which policies and procedures for hiring, training, promoting and compensating employees are in place. For example, consider whether:
  - Existing personnel policies and procedures result in recruiting or developing competent and trustworthy people necessary to support an effective internal control system.
  - The level of attention given to recruiting and training the right people is appropriate.
  - When formal documentation of policies and practices does not exist, management communicates expectations about the type of people to be hired or participates directly in the hiring process.

• Extent to which people are made aware of their responsibilities and expectations of them. For example, consider whether:
  - New employees are made aware of their responsibilities and management's expectations of them.
  - Supervisory personnel meet periodically with employees to review job performance and suggestions for improvement.

• Appropriateness of remedial action taken in response to departures from approved policies and procedures. For example, consider whether:
  - Management's response to failures to carry out assigned responsibilities is appropriate.
  - Appropriate corrective action is taken as a result of non-adherence to established policies.
  - Employees understand that ineffective performance will result in remedial consequences.

• Extent to which personnel policies address adherence to appropriate ethical and moral standards. For example, consider whether:
  - Integrity and ethical values is a criterion in performance appraisals.

• Adequacy of employee candidate background checks, particularly with regard to prior actions or activities considered to be unacceptable by the entity. For example, consider whether:
  - Candidates with frequent job changes or gaps in employment history are subjected to particularly close scrutiny.
  - Hiring policies require investigation for a criminal record.

• Adequacy of employee retention and promotion criteria and information-gathering techniques (e.g., performance evaluations) and relation to the code of conduct or other behavioral guidelines. For example, consider whether:
  - Promotion and salary increase criteria are detailed clearly so that individuals know what management expects prior to promotions or advancement.
  - Criteria reflect adherence to behavioral standards.

Conclusions/Actions Needed

Component Summary-Conclusions/Actions Needed

Risk Assessment
(Word version: 4_Risk Assessment.doc)

Points of Focus | Description/Comments

Entity-Wide Objectives

For an entity to have effective control, it must have established objectives. Entity-wide objectives include broad statements of what an entity desires to achieve, and are supported by related strategic plans. Describe the entity-wide objectives and key strategies that have been established.

• Extent to which the entity-wide objectives provide sufficiently broad statements and guidance on what the entity desires to achieve, yet which are specific enough to relate directly to this entity. For example, consider whether:
  - Management has established entity-wide objectives.
  - The entity-wide objectives are different than generic objectives that could apply to any entity (e.g., generate sufficient cash flow to service debt, or produce a reasonable return on investment).

• Effectiveness with which the entity-wide objectives are communicated to employees and board of directors. For example, consider whether:
  - Information on the entity-wide objectives is disseminated to employees and the board of directors.
  - Management obtains feedback from key managers, other employees and the board signifying that communication to employees is effective.

• Relation and consistency of strategies with entity-wide objectives. For example, consider whether:
  - The strategic plan supports the entity-wide objectives.
  - It addresses high level resource allocations and priorities.

• Consistency of business plans and budgets with entity-wide objectives, strategic plans and current conditions. For example, consider whether:
  - Assumptions inherent in the plans and budgets reflect the entity's historical experience and current conditions.
  - Plans and budgets are at an appropriate level of detail for each management level.

Conclusions/Actions Needed

Activity-Level Objectives

Activity-level objectives flow from and are linked with the entity-

Internal Use Only


Exported on 23/02/2022 10:29 pm © All rights are reserved. Page 589
wide objectives and strategies. Activity-level objectives are
frequently stated as goals with specific targets and deadlines.
Objectives should be established for each significant activity,
and those activity-level objectives should be consistent with
each other.

 Linkage of activity-level objectives with entity-wide


objectives and strategic plans. For example, consider
whether:

 Adequate linkage exists for all significant activities.

 Activity-level objectives are reviewed from time to time for


continued relevance.

 Consistency of activity-level objectives with each other.


For example, consider whether:

 They are complementary and reinforcing within activities.

 They are complementary and reinforcing between activities.

 Relevance of activity-level objectives to all significant


business processes. For example, consider whether:

 Objectives are established for key activities in the flows of


goods and services and support activities.

 Activity-level objectives are consistent with past practices


and performances or with industry or functional analogues,
or the reasons for variance have been considered.

 Objectives are established for each significant activity.


These activities may include, among others (the activities
Internal Use Only
Exported on 23/02/2022 10:29 pm © All rights are reserved. Page 590
listed derive from a generic business model, pages 52 to 55;
illustrative objectives for each of these activities are
presented in the Reference Manual, pages 57 to 129):

    Inbound
    Operations
    Outbound
    Marketing and Sales
    Service
    Procurement
    Technology Development
    Human Resources
    Manage the Enterprise
    Manage External Relations
    Provide Administrative Services
    Manage Information Technology
    Manage Risks (of accident or other insurable loss)
    Manage Legal Affairs
    Plan
    Process Accounts Payable
    Process Accounts Receivable
    Process Funds
    Process Fixed Assets
    Analyze and Reconcile
    Process Benefits and Retiree Information
    Process Payroll
    Process Tax Compliance
    Process Product Costs
    Provide Financial and Management Reporting

• Specificity of activity-level objectives. For example, consider whether:

  - Objectives include measurement criteria.

• Adequacy of resources relative to objectives. For example, consider whether:

  - Management has identified the resources needed to achieve the objectives.

  - Plans exist for acquiring necessary resources (e.g., financing, personnel, facilities, technology).

• Identification of objectives that are important (critical success factors) to achievement of entity-wide objectives. For example, consider whether:

  - Management has identified what must go right, or where failure must be avoided, for entity-wide objectives to be achieved.

  - Capital spending and expense budgets are based on management's analysis of the relative importance of objectives.

  - The objectives serving as critical success factors provide a basis for particular management focus.

• Involvement of all levels of management in objective setting and extent to which they are committed to the objectives. For example, consider whether:

  - Managers participate in establishing activity objectives for which they are responsible.

  - Procedures exist to resolve disagreements.

  - Managers support the objectives, and do not have "hidden agendas."

Conclusions/Actions Needed

Risks

An entity's risk-assessment process should identify and consider the implications of relevant risks, at both the entity level and the activity level. The risk-assessment process should consider external and internal factors that could impact achievement of the objectives, should analyze the risks, and provide a basis for managing them.

• Adequacy of mechanisms to identify risks arising from external sources. For example, consider whether management considers risks related to:

  - Supply sources

  - Technology changes

  - Creditor's demands

  - Competitor's actions

  - Economic conditions

  - Political conditions

  - Regulation

  - Natural events

• Adequacy of mechanisms to identify risks arising from internal sources. For example, consider whether management considers risks related to:

  - Human resources, such as retention of key management personnel or changes in responsibilities that can affect the ability to function effectively.

  - Financing, such as availability of funds for new initiatives or continuation of key programs.

  - Labor relations, such as compensation and benefit programs to keep the entity competitive with others in the industry.

  - Information systems, such as the adequacy of back-up systems in the event of failure of systems that could significantly affect operations.

• Identification of significant risks for each significant activity-level objective. (Consider risks identified with respect to each of the activities identified under "activity-level objectives"; illustrative risks relative to common objectives are presented in the Reference Manual, pages 57 to 129.)

• Thoroughness and relevance of the risk analysis process, including estimating the significance of risks, assessing the likelihood of their occurring and determining needed actions. For example, consider whether:

  - Risks are analyzed through formal processes or informal day-to-day management activities.

  - The identified risks are relevant to the corresponding activity objective.

  - Appropriate levels of management are involved in analyzing the risks.

Conclusions/Actions Needed

Managing Change

Economic, industry and regulatory environments change and entities' activities evolve. Mechanisms are needed to identify and react to changing conditions.

• Existence of mechanisms to anticipate, identify and react to routine events or activities that affect achievement of entity or activity-level objectives (usually implemented by managers responsible for the activities that would be most affected by the changes). For example, consider whether:

  - Routine changes are addressed as part of the normal risk identification and analysis process, or through separate mechanisms.

  - Risks and opportunities related to the changes are addressed at sufficiently high levels in the organization so their full implications are identified and appropriate action plans formulated.

  - All activities within the entity significantly affected by the change are brought into the process.

• Existence of mechanisms to identify and react to changes that can have a more dramatic and pervasive effect on the entity, and may demand the attention of top management. For example, for each of the following areas of potential change, consider whether:

  - Changed operating environment:

    - Market research or other programs identify major shifts in customer demographics, preferences or spending patterns.

    - The entity is aware of significant shifts in the workforce, externally or internally, that could affect available skill levels.

    - Legal counsel periodically updates management on the implications of new legislation.

  - New personnel:

    - Special action is taken to ensure new personnel understand the entity's culture and perform accordingly.

    - Consideration is given to key control activities performed by personnel being moved.

  - New or redesigned information systems:

    - Mechanisms exist to assess the effects of new systems.

    - Procedures are in place to reconsider the appropriateness of existing control activities when new computer systems are developed and go "live."

    - Management knows whether systems development and implementation policies are adhered to despite pressures to "short-cut" the process.

    - Attention is given to the effect of new systems on information flows and related controls, and employee training, including focus on employee resistance to change.

  - Rapid growth:

    - Systems capability is upgraded to handle rapidly increasing volumes of information.

    - Workforce in operations, accounting and data processing is expanded as needed to keep pace with increased volume.

    - A process for revising budgets or forecasts exists.

    - A process exists for considering interdepartmental implications of revised unit objectives and plans.

  - New technology:

    - Information on technological developments is obtained through reporting services, consultants, seminars or perhaps joint ventures with companies in the forefront of research and development relevant to the entity.

    - New technologies, or applications, developed by competitors are monitored.

    - Mechanisms exist for taking advantage, and controlling the use, of new technology applications, incorporating them into production processes or information systems.

  - New lines, products, activities and acquisitions:

    - The ability exists to reasonably forecast operating and financial results.

    - The adequacy of existing information systems and control activities for the new line, product or activity is assessed.

    - Plans are developed for recruiting and training people with the requisite expertise to deal with new products or activities.

    - Procedures are in place to track early results, and to modify production and marketing as needed.

    - Financial reporting, legal and regulatory requirements are identified and complied with.

    - The effects on other company products, and on profitability, are monitored.

    - Overhead allocations are modified to reflect product contribution accurately.

  - Corporate restructuring:

    - Staff reassignments or reductions are analyzed for their potential effect on related operations.

    - Transferred or terminated employees' control responsibilities are reassigned.

    - Impact on morale of remaining employees, after major downsizing, is considered.

    - Safeguards exist to protect against disgruntled former employees.

  - Foreign operations:

    - Management keeps abreast of the political, regulatory, business and social culture of areas in which foreign operations exist.

    - Personnel are made aware of accepted customs and rules.

    - Alternative procedures exist in case activities of or communication mechanisms with foreign operations are interrupted.

Conclusions/Actions Needed

Component Summary-Conclusions/Actions Needed

Control Activities
(Word version: 5_Control Activities.doc)

Points of Focus Description Comments

Control activities encompass a wide range of policies and the related implementation procedures that help ensure that management's directives are effected. They help ensure that those actions identified as necessary to address risks to achieve the entity's objectives are carried out.

• Existence of appropriate policies and procedures necessary with respect to each of the entity's activities.

All relevant objectives and associated risks for each significant activity should have been identified in conjunction with evaluating Risk Assessment. Reference may be made to the Reference Manual (pages 57 to 129) which presents, for common business activities, illustrative objectives, risks, and "points of focus for actions/control activities." The listings in that latter column may be useful in identifying what actions management has directed to address the risks, and considering the appropriateness of control activities the entity applies to see that the actions are carried out. It should be recognized that points of focus for general controls (or general computer controls) are presented in the Reference Manual under the activity "Manage Information Technology."

• Identified control activities in place are being applied properly. For example, consider whether:

  - Controls described in policy manuals are actually applied and are applied the way that they're supposed to be.

  - Appropriate and timely action is taken on exceptions or information that requires follow-up.

  - Supervisory personnel review the functioning of controls.

Component Summary-Conclusions/Actions Needed

Information and Communication

(Word version: 6_Info and Comm.doc)

Points of Focus Description Comments

Information

Information is identified, captured, processed and reported by information systems. Relevant information includes industry, economic and regulatory information obtained from external sources, as well as internally generated information.

• Obtaining external and internal information, and providing management with necessary reports on the entity's performance relative to established objectives. For example, consider whether:

  - Mechanisms are in place to obtain relevant external information, on market conditions, competitors' programs, legislative or regulatory developments and economic changes.

  - Internally generated information critical to achievement of the entity's objectives, including that relative to critical success factors, is identified and regularly reported.

  - The information that managers need to carry out their responsibilities is reported to them.

• Providing information to the right people in sufficient detail and on time to enable them to carry out their responsibilities efficiently and effectively. For example, consider whether:

  - Managers receive analytical information that enables them to identify what action needs to be taken.

  - Information is provided at the right level of detail for different levels of management.

  - Information is summarized appropriately, providing pertinent information while permitting closer inspection of details as needed rather than just a "sea of data."

  - Information is available on a timely basis to allow effective monitoring of events and activities, internal and external, and prompt reaction to economic and business factors and control issues.

• Development or revision of information systems based on a strategic plan for information systems, linked to the entity's overall strategy, and responsive to achieving the entity-wide and activity-level objectives. For example, consider whether:

  - A mechanism (e.g., an information technology steering committee) is in place for identifying emerging information needs.

  - Information needs and priorities are determined by executives with sufficiently broad responsibilities.

  - A long-range information technology plan has been developed and linked with strategic initiatives.

• Management's support for the development of necessary information systems is demonstrated by the commitment of appropriate resources, human and financial. For example, consider whether:

  - Sufficient resources (managers, analysts, programmers with the requisite technical abilities) are provided as needed to develop new or enhanced information systems.

Conclusions/Actions Needed

Communication

Communication is inherent in information processing. Communication also takes place in a broader sense, dealing with expectations and responsibilities of individuals and groups. Effective communication must occur down, across and up an organization and with parties external to the organization.

• Effectiveness with which employees' duties and control responsibilities are communicated. For example, consider whether:

  - Communication vehicles, formal and informal training sessions, meetings and on-the-job supervision, are sufficient in effecting such communication.

  - Employees know the objectives of their own activity and how their duties contribute to achieving those objectives.

  - Employees understand how their duties affect, and are affected by, duties of other employees.

• Establishment of channels of communication for people to report suspected improprieties. For example, consider whether:

  - There's a way to communicate upstream through someone other than a direct superior, such as an ombudsman or corporate counsel.

  - Anonymity is permitted.

  - Employees actually use the communication channel.

  - Persons who report suspected improprieties are provided feedback, and have immunity from reprisals.

• Receptivity of management to employee suggestions of ways to enhance productivity, quality or other similar improvements. For example, consider whether:

  - Realistic mechanisms are in place for employees to provide recommendations for improvement.

  - Management acknowledges good employee suggestions by providing cash awards or other meaningful recognition.

• Adequacy of communication across the organization (for example, between procurement and production activities) and the completeness and timeliness of information and its sufficiency to enable people to discharge their responsibilities effectively. For example, consider whether:

  - Salespeople inform engineering, production and marketing of customer needs.

  - Accounts receivable personnel advise the credit approval function of slow payers.

  - Information on competitors' new products or warranties reaches engineering, marketing and sales personnel.

• Openness and effectiveness of channels with customers, suppliers and other external parties for communicating information on changing customer needs. For example, consider whether:

  - Feedback mechanisms with all pertinent parties exist.

  - Suggestions, complaints and other input are captured and communicated to relevant internal parties.

  - Information is reported upstream as necessary and follow-up action taken.

• Extent to which outside parties have been made aware of the entity's ethical standards. For example, consider whether:

  - Important communications to outside parties are delivered by management level commensurate with the nature and importance of the message (e.g., senior executive periodically explains in writing the entity's ethical standards to outside parties).

  - Suppliers, customers and others know the entity's standards and expectations regarding actions in dealing with the entity.

  - Such standards are reinforced in routine dealings with outside parties.

  - Improprieties by employees of external parties are reported to the appropriate personnel.

• Timely and appropriate follow-up action by management resulting from communications received from customers, vendors, regulators or other external parties. For example, consider whether:

  - Personnel are receptive to reported problems regarding products, services or other matters, and such reports are investigated and acted upon.

  - Errors in customer billings are corrected, and the source of the error is investigated and corrected.

  - Appropriate personnel, independent of those involved with the original transactions, process complaints.

  - Appropriate actions are taken and there is follow-up communication with the original sources.

  - Top management is aware of the nature and volume of complaints.

Conclusions/Actions Needed

Component Summary-Conclusions/Actions Needed

Monitoring
(Word version: 7_Monitoring.doc)

Points of Focus Description Comments

Ongoing Monitoring

Ongoing monitoring occurs in the ordinary course of operations, and includes regular management and supervisory activities, and other actions personnel take in performing their duties that assess the quality of internal control system performance.

• Extent to which personnel, in carrying out their regular activities, obtain evidence as to whether the system of internal control continues to function. For example, consider whether:

  - Operating management compares production, inventory, sales or other information obtained in the course of their daily activities to systems-generated information.

  - Integration or reconciliation of operating information used to manage operations with data generated by the financial reporting system.

  - Operating personnel are required to "sign off" on the accuracy of their units' financial statements, and are held responsible if errors are discovered.

• Extent to which communications from external parties corroborate internally generated information, or indicate problems. For example, consider whether:

  - Customers implicitly corroborate billing data by paying their invoices, or customer complaints about billings, indicating system deficiencies in the processing of sales transactions, are investigated for their underlying causes.

  - Communications from vendors and monthly statements of accounts payable are used as a control monitoring technique.

  - Suppliers' complaints of unfair practices by purchasing agents are fully investigated.

  - Regulators communicate information to the entity regarding compliance or other matters that reflect on the functioning of the internal control system.

  - Controls that should have prevented or detected the problems are reassessed.

• Periodic comparison of amounts recorded by the accounting system with physical assets. For example, consider whether:

  - Inventory levels are checked when goods are taken from inventory storage for shipment, and differences between recorded and actual amounts are corrected.

  - Securities held in trust are counted periodically and compared with existing records.

• Responsiveness to internal and external auditor recommendations on means to strengthen internal controls. For example, consider whether:

  - Executives with proper authority decide which of the auditors' recommendations will be implemented.

  - Desired actions are followed up to verify implementation.

• Extent to which training seminars, planning sessions and other meetings provide feedback to management on whether controls operate effectively. For example, consider whether:

  - Relevant issues and questions raised at training seminars are captured.

  - Employee suggestions are communicated upstream and acted on as appropriate.

• Whether personnel are asked periodically to state whether they understand and comply with the entity's code of conduct and regularly perform critical control activities. For example, consider whether:

  - Personnel are required periodically to acknowledge compliance with the code of conduct.

  - Signatures are required to evidence performance of critical control functions, such as reconciling specified amounts.

• Effectiveness of internal audit activities. For example, consider whether:

  - Their position within the organization is appropriate.

  - They have access to the board of directors or audit committee.

  - Their scope, responsibilities and audit plans are appropriate to the organization's needs.

Conclusions/Actions Needed

Separate Evaluations

It is useful to take a fresh look at the internal control system from time to time, focusing directly on system effectiveness. The scope and frequency of separate evaluations will depend primarily on an assessment of risks, and ongoing monitoring procedures.

• Scope and frequency of separate evaluations of the internal control system. For example, consider whether:

  - Appropriate portions of the internal control system are evaluated.

  - The evaluations are conducted by personnel with the requisite skills.

  - The scope, depth of coverage and frequency are adequate.

• Appropriateness of the evaluation process. For example, consider whether:

  - The evaluator gains a sufficient understanding of the entity's activities.

  - An understanding is obtained of how the system is supposed to work and how it actually does work.

  - An analysis is made, using the evaluation results as measured against established criteria.

• Whether the methodology for evaluating a system is logical and appropriate. For example, consider whether:

  - Such methodology includes checklists, questionnaires or other tools.

  - The evaluation team is brought together to plan the evaluation process and ensure a coordinated effort.

  - The evaluation process is managed by an executive with requisite authority.

• Appropriateness of the level of documentation. For example, consider whether:

  - Policy manuals, organization charts, operating instructions and the like are available.

  - Consideration is given to documenting the evaluation process.

Conclusions/Actions Needed

Reporting Deficiencies

Internal control deficiencies should be reported upstream with certain matters reported to top management and the board.

• Existence of mechanism for capturing and reporting identified internal control deficiencies. For example, consider whether means exist for obtaining reports on deficiencies:

  - From both internal sources and external sources (e.g., customers, suppliers, auditors, regulators).

  - Resulting from ongoing monitoring or separate evaluations.

• Appropriateness of reporting protocols. For example, consider whether:

  - Deficiencies are reported to the person directly responsible for the activity and to a person at least one level higher.

  - Specified types of deficiencies are reported to more senior management and to the board.

• Appropriateness of follow-up actions. For example, consider whether:

  - The transaction or event identified is corrected.

  - The underlying causes of the problem are investigated.

Component Summary-Conclusions/Actions Needed

Risk Assessment and Control Activities Worksheet

(Word version: 8_Activities Worksheet.doc)

Risk Analysis

Worksheet columns: Objectives | O,F,C | Risk Factors | Likelihood | Control Activities/Comments | Objectives Affected | Evaluation and Conclusion
Overall Internal Control System Evaluation
(Word version: 9_System Evaluation.doc)

Columns: Internal Control Components | Preliminary Conclusions/Actions Needed (see individual evaluation tools) | Additional Considerations

Control Environment—Does
management adequately convey the
message that integrity cannot be
compromised? Does a positive
control environment exist, whereby
there is an attitude of control
consciousness throughout the
organization, and a positive "tone at
the top"? Is the competence of the
entity's people commensurate with
their responsibilities? Are
management's operating style, the
way it assigns authority and
responsibility and organizes and
develops its people appropriate?
Does the board provide the right
level of attention?

Risk Assessment—Are entity-wide objectives and supporting activity-level objectives established and linked? Are the internal and external risks that influence the success or failure of the achievement of the objectives identified and assessed? Are mechanisms in place to identify changes affecting the entity's ability to achieve its objectives? Are policies and procedures modified as needed?

Control Activities—Are control activities in place to ensure adherence to established policy and the carrying out of actions to address the related risks? Are there appropriate control activities for each of the entity's activities?

Information and Communication—Are information systems in place to identify and capture pertinent information, financial and nonfinancial, relating to external and internal events, and bring it to personnel in a form that enables them to carry out their responsibilities? Does communication of relevant information take place? Is it clear with respect to expectations and responsibilities of individuals and groups, and reporting of results? And does communication occur down, across and upward in the entity, as well as between the entity and other parties?

Monitoring—Are appropriate procedures in place to monitor on an ongoing basis, or to periodically evaluate the functioning of the other components of internal control? Are deficiencies reported to the right people? Are policies and procedures modified as needed?

Overall Conclusion

Reference Manual
This Reference Manual is designed to assist an evaluator in completing the "Risk Assessment and Control
Activities Worksheet" (pages 42 and 43 of the Blank Tools).

The Reference Manual, starting on page 57, presents, for common business activities, illustrative objectives,
risks and "points of focus for actions/control activities." The listings in this last column may be useful in
identifying actions addressing the risks, and related control activities that help ensure the actions are carried out.
This last column also includes performance indicators that may be particularly useful in effecting control. The
second, "O, F, C" column indicates the category into which the objectives fall (O—operations, F—financial
reporting, and C—compliance). These categorizations are not precise, and may vary with circumstances.

The manual does not purport to list every activity-level objective, risk or point of focus. It may, however, be
helpful in identifying relevant items.

Generic Business Model

The activities covered in the Reference Manual are based on a generic model of a business enterprise (pages
52 to 55). The generic business model depicts major activities, and is organized in levels, from a high level view
of an enterprise to increasingly more detailed views.

Exhibit 1, the context level, is the highest level. At this level, the model depicts the interactions of an enterprise
with external parties:

• Vendors and candidates for employment provide resources used to bring goods and services to market.
• A number of other external parties influence the enterprise, including other sources of consumption, public bodies, collaborators, investors and competitors.

Exhibit 2, the activity level, depicts major activities within the enterprise, comprising five basic value chain
activities, supported by four infrastructure activities. Each activity receives, performs operations on and transmits
goods, services or information. Between vendors and buyers, value chain activities include (page references are
to the location in which these activities are addressed in the Reference Manual):

Page

Inbound Activities 57-61

Operations 62-65

Outbound Activities 66-70

Marketing and Sales 71-74

Service 75-77

Infrastructure activities—supporting the value chain activities—include:

Page

Administration (this activity is broken down into its subactivities in Exhibit 3)

Human Resources 85-88

Technology Development 83-84

Procurement 78-82

Exhibit 3 focuses on the administration activity, depicting its subactivities. These are:

Page

Manage Finance (this activity is broken down further into Control, Treasury, Tax and Audit; the Control unit is depicted in further detail in Exhibit 4)

Manage the Enterprise 89-90

Manage External Relations 91

Provide Administrative Services 92

Manage Information Technology 93-98

Manage Risks (of accident or other insurable loss) 99-100

Manage Legal Affairs 101-102

Plan 103-104

Exhibit 4 depicts the various administration controllership subactivities:

Page

Process Accounts Payable 105-106

Process Accounts Receivable 107-108

Process Funds 109-114

Process Fixed Assets 115-116

Analyze and Reconcile 117

Process Benefits and Retiree Information 118-119

Process Payroll 120-122

Process Tax Compliance 123-124

Process Product Costs 125-127

Provide Financial and Management Reporting 128-129

The generic business model serves two purposes. As noted, it provides a structure for the Reference Manual.
The activities, transactions and information flows depicted in the model form the basis for the manual.

The generic business model can also be used as a starting point for an evaluator to understand an entity's activities and their relationships to one another and to outside parties, and the information that is generated and used to help control those activities. When used in this way, the generic business model should be tailored to fit the entity being evaluated. It should be modified or augmented with additional information particular to the entity, such as systems flowcharts, to better understand the entity's activities and information flows. This understanding can, in turn, facilitate an analysis of the risks associated with each activity, and can help to identify points in the system where control should be effected. Those risks, and the entity's related control activities, can be used to help management complete the "Risk Assessment and Control Activities Worksheet."

Exhibit 1 - Generic Business Model: Context Level (figure not reproduced in this extract)

Exhibit 2 - Generic Business Model: Activity Level (figure not reproduced in this extract)

Exhibit 3 - Generic Business Model: Administration Activities (figure not reproduced in this extract)

Exhibit 4 - Generic Business Model: Administration Activities, controllership subactivities (figure not reproduced in this extract)
Reference Manual

Activity: INBOUND

Each table in the Reference Manual has four columns: Objectives; the category of objective served (O = operations, F = financial reporting, C = compliance); Risks; and Points of Focus for Actions/Control Activities. They are laid out below as one entry per objective, with the category in brackets, each identified risk on a "Risk:" line and the related points of focus listed beneath it.

Manage Logistics

1. Ensure that materials received and related information are processed and promptly made available to production, stores or other departments [O,F]
   Risk: Plans and schedules are not communicated to inbound activities, or do not clearly identify when or where materials are needed
   - Specify on plans and schedules what materials are needed, and when they are needed
   - Communicate all plans and schedules to inbound activities
   - Summarize material requirements and submit them to receiving periodically
   - Maintain material routing procedures for received items
   - Provide inbound activities with nonroutine material routing instructions
   - Monitor production problems related to unavailable materials and parts (performance indicator)
   - Consider implementing Just-in-Time or a similar inventory and production management philosophy
   Risk: Information on materials received is not entered into the information system accurately or on a timely basis
   - Maintain procedures for promptly updating inventory records
   - Match dates on receiving information and inventory information and follow up as appropriate
   - Periodically verify that prenumbered receiving documents have been entered in the information system

2. Ensure purchase orders not filled on a timely basis are investigated [O]
   Risk: Purchase orders are lost or not forwarded to inbound activities
   - Purchase orders are prenumbered and missing documents are investigated
   Risk: Due date information is not available
   - Maintain open purchase order information in a manner that facilitates identification of purchase orders remaining unfilled past the due date

3. Completely and accurately document goods received and goods returned [O,F]
   Risk: Lost receiving reports or lost shipping records
   - Prenumber documents and investigate missing documents

Receive

4. Accept only items that were properly ordered [O]
   Risk: Purchase order information is not made available to inbound activities
   - Compare materials received, including verification of quantities received, to properly approved purchase orders. Do not accept materials not properly ordered
   - Monitor instances of invoices presented for payment when materials were accepted without a valid purchase order (performance indicator)

5. Accept only materials that meet purchase order specifications [O]
   Risk: Purchase order specifications are unclear
   - Maintain current lists of specifications to be used in inspecting and testing goods
   - Verify specifications with purchasing or other appropriate personnel
   - Monitor production problems related to substandard materials (performance indicator)
   Risk: Materials are not tested for specification compliance
   - Establish testing procedures, as appropriate, for all materials ordered
   - Monitor production problems related to substandard materials and parts (performance indicator)

6. Ensure that all materials transferred from the receiving activity to other activities are recorded [O,F]
   Risk: Transfer procedures do not require preparation of supporting documentation
   - Require appropriate documentation of materials transferred from receiving to other business activities
   Risk: Transfer documentation may be lost
   - Prenumber documents and investigate missing documents
   - Periodically count materials on hand and reconcile with perpetual records; investigate any differences (performance indicator)

7. Safeguard goods received [O,F]
   Risk: Inadequate physical security over goods received
   - Maintain physical security over goods received
   - Segregate custodial and record-keeping functions

8. Ensure that vendor, inventory and purchase order information is accurately updated to reflect receipts [O,F]
   Risk: Receiving information may be lost
   - Prenumber receiving documents and investigate missing documents
   - Periodically identify and investigate open purchase orders
   - Periodically count inventory and reconcile with perpetual inventory records; investigate differences (performance indicator)
   Risk: Receiving information may be entered inaccurately in the information system, or may not be timely
   - Periodically verify accuracy of vendor, inventory and open purchase order information
   - Periodically ensure information is being entered into the information system on a timely basis

9. Return rejected items promptly [O]
   Risk: Inadequate or untimely inspection of items received
   - Maintain appropriate procedures for inspecting items received

10. Completely and accurately document all transfers to and from storage [O,F]
   Risk: Incomplete or inaccurate information regarding materials transferred to/from storage
   - Transfer documentation accompanies all transfers; stores or other activities' personnel verify materials and quantities received
   Risk: Transfer documents may be lost
   - Prenumber transfer documents and investigate missing documents
   - Periodically count materials and reconcile with perpetual records; investigate differences (performance indicator)

11. Appropriately requisition all goods to be transferred to operations [O,F]
   Risk: Inadequate transfer or requisition procedures
   - Transfer materials only on the basis of a properly approved requisition

12. Properly transfer all materials requisitioned [O,F,C]
   Risk: Requisitions may be lost
   - Prenumber requisitions and investigate missing documents
   Risk: Materials not requisitioned are transferred
   - Verify that material received complies with approved requisition

13. Maintain safe working conditions and storage of hazardous materials [C]
   Risk: Inadequate safety considerations
   - Maintain relevant policies consistent with Occupational Safety and Health Administration (OSHA) and other pertinent laws and regulations, approved by technical and legal personnel, and monitor compliance
   - Follow up on reported safety concerns
   - Maintain appropriate procedures for handling and storing hazardous materials
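Several of the points of focus in the INBOUND table are, once the receiving and purchase order records live in an information system, mechanical checks over those records: objective 1 (verify that prenumbered receiving documents have been entered), objective 2 (identify purchase orders still unfilled), objective 4 (compare materials and quantities received to properly approved purchase orders) and objective 8 (keep open purchase order information accurate). The following is an added example of how an evaluator might script those checks; it is not part of the COSO Reference Manual, and the record layouts, field names, purchase order numbers and sample rows are constructed for illustration.

```python
"""Completeness and validity checks over prenumbered receiving reports.

Added example, not COSO material. Record layouts, field names and the
sample data below are assumptions made for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class PurchaseOrder:
    po_number: str
    vendor: str
    item: str
    quantity: int
    approved: bool      # "properly approved purchase order"


@dataclass(frozen=True)
class ReceivingReport:
    report_number: int  # prenumbered: issued from a sequential block
    po_number: str
    vendor: str
    item: str
    quantity: int


def missing_report_numbers(reports, first_issued, last_issued):
    """Completeness: numbers issued to the receiving dock but never entered.

    Each gap is a document to investigate (lost, unrecorded or destroyed)."""
    entered = {r.report_number for r in reports}
    return [n for n in range(first_issued, last_issued + 1) if n not in entered]


def match_receipts_to_orders(reports, orders):
    """Validity and accuracy: each receipt must cite an approved PO for the
    same vendor and item, and cumulative receipts must not exceed the
    quantity ordered. Returns {report_number: finding}."""
    by_po = {po.po_number: po for po in orders}
    received_so_far = {}
    findings = {}
    for r in sorted(reports, key=lambda x: x.report_number):
        po = by_po.get(r.po_number)
        if po is None:
            findings[r.report_number] = "NO_PURCHASE_ORDER"
            continue
        if not po.approved:
            findings[r.report_number] = "PO_NOT_APPROVED"
            continue
        if (po.vendor, po.item) != (r.vendor, r.item):
            findings[r.report_number] = "VENDOR_OR_ITEM_MISMATCH"
            continue
        received_so_far[po.po_number] = received_so_far.get(po.po_number, 0) + r.quantity
        over = received_so_far[po.po_number] > po.quantity
        findings[r.report_number] = "OVER_RECEIPT" if over else "OK"
    return findings


def open_purchase_orders(reports, orders):
    """Approved POs not yet filled, with the quantity still outstanding.
    Only receipts citing the PO for the same vendor and item count."""
    by_po = {po.po_number: po for po in orders}
    received = {}
    for r in reports:
        po = by_po.get(r.po_number)
        if po and (po.vendor, po.item) == (r.vendor, r.item):
            received[po.po_number] = received.get(po.po_number, 0) + r.quantity
    return {
        po.po_number: po.quantity - received.get(po.po_number, 0)
        for po in orders
        if po.approved and received.get(po.po_number, 0) < po.quantity
    }


# Constructed sample data: one approved PO filled in two receipts (the second
# over-receives), one approved PO with a mismatched receipt, one unapproved PO,
# one receipt with no PO at all, and report number 7003 never entered.
SAMPLE_ORDERS = [
    PurchaseOrder("PO-1001", "Acme Steel", "bar stock", 100, True),
    PurchaseOrder("PO-1002", "Acme Steel", "sheet", 40, True),
    PurchaseOrder("PO-1003", "Globex", "fasteners", 500, False),
]
SAMPLE_REPORTS = [
    ReceivingReport(7001, "PO-1001", "Acme Steel", "bar stock", 60),
    ReceivingReport(7002, "PO-1001", "Acme Steel", "bar stock", 50),
    ReceivingReport(7004, "PO-1003", "Globex", "fasteners", 500),
    ReceivingReport(7005, "PO-9999", "Globex", "fasteners", 20),
    ReceivingReport(7006, "PO-1002", "Acme Steel", "bar stock", 40),
]


def run_inbound_checks(reports=SAMPLE_REPORTS, orders=SAMPLE_ORDERS,
                       issued=(7001, 7006)):
    """Run all three checks; `issued` is the block of report numbers handed out."""
    return {
        "missing_reports": missing_report_numbers(reports, *issued),
        "receipt_findings": match_receipts_to_orders(reports, orders),
        "open_orders": open_purchase_orders(reports, orders),
    }


if __name__ == "__main__":
    for name, result in run_inbound_checks().items():
        print(name, result)
```

Every gap in the report sequence and every finding other than OK is an item to investigate, which is what the table's "investigate missing documents" and "do not accept materials not properly ordered" points of focus call for; the open-order list serves objective 2 of this table and objective 8 of Procurement. On real data the two inputs would be read from the entity's purchase order and receiving files rather than constructed in the script.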

Activity: OPERATIONS

Objectives [O,F,C], risks and points of focus for actions/control activities

Manage and Schedule Operations

1. Schedule operations to minimize inventory and to ensure sufficient availability of completed products in a timely manner [O]
   Risk: Poor communication with marketing regarding sales forecasts
   - Use standard documents to prepare and communicate sales forecasts
   - Ensure that production personnel receive all sales forecasts
   - Compare production schedules to sales forecasts to ensure scheduled timing and production quantities are appropriate
   Risk: Several products compete for concurrent production
   - Determine production priorities based on established criteria or management judgment
   - Evaluate adequacy of production capacity
   - Approve all production schedules
   Risk: Insufficient or excess raw materials due to poor communication with procurement, or inaccurate or untimely material requirement forecasts
   - Use formalized communication channels to inform procurement of material requirements, including quantities and dates materials are required
   - Compare material requirement forecasts with production schedule and product bills of materials; consider effect of lead times required to obtain materials
   - Establish and adhere to accurate and realistic production schedules
   - Consider the costs/benefits of establishing a Just-in-Time system, or similar production and inventory management philosophy
   - Monitor instances of insufficient or excessive raw materials inventory (performance indicator)

2. Minimize production downtime [O]
   Risk: Poorly maintained, misused or obsolete equipment
   - Maintain equipment in accordance with an established preventive maintenance program
   - Periodically evaluate production equipment in light of repairs and maintenance cost, capacity, breakdowns, obsolescence and other factors. Consider the costs/benefits of acquiring new equipment
   - Train employees in the proper use of equipment
   - Monitor instances of production downtime due to equipment failure (performance indicator)
   Risk: Inadequate skilled labor
   - Train existing employees to perform various tasks
   Risk: Natural or other disasters
   - Maintain and update contingency and natural disaster plans
   - Periodically test such plans

Perform Operations

3. Produce product in appropriate quantities and in accordance with specifications and production schedules [O]
   Risk: Quantities to be produced are not communicated clearly
   - Use standardized documents to prepare and communicate production plans and directives
   Risk: Inappropriate or unclear specifications
   - Use standardized documents to communicate product specifications
   Risk: Excessive work steps/operations
   - Consider methods to simplify production, such as implementation of Just-in-Time principles

4. Comply with Occupational Safety and Health Administration (OSHA) laws and regulations [O,C]
   Risk: Pressure to meet production deadlines
   - Upper management supports, in statements and actions, safety considerations
   - Enforce disciplinary action on employees who violate safety procedures
   - Monitor safety violations (performance indicator)
   Risk: Lack of awareness of laws and regulations
   - Conduct periodic training sessions
   - Post laws, regulations and company policy in conspicuous locations

Assure Quality

5. Product is produced in accordance with quality control standards [O]
   Risk: Production processes do not include procedures designed to ensure quality production
   - Integrate quality assurance procedures into production processes
   - Standardize production processes to the extent practicable
   Risk: Product is difficult to produce
   - Design product with appropriate consideration given to potential production difficulties
   Risk: Inadequate product testing
   - Test sufficient quantities of each production run to ensure compliance with quality control standards
   - Monitor defect rates (performance indicator)
   Risk: Quality problems are not discovered or appropriately reported during the production process
   - Test products using personnel independent of production processes
   - Monitor customer quality-related returns and complaints (performance indicator)

Activity: OUTBOUND

Objectives [O,F,C], risks and points of focus for actions/control activities

Process Orders

1. Process orders only for customers who are authorized for credit [O]
   Risk: Incomplete, untimely or inaccurate credit information
   - Credit authorization systems that provide accurate and timely customer information regarding approved credit limits, current balances due, age of receivable balance and other pertinent information

2. Process orders accurately and expeditiously [O]
   Risk: Inaccurate or untimely pricing and inventory information
   - Use current pricing and inventory information
   Risk: Untimely processing of order information
   - Prenumber order forms and periodically follow up on those not processed in a reasonable time frame
   Risk: Customer order information may be unclear, inaccurate or incomplete
   - Verify customer order information with appropriate marketing/sales personnel; contact customer if necessary

3. Process only valid customer orders [O,F]
   Risk: Customer orders may not be authorized
   - Verify that appropriate marketing/sales personnel approved the customer order

4. Process all approved orders [O]
   Risk: Order documentation is lost
   - Prenumber order forms; investigate missing documents

Store Product

5. Protect products from damage [O]
   Risk: Employee carelessness
   - Monitor damage caused by employee carelessness (performance indicator)
   Risk: Handling and storage procedures, including storage containers, facilities and maintenance, are inappropriate for the nature of the products
   - Store products in containers and facilities designed with consideration for product features and legal and regulatory requirements
   - Create appropriate maintenance procedures and schedules for the nature of the storage facility
   Risk: Employees are not familiar with handling and storage requirements or procedures
   - Communicate handling and storage policies and procedures clearly to stores employees
   - Monitor compliance with handling and storage policies and procedures (performance indicator)

6. Store products to facilitate timely order processing [O]
   Risk: Improper organization of storage facility
   - Design and maintain efficient warehouse layout to facilitate order fulfillment
   Risk: Insufficient storage capacity
   - Minimize product inventory while enabling timely order fulfillment
   - Identify the appropriate number and location of warehouses

7. Materials are handled and stored in compliance with applicable laws and regulations [C]
   Risk: Employees may not be aware of applicable laws and regulations
   - Legal counsel, or other qualified personnel, provide information regarding applicable laws and regulations
   - Periodic training regarding legal and regulatory requirements
   Risk: Inappropriate handling and storage policies and procedures
   - Review of handling and storage procedures by legal counsel or other qualified personnel
   - Monitor accidents or problems due to inappropriate handling or storage policies or procedures (performance indicator)

8. Maintain complete and accurate records of product stored and available for shipment [O,F]
   Risk: Product moved into or out of storage may not be documented or recorded
   - Product transfer documents are required for movements of product into or out of storage. Such documents are prenumbered, and missing documents are investigated
   Risk: Product may be moved into or out of storage without proper authorization
   - Physical security measures to prevent unauthorized addition to or removal of product from storage
   - Periodically count product in storage and reconcile to perpetual records. Investigate differences between physical count and accounting records

Ship Product

9. Obtain proper products and quantities from storage [O]
   Risk: Improper products or improper quantities are retrieved from storage
   - Compare products and quantities retrieved from storage with the customer order and/or product requisition
   Risk: Product is unavailable in sufficient quantity
   - Maintain perpetual product inventory records. Notify operations or other appropriate personnel when inventory drops below a predetermined level

10. Ensure product is packed properly to minimize damage [O]
   Risk: Packing materials, containers or procedures are inappropriate for the nature of the product or method of shipment
   - Use packing materials, containers or procedures that were designed giving consideration to the nature of the product and method of shipment

11. Ship only those products that are authorized for shipment [O]
   Risk: Incomplete or inaccurate information from order processing
   - Compare documents authorizing product shipment with customer order
   - Compare products to customer order prior to shipment
   - Monitor customer returns or billing disputes relating to products delivered but not ordered (performance indicator)

12. Deliver products in the most efficient manner [O]
   Risk: Disruption of normal shipping channels
   - Identify alternative shipping arrangements
   Risk: Inaccurate or incomplete shipping documents
   - Review shipping documents for completeness and compare to customer order for accuracy before shipment
   Risk: Use of inefficient shipping methods
   - Periodically review shipping alternatives and identify the most efficient alternative

13. All shipments are accurately documented, and such documentation is forwarded to accounts receivable on a timely basis [O,F]
   Risk: Incorrect information is entered on shipping documentation
   - Compare shipping document information with customer order information before shipment
   - Independent verification of shipping document information before shipment
   Risk: Shipping documents are lost
   - Prenumber shipping documents and investigate missing documents

14. Ensure timely shipment of customer orders [O]
   Risk: Order or shipping documentation may be lost
   - Prenumber order and shipping documents; investigate missing documents

Activity: MARKETING AND SALES

Objectives [O,F,C], risks and points of focus for actions/control activities

Manage Marketing Activities

1. Design marketing strategies giving consideration to competitive, regulatory, business environment or other factors that may influence the entity's marketing activities, and potential changes in those factors [O,C]
   Risk: Inadequate information regarding factors that may influence the entity's marketing strategy
   - Retain marketing personnel experienced in the entity's industry
   - Promote active membership in industry, trade or professional associations
   - Monitor legal and regulatory initiatives that may affect the entity
   - Conduct market research, and monitor and analyze economic, customer and industry trends

2. Identify potential and existing customers, and develop marketing strategies to influence those parties to purchase the entity's products or services [O]
   Risk: Inaccurate, untimely or unavailable information regarding pricing, products, actual or potential customers, advertising and promotion
   - Conduct market research
   - Evaluate pricing strategies vis-a-vis competitors' products and pricing
   - Evaluate the effectiveness of advertising and promotion (performance indicator)
   - Communication of product capabilities, enhancements or new products from technology development personnel

3. Maintain delivery capabilities for delivery of products to customers on a timely basis at the least distribution cost [O]
   Risk: Limited number of appropriate distributors
   - Identify and evaluate alternative distribution arrangements
   Risk: Poor performance of distributors
   - Communicate appropriate customer information to distributors to ensure timely delivery
   - Monitor distributors' performance in the context of the entity's overall marketing strategy

4. Address market needs for product, including introduction of new products, and continuance, changes to or discontinuance of existing products [O]
   Risk: Lack of or inaccurate information regarding competitive products or potential new products
   - Conduct market research, including existence of competitive products, products under development and customer preferences
   - Promote active membership in industry, trade or professional associations
   Risk: Products become obsolete
   - Conduct market research, focusing on competitors' technical innovations and customers' acceptance of or preference for such innovations
   Risk: Lack of product demand
   - Monitor the trend of product sales by the entity and the industry
   - Evaluate advertising and promotion effectiveness
   - Conduct market research
   Risk: Lack of information regarding profit margins and/or sales prices
   - Communicate information needs to accounting, management information systems and other appropriate personnel
   - Monitor profit margins and sales prices for signs of competitive price pressures

Manage Sales Activities

5. Implement marketing strategies effectively [O]
   Risk: Sales personnel are unaware of marketing strategies
   - Communicate marketing strategies to sales personnel
   Risk: Sales personnel disregard marketing strategies
   - Establish sales quotas, commissions and other compensation, or other performance criteria in such a manner that failure to implement marketing strategies results in substandard performance evaluations and compensation, and positive implementation of strategies results in increased compensation and recognition

6. Meet or exceed sales targets in an efficient manner [O]
   Risk: Sales personnel are unaware of potential customers
   - Communication of market research results from marketing to sales personnel
   Risk: Salespeople lack knowledge about product features or benefits
   - Provide product awareness training
   - Retain qualified and experienced sales staff
   Risk: Incomplete or inaccurate customer information
   - Maintain a customer information system, including name, address, phone number, contact, size, locations, history of previous orders, plans to expand or change the business, or other information that could be useful in marketing the entity's products or services
   - Periodically verify the accuracy of customer information
   Risk: Salespeople perform poorly
   - Retain qualified and experienced salespeople
   - Organize salesforce and align territories in the most efficient manner

7. Forward all sales orders to outbound activities and service in a timely manner [O]
   Risk: Sales orders are lost
   - Prenumber sales orders and investigate missing documents
Activity: SERVICE

Objectives [O,F,C], risks and points of focus for actions/control activities

Provide Customer Service

1. Handle customer inquiries expeditiously and efficiently [O]
   Risk: Inadequate information systems
   - Maintain accurate and timely product and customer information
   Risk: Untrained staff
   - Provide staff with initial and periodic product and customer service training
   - Customer service representatives present a favorable image to customers and are knowledgeable about products
   Risk: Poor organization of customer service department
   - Organize customer service department in the most efficient manner (e.g., along product lines, geographical lines, etc.)

2. Satisfy customer service needs so as to further sales and marketing objectives [O]
   Risk: Lack of awareness of sales and marketing objectives
   - Customer service representatives understand the objectives common to marketing, sales and customer service

Install

3. Make authorized installations correctly, efficiently and on a timely basis [O]
   Risk: Untrained staff
   - Provide installers with initial and periodic training regarding installation techniques and product features
   - Monitor customer complaints regarding product installation (performance indicator)
   Risk: Product unavailability
   - Coordinate scheduled installations with operations' production schedule and shipping's delivery schedule
   Risk: Inaccurate or unavailable customer information
   - Compare installation authorization documents with customer orders to verify information accuracy, and review such documents for completeness
   - Prenumber installation authorization documents and investigate missing documents
   Risk: Unavailability of service personnel
   - Schedule installations and staff utilization to minimize costs

Provide Warranty Service

4. Warranty policies are consistent with marketing and financial strategies [O]
   Risk: Inaccurate market information
   - Make certain that market information developed by marketing is considered when establishing warranties

5. Investigate and respond to requests for service on a timely basis and in accordance with warranties [O]
   Risk: Insufficient staff
   - Forecast staffing level requirements
   - Monitor adequacy of staffing, overtime and workloads
   Risk: Uncommunicated changes in warranty policies
   - Communicate changes in product warranty policies to appropriate personnel

Provide Post-Warranty Service

6. Customer service representatives use up-to-date pricing and other product information [O]
   Risk: Unavailable or inaccurate information
   - Update pricing information on order processing systems on a daily basis
   - Provide customer representatives access to order processing systems

7. Investigate and respond to requests for services in the most efficient manner and on a timely basis [O]
   Risk: Insufficient number of customer service representatives or service personnel
   - Maintain proper staffing levels and organize the customer service department in the most efficient manner
   Risk: Improperly trained service personnel
   - Properly train staff

Activity: PROCUREMENT

Objectives [O,F,C], risks and points of focus for actions/control activities

Select Vendor

1. Identify and purchase from vendors capable of meeting the entity's needs [O]
   Risk: Inadequate vendor screening, including periodic requalification of existing vendors, relating to vendors' abilities to meet: technical specifications; quantity requirements; price; delivery dates/lead time; service
   - Investigate and periodically update vendor capabilities regarding production quality and capacity, price (including volume or cash discounts and payment terms), order lead-time requirements, current and former customer satisfaction, financial condition, management stability, possible legal restrictions on providing the materials required and pending litigation
   - Periodically update vendor information based on vendor performance in meeting terms and specifications of contracts or purchase orders (e.g., timely delivery of acceptable items, correction of errors or problems, and service)
   - Appropriate review of purchase orders
   - Monitor production problems related to out-of-stock materials and to material specifications (performance indicator)
   - Monitor frequency of returned purchases (performance indicator)
   - Develop data on alternative vendors and periodically reevaluate vendor selection decisions
   - Specify procedures for notification by vendors of potential performance problems and for appropriate investigation and follow-through

2. Purchase items only from legally qualified vendors and in conformity with applicable laws, regulations and contracts [O,C]
   Risk: Unavailable or inaccurate information about fraudulent acts or other improper activities of vendors
   - Maintain updated vendor information
   - Review and approve purchase orders
   - Institute and monitor a code of conduct
   - Consider ways to simplify vendor investigation procedures

3. Ensure adequate supply of materials [O]
   Risk: Poor communication of operations' or other activities' needs
   - Timely communication to procurement of operations' or other activities' needs
   Risk: Vendors' inability to provide needed quantities due to other higher-priority orders or an interruption in their own supplies
   - Utilize forward contracts
   - Identify alternate vendors
   - Utilize long-term needs analysis

Purchase

4. Order items that meet appropriate specifications [O]
   Risk: Inappropriate production specifications
   - Review of existing and revised specifications by technical personnel
   - Monitor and analyze production problems related to material specifications (performance indicator); examples of performance indicators include comparing current-period data on production stoppages and slowdowns, rush orders, spoilage, and material price and quantity variances to prior-period data, peer or industry data, budgets, or other pre-established goals
   - Communicate production specifications to procurement personnel
   - Appropriate review and approval of contracts and purchase orders

5. Pay appropriate prices [O]
   Risk: Out-of-date or incomplete price information
   - Obtain competitive bids for each acquisition periodically
   - Consider volume purchases by determining total usage of similar materials; combine orders to obtain volume discounts
   - Appropriate review of purchase orders
   - Monitor material price variances (performance indicator)
   - Use hedging or forward contracts

6. Order appropriate quantities at appropriate times [O]
   Risk: Unavailable or inaccurate information on inventory levels or production needs
   - Maintain accurate perpetual inventory records
   - Match periodic production schedules to inventory information and order lead-time requirements
   - Appropriate review of purchase orders
   - Use forecasts
   - Consider implementing Just-in-Time or a similar inventory and production management philosophy

7. Update vendor information completely and accurately to reflect open purchase orders [O]
   Risk: Information on issued purchase orders is not clearly or completely communicated
   - Route copies of purchase orders to appropriate personnel
   Risk: Purchase orders are not entered into the system on a timely basis
   - Prenumber purchase orders and periodically verify their entry into the system. Investigate unusual time delays in entering data

8. Receive items ordered on a timely basis (see also objective no. 2 of Inbound activities) [O]
   Risk: Unavailable or inaccurate information on items ordered but not received
   - Specify shipment mode and delivery date on purchase orders
   - Prenumber and account for purchase orders
   - Match receiving information with purchase order information and promptly follow through on outstanding orders
   - Monitor vendor performance in terms of timely delivery; follow up in cases of poorly performing vendors

9. Record authorized purchase orders completely and accurately [O,F]
   Risk: Purchase orders may be lost
   - Prenumber and account for purchase orders

10. Prevent unauthorized use of purchase orders [O,F]
   Risk: Inadequate policies and procedures to prevent unauthorized use
   - Prenumber and account for purchase orders
   - Maintain physical security of purchase orders
   - Approve purchase orders
   - Notify vendors of the company personnel authorized to issue purchase orders

Activity: TECHNOLOGY DEVELOPMENT

Objectives [O,F,C], risks and points of focus for actions/control activities

1. Identify existing technology or develop new technology to satisfy product needs as identified by marketing, or operating or management process needs as identified by other activities [O]
   Risk: Product or process needs are not effectively communicated to Technology Development
   - Clear communication of needs and opportunities to Technology Development
   - Identify needs by appropriate Technology Development activities
   Risk: Technology Development personnel do not have the technical ability to identify or develop appropriate technology
   - Retain personnel who are adequately qualified to fulfill their responsibilities

2. Maintain a high level of knowledge regarding current technological developments that may affect the entity [O,C]
   Risk: Management does not have access to information relating to current technological developments
   - Monitor business, technical and industry literature
   - Attend technical seminars, conferences, trade meetings, expositions and similar meetings
   - Periodically summarize technological developments and distribute to appropriate personnel
   Risk: Technology Development personnel may acquire or have knowledge that would be useful in a development program other than that with which they are associated
   - Regularly communicate information, including nature of the program, status, manager, anticipated use of technology and any other pertinent information regarding ongoing or planned research or development programs

3. Ensure that developed technology does not violate existing patents [C]
   Risk: Technology may not be adequately defined
   - Detailed technology specifications, plans, drawings, schematics or other technical data are created, to the extent possible, in the concept or early stages of development, and are modified as necessary throughout the project
   Risk: Relevant patents may not be identified
   - Communicate technical data to legal counsel for use when conducting patent searches
   Risk: Existing patents may be disregarded
   - Appropriate management review and approval of all technology projects

4. Commit resources to those projects anticipated to have the greatest expected return for the entity [O]
   Risk: Technology development projects do not support entity-wide objectives or strategies
   - Appropriate technology project review and approval
   Risk: Technology development management are unaware of project priorities
   - Clear and complete communication from management regarding priorities

Activity: HUMAN RESOURCES

Objectives | O,F,C | Risks | Points of Focus for Actions/Control Activities

Manage Human Resource Programs

1. Comply with applicable laws, regulations and company policies  [C]
   Risk: Management or supervisory personnel are unaware of legal and regulatory requirements and company policies
     - Require supervisory and management personnel to attend training on labor laws and regulations and company personnel policies
   Risk: Management or supervisory personnel ignore legal and regulatory requirements or company policies
     - Periodic review of policies and procedures by legal counsel for compliance with applicable legal and regulatory requirements
     - Encourage personnel to report suspected violations of laws, regulations or company policies
     - Take appropriate disciplinary actions for violations of legal or regulatory requirements

2. Maintain records that demonstrate compliance with applicable laws and regulations  [C]
   Risk: Human resource personnel are unaware of the records that must be retained to demonstrate compliance with applicable laws and regulations
     - Human resource personnel are subject to periodic training regarding legal and regulatory requirements
     - Human resource personnel have appropriate training and experience prior to being hired
   Risk: Records are lost or prematurely destroyed
     - File and retain human resource records in accordance with laws, regulations and good business practice
     - Logs, checklists or other appropriate tools are used to ensure appropriate records are received and retained
     - Access to human resource records is restricted to authorized personnel
     - Review and approve all files selected for disposition
   Risk: Inaccurate or incomplete information is acquired and retained
     - Review validity, accuracy and completeness of information received and retained in the form of records
   Risk: Record-keeping requirements are disregarded
     - Take appropriate disciplinary or other action when legal or regulatory requirements or company policies are disregarded

3. Maintain confidentiality of human resource information  [O,C]
   Risk: Human resource records are not subject to proper security procedures
     - Restrict access to human resource records to authorized personnel
     - Require proper security codes to gain access to confidential records maintained on electronic media; change such access codes frequently
     - Monitor personnel accessing human resource records
   Risk: Human resource personnel divulge confidential information
     - Subject individuals who provide confidential information to unauthorized persons to disciplinary actions
     - Restrict access to confidential information to those persons who need such information to discharge their responsibilities

4. Maintain employee turnover at an acceptable level  [O]
   Risk: Compensation and benefits are less than offered by other companies
     - Review and evaluate compensation and benefits on a regular basis
     - Compare compensation and benefits with those offered by other companies within the industry and within the local geographical area
     - Seek employee feedback about their needs
   Risk: Employees may not feel their efforts are noticed or appreciated
     - Periodic, standardized performance evaluations and career counseling
     - Institute compensation programs that reflect past performance and capacity for future development

Plan and Acquire Personnel

5. Acquire sufficient number of appropriately qualified personnel  [O]
   Risk: Over- or underqualified candidates may be hired
     - Maintain appropriate candidate identification, screening and hiring practices
     - Maintain adequate job descriptions and hiring criteria that can be used to measure and compare candidates' qualifications with job requirements
   Risk: Lack of awareness of entity's current human resources
     - Investigate and review potential candidates inside the entity before considering external candidates
   Risk: Lack of qualified candidates
     - Identify and retrain qualified personnel currently performing other job functions
     - Establish networks and candidate sources outside of the local geographical area
   Risk: The entity may be unaware of its future staffing needs
     - Regularly update future staffing requirements as part of ongoing business planning
   Risk: Labor organizations may call for strikes or work slowdowns
     - Continually identify union demands and issues and take reasonable steps to avoid labor disputes
     - Identify viable alternative sources of labor in the event of a labor dispute

Train and Develop Employees

6. Ensure employees receive adequate training to discharge their responsibilities effectively  [O]
   Risk: Training requirements may not be adequately identified
     - Solicit opinions and ideas of management, supervisors and employees to identify training needs
     - Monitor performance or other problems that may indicate training deficiencies

7. Ensure staff receive adequate feedback regarding their performance and career development  [O]
   Risk: Staff are not evaluated on regular or timely basis
     - Periodically evaluate performance and provide career counseling

Activity: MANAGE THE ENTERPRISE

Objectives | O,F,C | Risks | Points of Focus for Actions/Control Activities

1. Design and implement strategies that allow achievement of entity-wide objectives  [O]
   Risk: Incomplete or inaccurate information regarding changes affecting the entity, such as competition, products, customer preferences, or legal and regulatory changes
     - Develop a strategic plan that incorporates senior management's vision for the company
     - Periodically evaluate direction and priorities set by senior management to make certain they are still valid
     - Communicate information regarding competitors, products, customers, and legal and regulatory changes to all relevant activities
     - Establish communication, down, up and across the organization, to allow prompt identification and resolution of problems that impede achievement of strategic objectives
   Risk: Lack of understanding of critical success factors
     - Identify and analyze critical success factors from an industry and entity standpoint
   Risk: Insufficient or inappropriate resources
     - Identify and maintain adequate supply of internal resources and ensure availability of external resources
   Risk: Inadequate attention to relationships with shareholders, investors or other outside parties
     - Effectively communicate with shareholders, investors and other outside parties

2. Maintain systems that allow timely communication of accurate internal and external information to relevant personnel  [O,F]
   Risk: Information is too specific to be usable
     - Establish an executive management reporting system that focuses on key information for managing the business
   Risk: Out-of-date systems
     - Regularly review information systems to ensure that they meet the changing needs of the company
   Risk: Inaccurate or untimely information
     - Institute information system that ensures the accuracy and timeliness of internal and external information

3. Ensure entity personnel are aware of acceptable actions and behavior  [O,C]
   Risk: Lack of Code of Conduct
     - Implement and monitor compliance with Code of Conduct
   Risk: Employees do not understand the Code of Conduct
     - Requirements of the Code of Conduct are reviewed with all new employees, and periodically with all employees
   Risk: Employees ignore the Code of Conduct
     - Appropriate disciplinary action for violations of the Code of Conduct to clearly communicate the message that violations will not be tolerated
   Risk: Dishonest employees
     - Hiring policies and procedures require reference checks on employment candidates
     - Employees found violating laws are subject to appropriate disciplinary action and are reported to the authorities for prosecution

Activity: MANAGE EXTERNAL RELATIONS

Objectives | O,F,C | Risks | Points of Focus for Actions/Control Activities

1. Attempt to legally influence government policies and regulations that have an impact on the entity's objectives  [O]
   Risk: Lack of understanding of government policies
     - Employ personnel experienced in government affairs as they relate to the entity
     - Monitor and communicate regulatory and other government information
     - Join industry or trade organizations that lobby legislative or regulatory bodies

2. Actively participate in standard-making bodies  [O]
   Risk: Participation dependent on appointment
     - Establish reputation as industry leader
   Risk: Limited number of positions
     - Make certain that entity officials are visible spokespeople on issues that affect the entity

3. Participate in community activities that enhance the public image of the company  [O]
   Risk: Lack of information on and awareness of community issues
     - Encourage staff to support civic endeavors

Activity: PROVIDE ADMINISTRATIVE SERVICES

Objectives | O,F,C | Risks | Points of Focus for Actions/Control Activities

1. Provide quality services that are delivered on a timely basis at the least cost  [O]
   Risk: Lack of or excess staff
     - Estimate service usage to ensure appropriate staffing levels
   Risk: Lack of planning procedures that incorporate objectives of administrative services
     - Where appropriate, evaluate the value of using outside service companies rather than providing service in-house
   Risk: Inadequate accounting systems for allocating costs
     - Accurately capture costs and distribute such costs on an equitable basis

Activity: MANAGE INFORMATION TECHNOLOGY

Objectives | O,F,C | Risks | Points of Focus for Actions/Control Activities

1. Use information technology (IT) to carry out the entity's strategic plans  [O,F,C]
   Risk: Insufficient interaction of information technology, financial and operating management in developing strategic plans
     - Develop IT strategic plan that optimizes entity-wide investment in and use of IT, and ensure that IT initiatives support entity's long-range plans
     - Involve users in the development and maintenance of the strategic IT plan
     - Use an IT steering committee

2. Capture, process and maintain information completely and accurately and provide it to the appropriate people to enable them to carry out their responsibilities  [O,F,C]
   Risk: Systems are not designed according to user needs or are not properly implemented
     - Use a systems development life cycle, which includes the following key aspects or phases:
         - Request for systems design
         - Feasibility study
         - General system design
         - Detailed systems specifications
         - Program development and testing
         - System testing
         - Conversion
         - System acceptance and approval
     - Use project management procedures to ensure proper management of systems development activities
     - Involve users in review and approval to ensure systems are designed to meet user requirements
   Risk: System and program modifications are implemented incorrectly
     - Use well-controlled system and program change procedures, including:
         - Properly approved system/program change requests
         - Approved changes are tracked throughout change process
         - Review and approve final design of changes by users
         - All changes, including those initiated in data processing, are subject to appropriate testing, and test results are reviewed and approved by user and data processing management
         - Approve implementation of tested changes by requester
         - Notify data processing departments affected by changes
         - Prepare/update documentation (such as operations runbooks, user manuals, program narratives and system description)
   Risk: Computer operations fail to use correct programs, files and procedures
     - Prepare and adhere to a production job schedule; document and approve departures from the schedule
     - Establish adequate job set-up and execution procedures over:
         - Setting up of batch jobs
         - Loading on-line application systems
         - Loading system software
     - Use control statements and parameters in processing that are in accordance with approved procedures
     - Require written approval, including user involvement where appropriate, for departures from authorized set-up and execution procedures
     - Establish adequate procedures for identifying, reporting and approving operator actions, such as:
         - Initial loading of system and application software
         - System failures
         - Restart and recovery
         - Emergency situation
         - Any other unusual situations
   Risk: Data files are subjected to unauthorized access
     - Establish a security policy stating senior management's commitment on information security; demonstrate such commitment through appropriate actions
     - Establish standards, procedures and guidelines that translate the security policy into rules and compliance criteria; these standards and procedures normally address such matters as:
         - The information classification scheme for information stored on computers and outside of data processing, including security categories (e.g., research, accounting, marketing) and security levels (e.g., top secret, confidential, internal use only, unclassified)
         - The data in each information class and the individuals or functions authorized to use the data and the control and protection requirements
         - The types of classes of sensitive assets and for each:
             - Potential threats
             - Protection requirements
         - The responsibilities of management, security administration, resource (data, programs or assets) owners, computer operations, system users and internal auditors, with respect to:
             - Ownership of resources
             - Procedures for granting access
             - Procedures for establishing users' and access privileges
             - Required authorizations
             - Security monitoring
         - The consequences of non-compliance with policy, standards and procedures
         - The security implementation plan, if applicable
   Risk: Programs are subjected to unauthorized modification
     - Consider the development of an information security risk assessment
     - Use a security or access control software package to enhance the protection of data fields and system and program libraries
     - Use proper system software controls to ensure that system software is properly implemented, maintained and protected from unauthorized changes
     - Maintain proper physical security over computer hardware and software and information stored outside of data processing
3. Information systems are available as needed  [O,F,C]
   Risk: Lack of or poor business continuation planning
     - Establish and maintain a commitment by senior management for business contingencies
     - Develop and maintain a business continuation plan
     - Assess the impact of new or modified systems on business continuation procedures
     - Establish alternative processing arrangements
   Risk: Poor back-up and recovery procedures
     - Regularly back up critical data files, systems and program libraries and store offsite
   Risk: Inadequate safeguarding of IT resources
     - Regularly test business continuation procedures

Activity: MANAGE RISKS (of accident or other insurable loss)

Objectives | O,F,C | Risks | Points of Focus for Actions/Control Activities

1. Prevent and reduce potential for accidents  [O]
   Risk: Certain jobs, activities or locations are hazardous
     - Identify hazardous jobs, activities or locations
     - Implement policies, procedures or precautions to enhance workers' safety
     - Monitor workers' compensation or related insurance claims and compare with industry averages (performance indicator)
     - Identify causes of accidents and implement appropriate, cost-effective safeguards
   Risk: Out-of-date production facilities
     - Ensure that capital expansion plans address safety objectives
   Risk: Ineffective safety and employee training programs
     - Provide appropriate safety and training programs to all new employees
     - Provide periodic updates on such programs to existing employees
   Risk: Poorly maintained or inadequate equipment
     - Establish a maintenance program that ensures equipment is adequately maintained. Investigate and resolve employee reports of malfunctioning equipment
   Risk: Employees ignore safety policies or procedures
     - Appropriately discipline violators of safety policies or procedures

2. Ensure compliance with applicable Occupational Safety and Health Administration (OSHA) laws and regulations  [C]
   Risk: Lack of knowledge regarding OSHA laws and regulations
     - Retain competent legal counsel to advise the entity on OSHA requirements. Ensure legal counsel periodically reviews applicable policies, procedures and safety precautions

3. Minimize insurance claims and other risk-related costs while maintaining adequate insurance coverage  [O]
   Risk: Inaccurate, insufficient or untimely information regarding risk-related costs or accidents or incidents that could give rise to an insurance claim
     - Ensure that all accidents or other incidents that could give rise to an insurance claim are reported to appropriate personnel
     - Ensure information systems provide information on all risk-related costs, including insurance premiums, self-insured losses, risk management personnel costs and other related costs
     - Ensure that all significant risks pertaining to all activities have been identified and appropriately addressed, for example: product liability, property and casualty, business interruption and loss of key personnel
     - Evaluate insurance coverages and consider opportunities to limit costs through self-insurance, captive or off-shore insurance companies, or other techniques
   Risk: Lack of knowledge of risk management cost containment techniques
     - Retain personnel or advisors with risk management training and experience

Activity: MANAGE LEGAL AFFAIRS

Objectives | O,F,C | Risks | Points of Focus for Actions/Control Activities

1. Ensure the entity complies with all laws and regulations  [C]
   Risk: Management is unaware of legal and regulatory requirements
     - Retain legal counsel with applicable industry experience
     - Legal counsel periodically communicates with management about legal and regulatory requirements
   Risk: Legal counsel is unaware of all activities taking place within the entity
     - Review of all significant contracts and agreements by legal counsel
     - Review of subsidiary, division or unit annual business plans by legal counsel
     - Legal counsel attends management meetings, visits business locations away from the executive offices or otherwise establishes adequate communication with subsidiary, division or unit management to gain a thorough understanding of enterprise activities
     - Encourage regular communication between legal counsel and the internal and independent auditors, and with the board of directors and its various committees
   Risk: Changing legal and regulatory requirements
     - Legal counsel monitors new laws, regulations, court decisions or other events that could impact the entity

2. Ensure contracts and agreements are clear, fair to the entity and legally enforceable  [O]
   Risk: Legal counsel does not review contracts or agreements
     - Review and approval of all significant contracts and agreements by legal counsel
     - Limit personnel authorized to execute contracts or agreements to responsible officials at an appropriate management level

3. Minimize litigation costs and settlements  [O]
   Risk: Nonlegal personnel are unaware that certain circumstances could potentially lead to litigation
     - Implement training programs for appropriate nonlegal personnel that address situations requiring communication with legal personnel
     - Include a clause in all contracts and agreements requiring copies of all legal notices or correspondence from other parties be sent to legal counsel
   Risk: Inaccurate information or estimates regarding costs of litigation or anticipated settlements
     - Monitor costs of current and previous litigation
     - Gather information on recent settlements or awards in similar litigation

Activity: PLAN

Objectives | O,F,C | Risks | Points of Focus for Actions/Control Activities

1. Develop long- and short-range plans that are in accordance with entity-wide objectives  [O]
   Risk: Lack of awareness of entity-wide objectives
     - Establish a planning approach that uses as its foundation entity-wide objectives
     - Communicate entity-wide objectives to appropriate personnel involved in the planning process
   Risk: Insufficient information regarding available opportunities
     - Join industry and trade associations
     - Attend seminars or other informative sessions offered by outside parties
     - Retain experienced and competent management

2. Develop plans in a format that allows management to manage the business and measure progress on a timely basis  [O]
   Risk: Inadequate management information systems
     - Establish information systems that present plan information in the same format as historical information
   Risk: Plan formats are ineffective in providing necessary benchmarks against which performance can be measured
     - Monitor and evaluate the effectiveness of plans. Enhance plan formats to emphasize critical success factors

3. Develop plans using an efficient approach  [O]
   Risk: Inadequate and outdated planning systems
     - Require agreement on entity-wide objectives before specific plans are developed. When allocating resources, prioritization should be made in accordance with entity-wide objectives
     - Develop and maintain planning system and communicate to all relevant departments. Conduct training when appropriate
     - Gather information for plans in accordance with the business focus used for managing the business
     - Develop and follow timetable for gathering, analyzing and consolidating planning information

4. Develop plans that are realistic  [O]
   Risk: Incorrect information and assumptions
     - Review and test the validity of assumptions
     - Consider all operational support activities when developing plans
     - Appropriate staff are involved in developing plans

Activity: PROCESS ACCOUNTS PAYABLE

Objectives | O,F,C | Risks | Points of Focus for Actions/Control Activities

1. Accurately record invoices on a timely basis for all accepted purchases that have been authorized and only for such purchases  [O,F]
   Risk: Missing documents or information
     - Prenumber and account for purchase orders and receiving reports
     - Match invoice, receiving and purchase order information and follow up on missing or inconsistent information
     - Follow up on unmatched open purchase orders, receiving reports and invoices and resolve missing, duplicate or unmatched items, by individuals independent of purchasing and receiving functions
   Risk: Inaccurate input of data
     - Use of control totals or one-for-one checking
   Risk: Invalid accounts payable fraudulently created for unauthorized or non-existent purchases
     - Restrict ability to modify data
     - Reconcile vendor statements to accounts payable items
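
The first three points of focus under objective 1 above (prenumber and account for purchase orders and receiving reports; match invoice, receiving and purchase order information; follow up on missing, duplicate or unmatched items) recur, with different documents, throughout the purchasing, receivables and payables activities. The following Python is an added example and not code from the COSO document: a sequence-accounting check that reports gaps and duplicates in a prenumbered series, and a three-way match that approves an invoice only when it agrees with its purchase order and receiving reports and otherwise lists it as an exception. All document numbers, vendors, quantities and prices are constructed.

```python
"""Prenumbered-document accounting and three-way matching for accounts
payable. Added example, not code from the COSO document. All document
numbers, vendors, quantities and prices are constructed."""
from collections import Counter
from dataclasses import dataclass
from decimal import Decimal
from typing import Dict, Iterable, List


@dataclass(frozen=True)
class PurchaseOrder:
    po_no: int  # entity-assigned, prenumbered
    vendor: str
    qty: int
    unit_price: Decimal


@dataclass(frozen=True)
class ReceivingReport:
    rr_no: int  # entity-assigned, prenumbered
    po_no: int
    qty_received: int


@dataclass(frozen=True)
class Invoice:
    inv_ref: str  # vendor's own reference, not controlled by the entity
    vendor: str
    po_no: int
    qty_billed: int
    unit_price: Decimal


def account_for_sequence(numbers: Iterable[int], first: int, last: int) -> Dict[str, List[int]]:
    """Every number first..last should appear exactly once; report gaps,
    duplicates and numbers outside the series."""
    seen = Counter(numbers)
    expected = set(range(first, last + 1))
    return {"missing": sorted(expected - set(seen)),
            "duplicate": sorted(n for n, c in seen.items() if c > 1),
            "out_of_range": sorted(n for n in seen if n not in expected)}


def three_way_match(pos, rrs, invoices) -> Dict[str, list]:
    """Approve an invoice only if vendor and unit price agree with the PO and the
    quantity billed to date does not exceed the quantity received; everything
    else is an exception for follow-up independent of purchasing and receiving."""
    by_po = {p.po_no: p for p in pos}
    received: Counter = Counter()
    for r in rrs:
        received[r.po_no] += r.qty_received
    billed, seen_refs, approved, exceptions = {}, set(), [], []  # billed: approved qty per PO
    for inv in invoices:
        if (inv.vendor, inv.inv_ref) in seen_refs:
            exceptions.append(f"{inv.inv_ref}: duplicate invoice from {inv.vendor}")
            continue
        seen_refs.add((inv.vendor, inv.inv_ref))
        po = by_po.get(inv.po_no)
        if po is None:
            exceptions.append(f"{inv.inv_ref}: no purchase order {inv.po_no} on file")
            continue
        problems = []
        if inv.vendor != po.vendor:
            problems.append(f"vendor {inv.vendor} differs from PO vendor {po.vendor}")
        if inv.unit_price != po.unit_price:
            problems.append(f"unit price {inv.unit_price} differs from PO {po.unit_price}")
        total = billed.get(inv.po_no, 0) + inv.qty_billed
        qty_rec = received.get(inv.po_no, 0)
        if qty_rec == 0:
            problems.append("no receiving report on file")
        elif total > qty_rec:
            problems.append(f"quantity billed to date {total} exceeds received {qty_rec}")
        if problems:
            exceptions.append(f"{inv.inv_ref}: " + "; ".join(problems))
        else:
            billed[inv.po_no] = total
            approved.append(inv.inv_ref)
    open_pos = sorted(n for n, p in by_po.items() if billed.get(n, 0) < p.qty)
    return {"approved": approved, "exceptions": exceptions, "open_pos": open_pos}


def run_demo() -> Dict[str, dict]:
    # Constructed documents: PO 1003 is unaccounted for and report number 502 was used twice.
    pos = [PurchaseOrder(1001, "Acme", 100, Decimal("2.50")),
           PurchaseOrder(1002, "Acme", 500, Decimal("0.10")),
           PurchaseOrder(1004, "Beta", 20, Decimal("45.00")),
           PurchaseOrder(1005, "Gamma", 300, Decimal("1.20"))]
    rrs = [ReceivingReport(501, 1001, 100), ReceivingReport(502, 1002, 300),
           ReceivingReport(502, 1002, 200), ReceivingReport(504, 1004, 20)]
    invoices = [
        Invoice("A-77", "Acme", 1001, 100, Decimal("2.50")),  # agrees with PO and receipts
        Invoice("A-78", "Acme", 1002, 600, Decimal("0.10")),  # billed more than received
        Invoice("B-12", "Beta", 1004, 20, Decimal("47.00")),  # unit price differs from PO
        Invoice("G-5", "Gamma", 1005, 300, Decimal("1.20")),  # nothing received yet
        Invoice("A-77", "Acme", 1001, 100, Decimal("2.50")),  # duplicate submission
        Invoice("Z-1", "Zeta", 1003, 10, Decimal("9.99")),    # no such purchase order
    ]
    return {"po_sequence": account_for_sequence([p.po_no for p in pos], 1001, 1005),
            "rr_sequence": account_for_sequence([r.rr_no for r in rrs], 501, 504),
            "match": three_way_match(pos, rrs, invoices)}
```

The exception list is the work queue for the independent follow-up the text calls for, and `open_pos` supports following up on unmatched open purchase orders. Duplicate invoices are detected on the vendor's own reference combined with the vendor name, since the entity cannot prenumber documents that originate outside it.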

2. Identify available discounts  [O]
   Risk: Missing or untimely receipt of documents
     - Investigate unmatched information before due date
     - Maintain accounts payable ledger by discount date

3. Accurately record returns and allowances for all authorized credits, and only for such credits  [F]
   Risk: Missing documents or information
     - Prenumber and account for shipping orders for returned goods
     - Match shipping orders for returned goods with vendors' credit memos
     - Follow up on unmatched shipping orders for returned goods and related receiving reports and invoices and resolve missing, duplicate or unmatched items, by individuals independent of accounts payable function
     - Review vendor correspondence authorizing returns and allowances
   Risk: Inaccurate input of data
     - Reconcile accounts payable records with vendor statements
     - Use of control totals or one-for-one checking

4. Ensure completeness and accuracy of accounts payable  [O,F]
   Risk: Unauthorized input for nonexistent returns
     - Reconcile accounts payable subsidiary ledger with purchase and cash disbursement transactions
   Risk: Unauthorized additions to accounts payable
     - Resolve differences between the accounts payable subsidiary ledger and the accounts payable control account

5. Safeguard accounts payable records  [O,F]
   Risk: Unauthorized access to accounts payable records and stored data
     - Restrict access to accounts payable files used in processing payables
     - Restrict access to mechanical check signers and signature plates

Activity: PROCESS ACCOUNTS RECEIVABLE

Objectives | O,F,C | Risks | Points of Focus for Actions/Control Activities

1. All goods shipped are accurately billed in the proper period  [O]
   Risk: Missing documents or incorrect information
     - Use standard shipping or contract terms
     - Communicate nonstandard shipping or contract terms to accounts receivable
     - Verify shipping or contract terms before invoice processing
   Risk: Improper cutoff of shipments at the end of a period
     - Identify shipments as being before or after period-end by means of a shipping log and prenumbered shipping documents
     - Reconcile goods shipped to goods billed

2. Accurately record invoices for all authorized shipments and only for such shipments  [O,F]
   Risk: Missing documents or incorrect information
     - Prenumber and account for shipping documents and sales invoices
     - Match orders, shipping documents, invoices and customer information, and follow through on missing or inconsistent information
     - Mail customer statements periodically and investigate and resolve disputes or inquiries, by individuals independent of the invoicing function
     - Monitor number of customer complaints regarding improper invoices or statements (performance indicator)

3. Accurately record all authorized sales returns and allowances and only such returns and allowances  [O,F]
   Risk: Missing documents or incorrect information
     - Authorize credit memos by individuals independent of accounts receivable function
     - Prenumber and account for credit memos and receiving documents
     - Match credit memos and receiving documents and resolve unmatched items by individuals independent of the accounts receivable function
   Risk: Inaccurate input of data
     - Mail customer statements periodically and investigate and resolve disputes or inquiries, by individuals independent of the invoicing function

4. Ensure continued completeness and accuracy of accounts receivable  [O,F]
   Risk: Unauthorized input for nonexistent returns, allowances and writeoffs
     - Review correspondence authorizing returns and allowances
     - Reconcile accounts receivable subsidiary ledger with sale and cash receipts transactions
     - Resolve differences between the accounts receivable subsidiary ledger and the accounts receivable control account

5. Safeguard accounts receivable records  [O,F]
   Risk: Unauthorized access to accounts receivable records and stored data
     - Restrict access to accounts receivable files and data used in processing receivables

Activity: PROCESS FUNDS

Objectives O,F,C Risks Points of Focus for

Actions/Control Activities

1. Accurately forecast O Inaccurate, untimely or Information systems identify all


cash balances to unavailable information sources of cash and dates cash is
maximize short-term regarding cash inflows and due or expected to be collected
investment income and outflows (such sources include accounts
to avoid cash receivable collections, customer
"shortfalls" deposits, sale of assets, loan
proceeds and other cash sources)

Internal Use Only


Exported on 23/02/2022 10:29 pm © All rights are reserved. Page 670
Information systems identify all cash
requirements and dates cash is
needed (such requirements include
accounts payable, loan payments,
payrolls, dividends or other cash
requirements)

Identify all internal sources of


information

Compare information used to


prepare cash forecasts with
supporting records or underlying
documents to verify information is
internally consistent

Objective 2 (O): Ensure necessary financing is available in the event of a cash "shortfall"
  Risk: Lack of awareness regarding financing alternatives
    - Retain financial personnel experienced in obtaining financing for similar entities
    - Identify professional advisors who can assist in locating alternative sources of financing and consult those advisors as appropriate
  Risk: Failure to establish or maintain appropriate relationships with financing sources
    - Establish relationships with financing sources before financing is needed. Maintain proper and current relationships to facilitate access to cash as the need arises

Objective 3 (O): Optimize return on temporary cash investments
  Risk: Lack of knowledge regarding investment alternatives
    - Retain financial personnel experienced in short-term investments
    - Use professional investment advisors

Objective 4 (O): Accelerate cash collections
  Risk: Handling cash receipts internally can delay deposit of such receipts
    - Consider "lock-box" arrangements whereby payments are remitted to a post office box and the bank collects and deposits such remittances
  Risk: Customers delay remittance
    - Factor accounts receivable
    - Honor bank credit cards
    - Offer discounts for timely remittance
    - Establish and enforce collection policies
    - Monitor accounts receivable for overdue balances; implement collection procedures on a timely basis
  Risk: Excessive accounts receivable collection problems
    - Establish and enforce a credit policy that reflects an appropriate balance between risk of credit loss and sales volume

Objective 5 (O,F): Record cash receipts on accounts receivable completely and accurately
  Risk: Cash received is diverted, lost or otherwise not reported accurately to accounts receivable
    - Assign opening of mail to an individual with no responsibility for or access to files or documents pertaining to accounts receivable or cash accounts; compare listed receipts to credits to accounts receivable and bank deposits
    - Consider use of lock-box or other arrangements to accelerate deposits
    - Consider ability to have customers transfer funds electronically to the entity's bank account, and notify the entity of payment through Electronic Data Interchange (EDI)
  Risk: Receipts are for amounts different than invoiced amounts, or are not identifiable
    - Send periodic statements to customers and investigate customer-noted differences (performance indicator)
    - Reconcile general ledger with accounts receivable subsidiary records; investigate differences
    - Contact payor to determine reasons for payment, or payment different than amounts invoiced

Objective 6 (O): Manage timing of cash disbursements
  Risk: Inaccurate, untimely or unavailable information regarding payment due dates
    - Information system identifies all cash requirements and dates cash is needed
    - Use accounts payable aging analysis
  Risk: Bills are paid before due dates
    - Delay check preparation or signature until the due date
    - Release check at the latest possible time and at the end of a day or week, if possible
  Risk: Checks clear the bank quickly
    - Consider check-clearing time when selecting a bank

Objective 7 (O): Minimize cash disbursements
  Risk: Information system does not identify available discounts and related required payment dates
    - Information system identifies payment dates related to available discounts

Objective 8 (O,F): Disburse cash only for authorized purchases
  Risk: Fictitious documentation is created
    - Examine supporting documents, payments approved by individuals independent of procurement, receiving and accounts payable
  Risk: Reuse of supporting documents
    - Cancel supporting documents to prevent resubmission for payment

Objective 9 (O,F): Remit disbursements to vendors and others, such as for dividends, debt service, and tax or other payments, in a timely and accurate manner
  Risk: Inaccurate, untimely or unavailable information regarding amounts or due dates of payments
    - Detailed comparison of actual versus budgeted disbursements
    - Compare payment amounts and recipients with source documents, such as vendor invoices, purchase orders, tax returns, dividend computations, loan repayment schedules or other appropriate documentation; verify accuracy of supporting documents
    - Establish a "tickler file" to identify payment due dates
    - Modify information systems as necessary to provide payment information

Objective 10 (O,F): Record cash disbursements completely and accurately
  Risk: Missing documents or information
    - Match disbursement records against accounts payable/open invoice files
    - Prenumber and account for checks
    - Reconcile bank statements to cash accounts and investigate long-outstanding checks by individuals independent of accounts payable and cash disbursement functions

Objective 11 (O,F): Safeguard cash and the related accounting records
  Risk: Inadequate physical security over cash and documents that can be used to transfer cash
    - Segregate custodial and record-keeping functions
    - Reconcile bank accounts by individuals without responsibility for cash receipts, disbursements or custody
    - Receive and prelist cash by individuals independent of recording cash receipts
    - Restrictively endorse checks on receipt
    - Deposit receipts intact daily
    - Restrict access to accounts receivable files and files used in processing cash receipts
    - Mail checks by individuals independent of recording accounts payable
    - Authorized check signers are independent of cash receipts functions
    - Physically protect mechanical check signers and signature plates
    - Restrict access to accounts payable files and files used in processing cash disbursements

Activity: PROCESS FIXED ASSETS

Objectives | O,F,C | Risks | Points of Focus for Actions/Control Activities

Objective 1 (O,F): Completely and accurately record fixed asset transfers, acquisitions, dispositions and related depreciation
  Risk: Acquisition documentation may be lost or otherwise not communicated to proper personnel
    - Prenumber individual capital expenditure authorizations and investigate missing documents
    - Route copy of purchase orders for capital expenditures to personnel who process fixed assets; investigate purchase orders not matched with receiving documentation after anticipated receipt date
    - Reconcile fixed asset additions with capital expenditure authorizations
  Risk: Acquired assets may not be adequately described
    - Inquire of purchasing or other personnel to clarify asset description or function
    - Establish clear definitions for asset categories
  Risk: Asset disposals or transfers may not be communicated to proper personnel
    - Dispose of or transfer fixed assets only with proper authorization, a copy of which is provided to appropriate personnel
    - Prenumber fixed asset disposal and transfer authorization forms and investigate missing documents
    - Count fixed assets periodically, reconcile count with fixed asset records and investigate differences
  Risk: Incorrect depreciation lives or methods may be used
    - Establish policies regarding depreciation lives and methods, communicate them to appropriate personnel, and periodically review them to ensure continued appropriateness
    - Review depreciation detail for accuracy and compliance with policies and procedures

Objective 2 (O): Safeguard fixed assets from loss through theft
  Risk: Inadequate physical security over fixed assets
    - Restrict access to facilities during non-working hours
    - Affix an identification plate and number to office furniture and fixtures, equipment and other portable fixed assets
    - Develop, implement and communicate safeguarding policies

Activity: ANALYZE AND RECONCILE

Objectives | O,F,C | Risks | Points of Focus for Actions/Control Activities

Objective 1 (O): Compare operating results with pre-established standards, such as budgets or prior-period results. Identify variances, trends or unusual changes and their causes
  Risk: Pre-established standards are not determined
    - Periodically establish operating standards, such as quarterly or annual budgets
  Risk: Lack of or inaccurate information needed to compare actual results with pre-established standards
    - Specify information needed to identify and explain variances, trends or unusual changes
    - Design information systems to communicate necessary information to appropriate people on a timely basis

Objective 2 (O,F): Reconcile books and records to ensure their internal consistency
  (Note: Risks for this objective vary, depending on the reconciliation procedures and the nature of the information being reconciled. Accordingly, reconciliation procedures are identified, where appropriate, in other sections of this Reference Manual)

Activity: PROCESS BENEFITS AND RETIREE INFORMATION

Objectives | O,F,C | Risks | Points of Focus for Actions/Control Activities

Objective 1 (O,C): Ensure all eligible individuals, and only such individuals, are included in benefit programs
  Risk: Program eligibility requirements are not clearly communicated to appropriate personnel
    - Train and update appropriate personnel regarding plan eligibility requirements and amendments thereto
  Risk: Inaccurate employee information is provided to benefits personnel
    - Compare information to employee personnel file or otherwise verify its accuracy
    - Limit access to employee data base
  Risk: Eligible employees are improperly excluded from participation
    - Periodically match participant list to employee and/or retiree list and to documentation of employees' elections not to participate
  Risk: Nonexistent employees are entered as program participants or beneficiaries
    - Periodically compare participant list to employee and/or retiree list
    - Approval by an authorized official of all additions to participant data base
    - Verify existence and status of participant

Objective 2 (O,C): Accurately calculate benefits due to each participant
  Risk: Plan benefit provisions are unclear or complex
    - Ensure plan documents describe benefit provisions clearly and include sample calculations
    - Amend plan as necessary to clarify benefit computations
    - Consult legal, actuarial or other professionals as needed to clarify benefit provisions
  Risk: Errors are made in calculating benefits
    - Standardize forms or programs for calculating benefits
    - Review benefit calculations
  Risk: Inaccurate information used in calculating benefits
    - Limit access to information and data
    - Approve all changes to data bases used to calculate benefits

Objective 3 (O): Summarize and track benefit information
  Risk: Lost or misplaced information
    - Reconcile various related reports
    - Use logs or other devices to ensure completeness of processing

Objective 4 (C): Comply with applicable laws and regulations
  Risk: Personnel are unaware of applicable laws and regulations
    - Train human resource or other personnel on applicable laws and regulations
    - Review and approve all plan documents and policies by legal counsel experienced in employee and retiree benefit programs

Objective 5 (O): Generate and distribute benefits reports in an accurate and timely manner
  Risk: Lack of adequate systems
    - Ensure that report generation systems process information accurately and satisfy reporting deadlines
  Risk: Lack of understanding of reporting requirements
    - Implement and monitor training programs

Activity: PROCESS PAYROLL

Objectives | O,F,C | Risks | Points of Focus for Actions/Control Activities

Objective 1 (O): Pay employees in accordance with wage contracts and other established policies
  Risk: System is not designed to reflect payment schedule included in collective bargaining agreements or individual agreements with employees
    - Implement payment schedule that reflects wage contracts and agreed-upon payment schedules

Objective 2 (O,F): Calculate and record payroll (including payroll deductions) accurately and completely for all services actually performed and approved, and only for such services
  Risk: Pay rates or deductions are not properly authorized or are inaccurate
    - Review and approve initial pay and any subsequent additions or changes
    - Periodically verify payroll data base information
    - Review and approve initial deductions/benefit elections
    - Use standard forms for making changes to payroll information
    - Review and approve all nonstandard items such as sick, vacation and bonus pay
    - Review payroll register and checks for reasonableness
    - Security controls that limit access to payroll data base
  Risk: Hours are not authorized or are inaccurate
    - Review and approve time records for unusual or nonstandard hours and for overtime
  Risk: Time cards or other source information is submitted for nonexistent employees
    - Use standardized policies and procedures when hiring employees
    - Security procedures relating to additions and deletions of employees to or from the data base
    - Maintain logs or other documentation supporting or tracking changes to payroll data base
    - Where practical, require valid identification and employee signature to receive paycheck
    - Prohibit payment of wages in cash, except in prescribed circumstances
    - Use direct deposit systems
  Risk: Lack or loss of information or documents
    - Verify that source documents such as timecards are received for all employees
    - Maintain back-up records of employees' time in case source documents are lost
    - Reconcile the employee subsidiary ledger to the general ledger control accounts; investigate any differences
    - Compare total hours and number of employees input with the totals in the payroll register

Objective 3 (O): Restrict access to payroll data information to only those individuals who need such information to discharge duties
  Risk: Unauthorized personnel may gain access to payroll information
    - Access to information stored on electronic media is restricted by frequently changed passwords
    - Payroll processing systems and written information are subject to physical security

Objective 4 (O): Provide payroll information to relevant personnel to satisfy management information needs
  Risk: Management information needs with respect to payroll are not defined
    - Identify how payroll information can satisfy other management objectives and link information sources

Activity: PROCESS TAX COMPLIANCE

Objectives | O,F,C | Risks | Points of Focus for Actions/Control Activities

Objective 1 (F,C): Accurately process, prepare and file required tax documents on a timely basis
  Risk: Inadequate information about, or understanding of, filing requirements and applicable laws and regulations
    - Employ competent tax professionals—either in-house or outside the entity—to identify and prepare filings
    - Subscribe to tax services and/or maintain membership in appropriate industry, trade or professional organizations to identify emerging tax requirements or opportunities
    - Establish a system, such as a "tickler file," to identify tax filing due dates
  Risk: Incomplete or inaccurate information used as the basis for document preparation
    - Identify information necessary to prepare tax documents; ensure information systems are designed to accurately provide such information on a timely basis

Objective 2 (O,C): Reduce tax liabilities to the legal minimum
  Risk: Inadequate information regarding tax-savings opportunities
    - Ensure tax professionals are fully informed of all aspects of the entity's operations, including routine and nonroutine transactions, and any changes in the entity's business lines or methods of conducting business
    - Periodically review tax filings and status to specifically identify tax-savings opportunities

Objective 3 (F,C): Record the effect of all tax transactions or economic events completely and accurately
  Risk: Inadequate information about, or understanding of, financial reporting of tax transactions or economic events
    - Employ personnel who understand financial reporting for taxes
    - Subscribe to technical service and/or maintain memberships in appropriate industry, trade or professional organizations that identify and explain new or existing financial reporting requirements
  Risk: Journal entries related to tax transactions or economic events are not properly approved or posted to the general ledger
    - Journal entries related to taxes are approved by authorized and knowledgeable officials
    - Each journal entry is compared with the general ledger to ensure proper posting

Activity: PROCESS PRODUCT COSTS

Objectives | O,F,C | Risks | Points of Focus for Actions/Control Activities

Objective 1 (O,F): Develop standard costs of producing products, including costs at each stage of the production process
  Risk: Inadequate or inaccurate information
    - Identify information necessary to develop standard product costs; ensure information systems accurately provide such information on a timely basis (this information may include such items as units planned to be produced, budgeted labor hours and costs, budgeted overhead costs and estimated material costs; it should take into account the impact of technology on the manufacturing process and consider the proper basis on which to allocate costs)
    - Periodically evaluate the production process and estimate the costs associated with each stage of the process
  Risk: Poorly organized production process
    - See the Operations section of this Reference Manual
  Risk: Inability to identify the stage of production
    - Clearly define and organize each stage of production; appropriately document such stages
    - Establish systems to routinely identify stage of completion; periodically verify system is functioning properly

Objective 2 (O,F): Record actual costs incurred completely and accurately
  Risk: Inaccurate, untimely or unavailable information regarding actual costs incurred
    - Prenumber and account for the numerical sequence of requisitions of materials and component parts issued to and returned from production; investigate missing or duplicate (unmatched) items by people independent of the materials handling function
    - Reconcile records of labor and overhead charges to payrolls and overhead cost incurred; investigate differences
    - Prenumber and account for the numerical sequence of production reports or other records of finished production and transfers within work-in-process; reconcile those reports to quantities recorded; investigate missing documents and differences
    - Review and approve monthly summarizing entries
    - Maintain perpetual inventory records
    - Periodically balance the raw materials, work-in-process and finished goods records (previous balance plus additions less transfers out, compared with the current total)
    - Periodically count raw materials, work-in-process and finished goods inventories and compare with the perpetual records; investigate differences
    - Reconcile the perpetual records to the general ledger control accounts, and approve adjustments, by personnel other than those responsible for maintaining related perpetual records or for safeguarding inventories

Objective 3 (O,F): Determine variances from standard costs and their effect on inventory and cost of sales
  Risk: Variances are computed or recorded inaccurately
    - Compute variances for each appropriate product; verify completeness by comparison to product list or other appropriate document
    - Verify variance accuracy by re-computation or other appropriate methods
    - Review general ledger or other records to ensure variances are recorded accurately

Activity: PROVIDE FINANCIAL AND MANAGEMENT REPORTING

Objectives | O,F,C | Risks | Points of Focus for Actions/Control Activities

Objective 1 (O): Provide timely and accurate information needed by management and others to discharge their responsibility
  Risk: Information needs of management or others is unknown or not clearly communicated
    - Identify user information needs and update such needs periodically
    - Communicate information needs from users to preparers of management reports
  Risk: Due dates and relative priorities of management reports are not clarified or communicated
    - Determine due dates for all management reports, whether routine or nonroutine
    - Establish relative priorities for all management reports, whether routine or nonroutine
    - Communicate management report due dates and priorities to report preparers and users
    - Establish "tickler files" or other system to ensure due dates are routinely identified
  Risk: Information systems are incapable of providing necessary information
    - Identify information that the system is incapable of generating; identify necessary modifications to the system

Objective 2 (F,C): Prepare external financial reports on a timely basis and in compliance with applicable laws, regulations, rules or contractual agreements
  Risk: Information systems cannot provide necessary information in a timely manner
    - Identify and implement necessary systems changes
  Risk: Personnel are unaware of applicable laws, regulations, rules or contractual agreements
    - Retain competent personnel who are knowledgeable of, and have experience with, applicable laws, regulations or rules affecting the entity's external financial reporting
    - Review of significant contractual agreements by management or supervisory personnel responsible for preparation of external financial reports

Objective 3 (O,C): Maintain confidentiality of financial information
  Risk: Unauthorized personnel have access to financial information
    - Restrict report or information distribution to authorized personnel; periodically review and update distribution lists

Sample Filled-in Tools


This section presents the evaluation tools presented in blank form earlier, filled-in for ABC Company, a
hypothetical medium-size aerospace parts manufacturer. ABC Company recently acquired Laker Parts, a
smaller company in the same industry. The italicized entries illustrate how an evaluator might complete these
tools.

Control Environment

Points of Focus | Description/Comments

Integrity and Ethical Values

Management must convey the message that integrity and ethical values cannot be compromised, and employees must receive and understand that message. Management must continually demonstrate, through words and actions, a commitment to high ethical standards.

- Existence and implementation of codes of conduct and other policies regarding acceptable business practice, conflicts of interest, or expected standards of ethical and moral behavior. For example, consider whether:
  - Codes are comprehensive, addressing conflicts of interest, illegal or other improper payments, anticompetitive guidelines, insider trading.
  - Codes are periodically acknowledged by all employees.
  - Employees understand what behavior is acceptable or unacceptable, and know what to do if they encounter improper behavior.
  - If a written code of conduct does not exist, the management culture emphasizes the importance of integrity and ethical behavior. This may be communicated orally in staff meetings, in one-on-one interface, or by example when dealing with day-to-day activities.
  Description/Comments: The company does not have a formal code of conduct, but expectations of employee conduct are included in a manual. This is provided to all new employees.

- Establishment of the "tone at the top"—including explicit moral guidance about what is right and wrong—and extent of its communication throughout the organization. For example, consider whether:
  - Commitment to integrity and ethics is communicated effectively throughout the enterprise, both in words and deeds.
  - Employees feel peer pressure to do the right thing, or cut corners to make a "quick buck."
  - Management appropriately deals with signs that problems exist, e.g., potential defective products or hazardous wastes, especially when the cost of identifying problems and dealing with the issues could be large.
  Description/Comments: Management expects all employees to maintain high moral and ethical standards, and to conduct themselves accordingly. Management is conscious of setting an example through words and actions. This is done anecdotally and sporadically. Management's expectations are communicated to all employees in the manual, and expected to be reinforced by supervisors and workers alike.

- Dealings with employees, suppliers, customers, investors, creditors, insurers, competitors, and auditors, etc. (e.g., whether management conducts business on a high ethical plane, and insists that others do so, or pays little attention to ethical issues). For example, consider whether:
  - Everyday dealings with customers, suppliers, employees and other parties are based on honesty and fairness (e.g., customer's overpayment or a supplier's underbilling are not ignored, no efforts are made to find a way to reject an employee's legitimate claim for benefits, and reports to lenders are complete, accurate and not misleading).
  Description/Comments: Management maintains a high degree of integrity in its dealings, and requires its employees and agents to maintain similar levels. Departures from this requirement are dealt with quickly and severely; there are examples on file of actions taken with individuals and with regard to general communications. Few complaints alleging misconduct have been received from customers or others. Periodically, the CEO speaks with key customers and suppliers regarding their views of treatment by company personnel, and receives positive reactions.

- Appropriateness of remedial action taken in response to departures from approved policies and procedures or violations of the code of conduct. Extent to which remedial action is communicated or otherwise becomes known throughout the entity. For example, consider whether:
  - Management responds to violations of behavioral standards.
  - Disciplinary actions taken as a result of violations are widely communicated in the entity. Employees believe that, if caught violating behavioral standards, they'll suffer the consequences.
  Description/Comments: Departures that surface from policies and procedures or violations of behavior expectations are immediately dealt with in a manner commensurate with the infraction. Such remedial actions range from oral reminders of company policy to termination.

- Management's attitude towards intervention or overriding established controls. For example, consider whether:
  - Management has provided guidance on the situations and frequency with which intervention may be needed.
  - Management intervention is documented and explained appropriately.
  - Manager override is explicitly prohibited.
  - Deviations from established policies are investigated and documented.
  Description/Comments: Management has not attempted to override or bypass controls improperly. Employees are encouraged to report attempts to override controls, and management has supported individuals who have done so by recognizing this on their appraisals.

- Pressure to meet unrealistic performance targets—particularly for short-term results—and extent to which compensation is based on achieving those performance targets. For example, consider whether:
  - Conditions such as extreme incentives or temptations exist that can unnecessarily and unfairly test people's adherence to ethical values.
  - Compensation and promotions are based solely on achievement of short-term performance targets.
  - Controls are in place to reduce temptations that might otherwise exist.
  Description/Comments: Executives are salaried, and usually receive an additional cash bonus approximating 20% of salary largely related to achieving specific personal or activity objectives. As a result, management's compensation is based primarily on their individual and joint performance and that of the activity in which they work. Management believes that this compensation plan encourages individual initiative and teamwork. Because short-term compensation is only indirectly based on profitability, management has little incentive to manipulate operations or financial statements to improve operating results.

Conclusions/Actions Needed

Management has demonstrated its commitment to integrity and ethical behavior and has communicated that
commitment to all employees. The message is continual but anecdotal. Management should consider a more
planned program.

Commitment to Competence

Management must specify the level of competence needed for particular jobs, and translate the desired levels of competence into requisite knowledge and skills.

- Formal or informal job descriptions or other means of defining tasks that comprise particular jobs. For example, consider whether:
  - Management has analyzed, on a formal or informal basis, the tasks comprising particular jobs, considering such factors as the extent to which individuals must exercise judgment and the extent of related supervision.
  Description/Comments: The Company has formal written job descriptions for all supervisory personnel and, for jobs involving only few specific tasks, job duties are clearly communicated.

- Analyses of the knowledge and skills needed to perform jobs adequately. For example, consider whether:
  - Management has determined to an adequate extent the knowledge and skills needed to perform particular jobs.
  - Evidence exists indicating that employees appear to have the requisite knowledge and skills.
  Description/Comments: The job descriptions specify the knowledge and skills needed, either generally or in terms of the nature and extent of education, training and experience required. The human resources department uses these descriptions in hiring, training and promotion decisions.

Conclusions/Actions Needed

The existence of written job descriptions with defined tasks and parameters (e.g., education, training)
demonstrates clear management commitment to competence. Management should consider more formal job
descriptions for non-supervisory personnel.

Board of Directors or Audit Committee

An active and effective board, or committees thereof, provides


an important oversight function and, because of management's
ability to override system controls, the board plays an important
role in ensuring effective internal control.

 Independence from management, such that The board of directors consists of four outside
necessary, even if difficult and probing, ques-tions directors and three senior officers of the
are raised. For example, consider whether: company. Two of the outside directors are
business associates of the CEO and chairman.
 The board constructively challenges management's
The secretary and other board meeting guests
planned decisions, e.g., strategic initiatives and major
report lively discussions between management
transactions, and probes for explanations of past
and certain outside directors.
results (e.g., budget variances).

 A board that consists solely of an entity's officers and


employees (e.g., a small corporation) questions and
scrutinizes activities, presents alternative views and takes
appropriate action if necessary.

 Use of board committees where warranted by the need The board has an audit committee, composed of
for more in-depth or directed attention to particular three outside directors, and a compensation
matters. For example, consider whether: committee, composed of the four outside
directors.

Internal Use Only


Exported on 23/02/2022 10:29 pm © All rights are reserved. Page 693
 Board committees exist.

 They are sufficient, in subject matter and membership, to


deal with important issues adequately.

 Knowledge and experience of directors. For example, Most board members are experienced
consider whether: businesspeople. One, who owns 12% of the
outstanding common stock, is a physician who
 Directors have sufficient knowledge, industry
lacks direct management experience. All board
experience and time to serve effectively.
members who are also officers of the company
have extensive aerospace industry experience,
as does one of the outside directors.

 Frequency and timeliness with which meetings are held with chief financial and/or
accounting officers, internal auditors and external auditors. For example, consider whether:

 The audit committee meets privately with the chief accounting officer and internal and
external auditors to discuss the reasonableness of the financial reporting process, system
of internal control, significant comments and recommendations, and management's performance.

 The audit committee reviews the scope of activities of the internal and external auditors
annually.

Comments: The company's internal audit manager, a recent hire, meets quarterly with the
audit committee. The audit committee meets with the external auditors at least twice each
year, during audit planning and upon completion of the audit. The CFO is a director, and has
frequent interaction with other directors.

 Sufficiency and timeliness with which information is provided to board or committee
members, to allow monitoring of management's objectives and strategies, the entity's
financial position and operating results, and terms of significant agreements. For example,
consider whether:

 The board regularly receives key information, such as financial statements, major
marketing initiatives, significant contracts or negotiations.

 Directors believe they receive the proper information.

Comments: The board members are provided monthly financial statements, including a
comparison of current-year actual results to budget and the prior year, as well as certain
operating statistics and analyses. These are given by the fifteenth of each month in
sufficient detail to allow meaningful analysis prior to the Board meetings. Board meetings
are held on the last Friday of each month. Board approval is required for expenditures over
$250,000, and to accept any sales orders over $1,000,000. Board approval of sales orders is
normally received during special meetings conducted by telephone.

 Sufficiency and timeliness with which the board or audit committee is apprised of
sensitive information, investigations and improper acts (e.g., travel expenses of senior
officers, significant litigation, investigations of regulatory agencies, defalcations,
embezzlement or misuse of corporate assets, violations of insider trading rules, political
payments, or illegal payments). For example, consider whether:

 A process exists for informing the board of significant issues.

 Information is communicated timely.

Comments: Company policy dictates that the board be notified, by certified mail, within
three business days of any litigation deemed likely to result in loss of over $100,000, any
regulatory investigation, or defalcation, embezzlement or other improper act of any employee
or officer at or above the manager level. Any such act by an employee below the manager
level that results in a company loss in excess of $2,000 is reported to the board. Officer
expense accounts and perks are reviewed by the board semiannually.

 Oversight in determining the compensation of executive officers and head of internal
audit, and the appointment and termination of those individuals. For example, consider
whether:

 The compensation committee approves all management incentive plans tied to performance.

 The compensation committee, in joint consultation with the audit committee, deals with
compensation and retention issues regarding the chief internal auditor.

Comments: The compensation committee annually determines the compensation of the CEO and
the head of internal audit.

 Role in establishing the appropriate "tone at the top." For example, consider whether:

 The board and audit committee are involved sufficiently in evaluating the effectiveness
of the "tone at the top."

 The board takes steps to ensure an appropriate "tone."

 The board specifically addresses management's adherence to the code of conduct.

Comments: The board encourages management to establish and enforce high ethical and moral
standards. The outside directors do not actively participate in establishing those
standards, though they do monitor management's compliance with those standards.

 Actions the board or committee takes as a result of its findings, including special
investigations as needed. For example, consider whether:

 The board has issued directives to management detailing specific actions to be taken.

 The board oversees and follows up as needed.

Comments: The board ordinarily leaves follow-up to management's discretion, and rarely
conducts special investigations.

Conclusions/Actions Needed

The board of directors and audit committee contribute meaningfully to the effectiveness of the control
environment. Management should strive, however, to involve the board more closely in special investigations.

Management's Philosophy and Operating Style

The philosophy and operating style of management normally have a pervasive effect on an
entity. These are, of course, intangibles, but one can look for positive or negative signs.

 Nature of business risks accepted, e.g., whether management often enters into
particularly high-risk ventures, or is extremely conservative in accepting risks. For
example, consider whether:

 Management moves carefully, proceeding only after carefully analyzing the risks and
potential benefits of a venture.

Comments: Management is relatively risk averse, being conservative in its business
practices. The company's debt to equity ratio is among the lowest in the industry; business
acquisitions are researched thoroughly, evidenced by the plan developed for the Laker Parts
acquisition, which analyzed competition, markets, pricing structure and vendor and customer
relationships. Capital acquisitions are financed initially through existing bank credit
lines with permanent financing provided by collateralized long-term borrowings. The company
recently retained outside consultants to consider how to better control medical plan and
workers' compensation costs.

 Personnel turnover in key functions, e.g., operating, accounting, data processing,
internal audit. For example, consider whether:

 There has been excessive turnover of management or supervisory personnel.

 Key personnel have quit unexpectedly or on short notice.

 There is a pattern to turnover (e.g., inability to retain key financial or internal audit
executives) that may be an indicator of the emphasis that management places on control.

Comments: Personnel turnover has been at satisfactory levels for many years. There was
greater turnover at Laker Parts immediately prior to acquisition; such turnover was
apparently related to the pending sale of the company, and was not considered a problem by
management because it did not involve key skills.

 Management's attitude toward the data processing and accounting functions, and concerns
about the reliability of financial reporting and safeguarding of assets. For example,
consider whether:

 The accounting function is viewed as a necessary group of "bean counters," or as a
vehicle for exercising control over the entity's various activities.

 The selection of accounting principles used in financial statements always results in
the highest reported income.

 If the accounting function is decentralized, operating management "sign off" on reported
results.

 Unit accounting personnel also have responsibility to central financial officers.

 Valuable assets, including intellectual assets and information, are protected from
unauthorized access or use.

Comments: The information systems department consists of 10 full-time employees, including
two experienced managers who report to the CFO, with a current budget of $3 million,
sufficient for its needs.

Project estimates, such as costs to complete open contract jobs, are prepared by
knowledgeable personnel and reviewed and approved by appropriate operating and financial
management.

All financial reports are reviewed by the controller, the CFO and the CEO before release.
Annual financial statements are reviewed by the board of directors before release.

 Frequency of interaction between senior management and operating management,
particularly when operating from geographically removed locations. For example, consider
whether:

 Senior managers frequently visit subsidiary or divisional operations.

 Group or divisional management meetings are held frequently.

Comments: Senior management and operating management have frequent interaction in both
formal and informal settings, such as weekly management meetings and informal lunches. ABC
has only one location.

 Attitudes and actions toward financial reporting, including disputes over application of
accounting treatments (e.g., selection of conservative versus liberal accounting policies;
whether accounting principles have been misapplied, important financial information not
disclosed, or records manipulated or falsified). For example, consider whether:

 Management avoids obsessive focus on short-term reported results.

 Personnel do not submit inappropriate reports to meet targets (e.g., salespeople
submitting orders to meet targets, knowing customers will return goods in the next period).

 Managers do not ignore signs of inappropriate practices.

 Estimates do not stretch facts to the edge of reasonableness and beyond.

Comments: Management wants financial reports to be accurate and fairly presented.
Occasional disagreements arise between operating and financial management and between the
company and the external auditors, but management and the auditors work together to
determine proper accounting treatments. Such disagreements do not result in an adversarial
relationship with the auditors.

Conclusions/Actions Needed

Management's philosophy and operating style are conducive to effective internal control.

Organizational Structure

The organizational structure shouldn't be so simple that it cannot adequately monitor the
enterprise's activities nor so complex that it inhibits the necessary flow of information.
Executives should fully understand their control responsibilities and possess the requisite
experience and levels of knowledge commensurate with their positions.

 Appropriateness of the entity's organizational structure, and its ability to provide the
necessary information flow to manage its activities. For example, consider whether:

 The organizational structure is appropriately centralized or decentralized, given the
nature of the entity's operations.

 The structure facilitates the flow of information upstream, downstream and across all
business activities.

Comments: The organizational structure of the company has recently been modified to
accommodate the divestiture of the defense division and the acquisition of Laker Parts.
Management believes the new structure is appropriate. However, the new structure has not
been in place long enough to evaluate its effectiveness.

 Adequacy of definition of key managers' responsibilities, and their understanding of
these responsibilities. For example, consider whether:

 Responsibilities and expectations for the entity's business activities are communicated
clearly to the executives in charge of those activities.

Comments: Key managers' responsibilities have been redefined recently in conjunction with
the new organizational structure. Such responsibilities appear adequate for the company's
needs, but have not been tested over an extended period. Managers' performance indicates
they understand their responsibilities, which are reviewed with them annually.

 Adequacy of knowledge and experience of key managers in light of responsibilities. For
example, consider whether:

 The executives in charge have the required knowledge, experience and training to perform
their duties.

Comments: All officers have been with the company for at least five years, except for one
former Laker executive, and all are highly knowledgeable of the industry and their
responsibilities. Certain managers (i.e., controller and director of manufacturing) at Laker
Parts joined the company within the last six months, but held similar positions with other
companies in the aerospace industry.

 Appropriateness of reporting relationships. For example, consider whether:

 Established reporting relationships—formal or informal, direct or matrix—are effective,
and they provide managers information appropriate to their responsibilities and authority.

 The executives of the business activities have access to communication channels to
senior operating executives.

Comments: Reporting relationships are logical, and each activity manager reports to the
proper company officer. Reporting relationships ensure effective communication between
employees, supervisors, managers and officers.

 Extent to which modifications to the organizational structure are made in light of
changed conditions. For example, consider whether:

 Management periodically evaluates the entity's organizational structure in light of
changes in the business or industry.

Comments: The organizational structure is assessed on an as-needed basis. For example,
after the acquisition of Laker Parts, modifications such as integrating administrative
functions and consolidating purchasing activities were made to streamline operations.

 Sufficient numbers of employees exist, particularly in management and supervisory
capacities. For example, consider whether:

 Managers and supervisors have sufficient time to carry out their responsibilities
effectively.

 Managers and supervisors work excessive overtime, and are fulfilling the responsibilities
of more than one employee.

Comments: Because of the recent merger with Laker Parts, ABC has more employees than
needed. Layoffs are occurring, but management carefully considers who is terminated and the
effect the layoffs may have on control. Management evaluates employees' workload,
particularly those with supervisory and key control responsibilities, to ensure they are
able to discharge their responsibilities effectively.

Conclusions/Actions Needed

The company's organizational structure and reporting relationships are logical and fit the company's activities.
However, the recent changes require close monitoring of the effectiveness and appropriateness of the structure in
the near term. Pending layoffs as a result of the Laker Parts acquisition must be monitored for effects on
supervisory and key control responsibilities.

Assignment of Authority and Responsibility

The assignment of responsibility, delegation of authority and establishment of related
policies provide a basis for accountability and control, and set forth individuals'
respective roles.

 Assignment of responsibility and delegation of authority to deal with organizational
goals and objectives, operating functions and regulatory requirements, including
responsibility for information systems and authorizations for changes. For example,
consider whether:

 Authority and responsibility are assigned to employees throughout the entity.

 Responsibility for decisions is related to assignment of authority and responsibility.

 Proper information is considered in determining the level of authority and scope of
responsibility assigned to an individual.

Comments: Management delegates authority based on the individual's job responsibilities,
knowledge, skill and past performance. For example, only the CFO has the perspective
necessary to determine if requested program changes to information systems are feasible and
required. Accordingly, only he can authorize such changes. In sales, only experienced
personnel are assigned to service the large aircraft manufacturers. They are given
significant, but not absolute, authority to negotiate contracts, make concessions or take
other actions they deem necessary to ensure customer satisfaction. All significant
assignment of responsibility and delegation of authority are reviewed by appropriate senior
officers.

 Appropriateness of control-related standards and procedures, including employee job
descriptions. For example, consider whether:

 Job descriptions, for at least management and supervisory personnel, exist.

 They contain specific references to control-related responsibilities.

Comments: Job standards and control responsibilities are reviewed annually by each vice
president and activity manager. The CEO annually considers the appropriateness of reporting
relationships through the activity manager level.

 Appropriate numbers of people, particularly with respect to data processing and
accounting functions, with the requisite skill levels relative to the size of the entity
and nature and complexity of activities and systems. For example, consider whether:

 The entity has an adequate workforce—in numbers and experience—to carry out its mission.

Comments: Because of the recent acquisition of Laker Parts, there are more accounting
personnel than necessary. Management is planning to consolidate the accounting activities
and is currently evaluating personnel requirements. The information systems department
consists of two managers, four programmers and four operators, all of whom are well-trained
and competent. This staffing appears adequate for future needs.

 Appropriateness of delegated authority in relation to assigned responsibilities. For
example, consider whether:

 There is an appropriate balance between authority needed to "get the job done" and the
involvement of senior personnel where needed.

 Employees at the "right" level are empowered to correct problems or implement
improvements, and empowerment is accompanied by appropriate levels of competence and clear
boundaries of authority.

Comments: Job responsibilities are commensurate with needs and skills. Decision making is
pushed down to reasonable levels, with sufficient involvement of superiors as needed.

Conclusions/Actions Needed

Authority and responsibility are appropriately established and reviewed by senior management.

Human Resource Policies and Practices

Human resource policies are central to recruiting and retaining competent people to enable
the entity's plans to be carried out so its goals can be achieved.

 Extent to which policies and procedures for hiring, training, promoting and compensating
employees are in place. For example, consider whether:

 Existing personnel policies and procedures result in recruiting or developing competent
and trustworthy people necessary to support an effective internal control system.

 The level of attention given to recruiting and training the right people is appropriate.

 When formal documentation of policies and practices does not exist, management
communicates expectations about the type of people to be hired or participates directly in
the hiring process.

Comments: The human resources department has established policies and procedures for
hiring, training, promoting and compensating employees. Such policies and procedures are
reviewed and modified, as needed, at least annually. Also, the VP-Human Resources is
responsible for monitoring compliance with the established human resource policies and
procedures throughout the company and reports on compliance annually to the Board.

 Extent to which people are made aware of their responsibilities and expectations of them.
For example, consider whether:

 New employees are made aware of their responsibilities and management's expectations of
them.

 Supervisory personnel meet periodically with employees to review job performance and
suggestions for improvement.

Comments: All new supervisory employees are provided written job descriptions which explain
their responsibilities. Additionally, they are evaluated annually, and performance goals for
the following year are established. Their responsibilities are reviewed with them during
this evaluation. Supervisors communicate job duties to personnel who report to them.

 Appropriateness of remedial action taken in response to departures from approved
policies and procedures. For example, consider whether:

 Management's response to failures to carry out assigned responsibilities is appropriate.

 Appropriate corrective action is taken as a result of non-adherence to established
policies.

 Employees understand that ineffective performance will result in remedial consequences.

Comments: Departures from policies and procedures or violations of behavioral expectations
are dealt with in a manner commensurate with the infraction. Remedial actions can range
from oral reminders of company policy to additional training to termination.

 Extent to which personnel policies address adherence to appropriate ethical and moral
standards. For example, consider whether:

 Integrity and ethical values is a criterion in performance appraisals.

Comments: Adherence to ethical standards is a factor specifically addressed on the annual
performance evaluation form, and must be considered in the evaluation process.

 Adequacy of employee candidate background checks, particularly with regard to prior
actions or activities considered to be unacceptable by the entity. For example, consider
whether:

 Candidates with frequent job changes or gaps in employment history are subjected to
particularly close scrutiny.

 Hiring policies require investigation for a criminal record.

Comments: For all prospective employees, at least three references, business and personal,
are contacted. Employees hired at a supervisor or higher level are interviewed by an
industrial psychologist.

 Adequacy of employee retention and promotion criteria and information-gathering
techniques (e.g., performance evaluations) and relation to the code of conduct or other
behavioral guidelines. For example, consider whether:

 Promotion and salary increase criteria are detailed clearly so that individuals know what
management expects prior to promotions or advancement.

 Criteria reflect adherence to behavioral standards.

Comments: All employees must comply with the company's behavioral expectations to retain
their jobs. Candidates for promotion to supervisor or higher level must have demonstrated a
commitment to ethical standards through their own actions, and by setting an example for
other employees. Information is accumulated primarily through the performance evaluation
process, and less formally through memos or comments submitted by supervisors or peers.
Comments indicating departure from behavioral standards are investigated before being
considered in retention or promotion decisions.

Conclusions/Actions Needed

Personnel policies and practices are appropriate.

Component Summary-Conclusions/Actions Needed

Management has a commitment to integrity, ethical behavior and competence. The board's involvement in the
company's activities is generally appropriate, though it could be more involved in special investigations.
Management's philosophy and operating style are appropriate as are the organizational structure and assignment
of authority and responsibility. Management must continue to monitor the effects of the acquisition of Laker Parts,
especially the revised organizational structure and pending layoffs. Personnel policies and practices are adequate.

Risk Assessment
Points of Focus Description Comments

Entity-Wide Objectives

For an entity to have effective control, it must have established objectives. Entity-wide
objectives include broad statements of what an entity desires to achieve, and are supported
by related strategic plans. Describe the entity-wide objectives and key strategies that have
been established.

Comments: The objectives, as documented in ABC's business plan and confirmed by management,
are:

Operations—Become a leader in providing high-quality aerospace parts critical to
flight-safety. Within five years, reach a 2 percent share of the domestic market and a 10
percent share of the foreign market.

 Earn an 18 percent return on total investment.

 Provide employees challenging opportunities and stable employment.

Financial Reporting—Issue timely financial statements that comply with generally accepted
accounting principles.

Compliance—Comply with the letter and the spirit of all applicable laws and regulations.

 Extent to which the entity-wide objectives provide sufficiently broad statements and
guidance on what the entity desires to achieve, yet which are specific enough to relate
directly to this entity. For example, consider whether:

 Management has established entity-wide objectives.

 The entity-wide objectives are different than generic objectives that could apply to any
entity (e.g., generate sufficient cash flow to service debt, or produce a reasonable return
on investment).

Comments: These objectives state what this company wants to achieve in terms of quality,
market, market share and return on investment. These are necessarily broad statements, yet
tailored to this company. They provide direction and guidance for management and employees.

 Effectiveness with which the entity-wide objectives are communicated to employees and
board of directors. For example, consider whether:

 Information on the entity-wide objectives is disseminated to employees and the board of
directors.

 Management obtains feedback from key managers, other employees and the board signifying
that communication to employees is effective.

Comments: These objectives are included in our annual business plan, distributed to
employees and discussed at the annual employees' meeting and in various departmental and
unit meetings. The board of directors helps to establish entity-wide objectives and approves
the business plan.

 Relation and consistency of strategies with entity-wide objectives. For example,
consider whether:

 The strategic plan supports the entity-wide objectives.

 It addresses high level resource allocations and priorities.

Comments: Strategic plans (driving at producing to strict tolerances in a total quality
program, and directing marketing resources to key players and influencers) support the
operations objectives.

 Consistency of business plans and budgets with entity-wide objectives, strategic plans
and current conditions. For example, consider whether:

 Assumptions inherent in the plans and budgets reflect the entity's historical experience
and current conditions.

 Plans and budgets are at an appropriate level of detail for each management level.

Comments: The company's five-year business plan is updated annually by management and is
approved by the board. It reflects implementation strategies for achieving the stated
company-wide objectives. Part of the annual updating of the business plan includes
identifying departmental and unit objectives, and establishing detailed operating and
capital expenditure budgets. Departmental and unit managers are actively involved in
establishing objectives and budgets. All plans and budgets are reviewed and approved by
senior management, assuring that plans and budgets are consistent with one another, and
reflect historical experience and current economic industry conditions.

Conclusions/Actions Needed

The company-wide objectives and strategies are set at an appropriate level and are linked, addressing what the
entity is to achieve and how it will be achieved.

Activity-Level Objectives

Activity-level objectives flow from and are linked with the entity-wide objectives and
strategies. Activity-level objectives are frequently stated as goals with specific targets
and deadlines. Objectives should be established for each significant activity, and those
activity-level objectives should be consistent with each other.

 Linkage of activity-level objectives with entity-wide objectives and strategic plans.
For example, consider whether:

 Adequate linkage exists for all significant activities.

 Activity-level objectives are reviewed from time to time for continued relevance.

Comments: Activity-level objectives are based on and flow from the entity-wide objectives
and strategic plans. Unit heads present activity objectives to their vice president who
ensures the linkage with the entity-wide objectives. For instance, with emphasis on
producing high quality parts critical to flight-safety, vendor qualification requirements
were modified to highlight quality considerations; and receiving department procedures,
employee head count, training requirements and equipment acquisitions were all modified to
reflect the increased importance of material testing. Production processes were altered,
and additional quality assurance personnel hired.

 Consistency of activity-level objectives with each other. For example, consider whether:

 They are complementary and reinforcing within activities.

 They are complementary and reinforcing between activities.

Comments: Activity-level objectives are designed to support achievement of entity-wide
objectives. To ensure consistency, senior management reviews objectives of all activities
for which they are responsible. The CEO also reviews activity-level objectives to provide a
broad perspective and to ensure consistency.

 Relevance of activity-level objectives to all significant business processes. For
example, consider whether:

 Objectives are established for key activities in the flows of goods and services and
support activities.

 Activity-level objectives are consistent with past practices and performances or with
industry or functional analogues, or the reasons for variance have been considered.

 Objectives are established for each significant activity. These activities may include,
among others (the activities listed derive from a generic business model, pages 52 to 55;
illustrative objectives for each of these activities are presented in the Reference Manual,
pages 57 to 129):

Inbound
Operations
Outbound
Marketing and Sales
Service
Procurement
Technology Development
Human Resources
Manage the Enterprise
Manage External Relations
Provide Administrative Services
Manage Information Technology
Manage Risks (of accident or other insurable loss)
Manage Legal Affairs
Plan
Process Accounts Payable
Process Accounts Receivable
Process Funds
Process Fixed Assets
Analyze and Reconcile
Process Benefits and Retiree Information
Process Payroll
Process Tax Compliance
Process Product Costs
Provide Financial and Management Reporting

Comments: Supervised by the appropriate vice president, each department annually reviews
its participation in business processes to ensure they support activity-level objectives.
Specific attention is devoted to adequacy of information and to the appropriateness of each
employee's activities. Activity-level objectives are consistent with the company's
objectives and practices of the last four years. Companies within the industry share similar
objectives and practices.

Each department or unit develops objectives in conjunction with the annual business plan
update. See pages 182 to 199 for analysis of "Inbound" activities. [Similar analyses for
other activities are not shown.]

 Specificity of activity-level objectives. For example, consider whether:

 Objectives include measurement criteria.

Comments: Activity-level objectives are as specific as possible. They are defined in a
manner that makes determination of objective achievement a fairly simple matter.

 Adequacy of resources relative to objectives. For example, consider whether:

 Management has identified the resources needed to achieve the objectives.

 Plans exist for acquiring necessary resources (e.g., financing, personnel, facilities,
technology).

Comments: Business plans and budgets are based on and drive needs and allocations. They
also serve as a "reality check" on new initiatives. For instance, the business plan for
developing a line of navigational equipment indicated that the necessary financial and
management resources could be obtained only at unacceptably high cost and risk.
Accordingly, the plan was discarded.

• Identification of objectives that are important (critical success factors) to achievement of entity-wide objectives. For example, consider whether:
  • Management has identified what must go right, or where failure must be avoided, for entity-wide objectives to be achieved.
  • Capital spending and expense budgets are based on management's analysis of the relative importance of objectives.
  • The objectives serving as critical success factors provide a basis for particular management focus.

Comments: The company has prioritized activity-level objectives into three categories: critical, important and supportive. These prioritizations are reviewed regularly and whenever a changed condition requires modification of objectives or how the company does business.

• Involvement of all levels of management in objective setting and extent to which they are committed to the objectives. For example, consider whether:
  • Managers participate in establishing activity objectives for which they are responsible.
  • Procedures exist to resolve disagreements.
  • Managers support the objectives, and do not have "hidden agendas."

Comments: All managers are involved in establishing entity-wide objectives. Final decisions are made by senior management (CFO, manufacturing and marketing vice presidents), after considering the managers' input. Modifications to activity-level objectives are discussed by the appropriate vice president and unit manager. Unresolved issues are addressed by the CEO. Unit plans are modified as necessary based on the final objectives.

Conclusions/Actions Needed

Activity-level objectives are linked to the entity-wide objectives. Managers' involvement in developing the activity-level objectives contributes to establishing achievable goals.

Risks

An entity's risk-assessment process should identify and consider the implications of relevant risks, at both the entity level and the activity level. The risk-assessment process should consider external and internal factors that could impact achievement of the objectives, should analyze the risks, and provide a basis for managing them.

• Adequacy of mechanisms to identify risks arising from external sources. For example, consider whether management considers risks related to:
  • Supply sources
  • Technology changes
  • Creditor's demands
  • Competitor's actions
  • Economic conditions
  • Political conditions
  • Regulation
  • Natural events

Comments: Management obtains input on entity risks from industry consultants and analysts, lawyers, external auditors and board members. Management's assessment of key risks follows:

Risk: Vendor's inability to supply materials that consistently meet the Company's production specifications.
The Company has an effective quality control function and monitors each vendor's performance. Procedures at the Inbound Activity level are adequate to address this risk.

Risk: Insufficient vendor production capacity to meet the Company's demand for materials.
Several major vendors are available to meet the Company's supply needs. Appears to be little exposure to a shortage of suppliers. The Company's Purchasing Activity monitors available vendors.

Risk: Significant jump in material costs due to changes in demand or economic conditions.
Material costs do fluctuate periodically in response to changes in commodities prices. Company should consider using futures contracts for certain materials to hedge cost increases.

Risk: Federal Trade Commission investigation of Laker Parts acquisition for possible restraint of trade.
The Company projects having a 2% and 10% share of the domestic and foreign markets, respectively. An unfavorable ruling is unlikely.

Risk: Assessments from the Internal Revenue Service's examination of "open" federal income tax returns.
Tax returns for the three previous years are open for IRS examination. The Company maintains conservative tax practices and has established reserves for possible tax assessments.

Risk: FAA may place further onerous requirements on production of replacement parts used in the airline industry.
It is likely that the FAA will require replacement parts to be more durable. Research and development is currently considering alternative production processes and materials. We are probably slightly ahead of competitors in this regard.

Risk: A major competitor's penetration of foreign markets as a result of its recent acquisition of a German company, jeopardizing ABC's achieving a 10% share of the foreign market within five years.
Sales and Marketing Activities are considering this factor in developing strategies to penetrate foreign markets and achieve the Company's growth objectives.

Risk: Pentagon cutbacks on defense spending could result in excess production capacity.
ABC has a 3-year backlog of government contracts. No immediate impact of government spending reductions.

Risk: Economic and political conditions could curb commercial airline travel and reduce demand for new aircraft.
Airline travel may fall during the next several years but demand for parts should remain strong, due to a large backlog for new aircraft and an aging airline fleet. No significant impact is expected.

Risk: An unstable U.S. dollar coupled with increased sales to foreign companies could result in foreign currency exchange losses.
Consider hedging foreign currency transactions.

Risk: ABC's major competitors have modernized production processes and reduced their labor force by 15%. The Company has been slow to do likewise.
This needs immediate attention, or there could be a risk of losing business.

• Adequacy of mechanisms to identify risks arising from internal sources. For example, consider whether management considers risks related to:
  • Human resources, such as retention of key management personnel or changes in responsibilities that can affect the ability to function effectively.
  • Financing, such as availability of funds for new initiatives or continuation of key programs.
  • Labor relations, such as compensation and benefit programs to keep the entity competitive with others in the industry.
  • Information systems, such as the adequacy of back-up systems in the event of failure of systems that could significantly affect operations.

Comments: Risks from internal sources are evaluated. Management's assessment of such risks follows:

Risk: The Company may experience short-term cash flow problems because of its recent acquisition of Laker Parts and its plans to increase cash dividends to shareholders.
Projections show that combining Laker Parts and ABC will result in annual cash savings of approximately $2.8 million per year, starting third quarter this year. Cash flow from operations of approximately $2.5 million is sufficient to service the acquisition debt. Capital expenditures are being financed through long-term collateralized financing. The Company has additional borrowing capacity, as evidenced by an unused $4.5 million revolving line of credit. No further actions are necessary to control this risk.

Risk: Profit margins on certain product lines are shrinking.
ABC is shifting the emphasis on certain product lines, moving away from lower-margin products to higher-margin, flight-safety-critical parts. In addition, expanding markets in Europe offer new opportunities. The business plan addresses these issues, and performance to plan should be closely monitored. No additional actions are necessary.

Risk: Labor strife.
ABC foresees no labor problems. The union workforce is fully staffed with experienced and capable people. Relations with the Company's in-house labor bargaining unit are good. The union contract is scheduled to be renegotiated in 1992. No action needed.

Risk: Because of the recent acquisition of Laker Parts, selected administrative positions have been eliminated, creating uncertainty among some employees about long-term job security.
Management has taken steps to limit fallout from these layoffs:
  • Management has communicated why the layoffs were necessary, and provided evidence that they relate solely to the acquisition and not to long-term business problems.
  • Terminated employees were given generous severance packages.
  • Supervisory personnel are monitoring employee morale.

Risk: Integrating the operations and information systems of Laker Parts could disrupt existing operations (e.g., manufacturing, quality assurance and marketing).
The Vice President-Operations has been charged with the responsibility of integrating the Laker Parts operation. The integration plan, approved by the CEO, includes deadlines and performance measures. The status of integration and any deviation from schedule are reported weekly.

• Identification of significant risks for each significant activity-level objective. (Consider risks identified with respect to each of the activities identified under "activity-level objectives"; illustrative risks relative to common objectives are presented in the Reference Manual, pages 57 to 129.)

Comments: Business plans and budgets for key activities relate activity-level objectives to risks and action plans. See pages 182 to 199. [Similar analyses for other activities are not shown.]

• Thoroughness and relevance of the risk analysis process, including estimating the significance of risks, assessing the likelihood of their occurring and determining needed actions. For example, consider whether:
  • Risks are analyzed through formal processes or informal day-to-day management activities.
  • The identified risks are relevant to the corresponding activity objective.
  • Appropriate levels of management are involved in analyzing the risks.

Comments: As noted, the business planning and budgeting process includes analyzing risks that might affect the company. Senior management also has monthly meetings to discuss recent events and how the company might be affected.

Conclusions/Actions Needed

The company's process for identifying and analyzing risk is adequate based on the nature of the company's
operations. Items identified as needing attention include:

— Consider techniques to hedge cost increases for certain materials.

— Immediately assess progress on modernizing production processes.

— Monitor integration and market/product-shift projects.

Managing Change

Economic, industry and regulatory environments change and entities' activities evolve. Mechanisms are needed to identify and react to changing conditions.

• Existence of mechanisms to anticipate, identify and react to routine events or activities that affect achievement of entity or activity-level objectives (usually implemented by managers responsible for the activities that would be most affected by the changes). For example, consider whether:
  • Routine changes are addressed as part of the normal risk identification and analysis process, or through separate mechanisms.
  • Risks and opportunities related to the changes are addressed at sufficiently high levels in the organization so their full implications are identified and appropriate action plans formulated.
  • All activities within the entity significantly affected by the change are brought into the process.

Comments: Functional managers identify routine events or changing conditions affecting their spheres of responsibility. Management holds semimonthly meetings where identified changes are discussed and action plans are formulated. Follow-up occurs at subsequent meetings, with decisions made regarding the need for new controls.

• Existence of mechanisms to identify and react to changes that can have a more dramatic and pervasive effect on the entity, and may demand the attention of top management. For example, for each of the following areas of potential change, consider whether:
  • Changed operating environment:
    • Market research or other programs identify major shifts in customer demographics, preferences or spending patterns.
    • The entity is aware of significant shifts in the workforce—externally or internally—that could affect available skill levels.
    • Legal counsel periodically updates management on the implications of new legislation.
  • New personnel:
    • Special action is taken to ensure new personnel understand the entity's culture and perform accordingly.
    • Consideration is given to key control activities performed by personnel being moved.
  • New or redesigned information systems:
    • Mechanisms exist to assess the effects of new systems.
    • Procedures are in place to reconsider the appropriateness of existing control activities when new computer systems are developed and go "live."
    • Management knows whether systems development and implementation policies are adhered to despite pressures to "short-cut" the process.
    • Attention is given to the effect of new systems on information flows and related controls, and employee training, including focus on employee resistance to change.
  • Rapid growth:
    • Systems capability is upgraded to handle rapidly increasing volumes of information.
    • Workforce in operations, accounting and data processing is expanded as needed to keep pace with increased volume.
    • A process for revising budgets or forecasts exists.
    • A process exists for considering interdepartmental implications of revised unit objectives and plans.
  • New technology:
    • Information on technological developments is obtained through reporting services, consultants, seminars or perhaps joint ventures with companies in the forefront of research and development relevant to the entity.
    • New technologies, or applications, developed by competitors are monitored.
    • Mechanisms exist for taking advantage, and controlling the use, of new technology applications, incorporating them into production processes or information systems.
  • New lines, products, activities and acquisitions:
    • The ability exists to reasonably forecast operating and financial results.
    • The adequacy of existing information systems and control activities for the new line, product or activity is assessed.
    • Plans are developed for recruiting and training people with the requisite expertise to deal with new products or activities.
    • Procedures are in place to track early results, and to modify production and marketing as needed.
    • Financial reporting, legal and regulatory requirements are identified and complied with.
    • The effects on other company products, and on profitability, are monitored.
    • Overhead allocations are modified to reflect product contribution accurately.
  • Corporate restructuring:
    • Staff reassignments or reductions are analyzed for their potential effect on related operations.
    • Transferred or terminated employees' control responsibilities are reassigned.
    • Impact on morale of remaining employees, after major downsizing, is considered.
    • Safeguards exist to protect against disgruntled former employees.
  • Foreign operations:
    • Management keeps abreast of the political, regulatory, business and social culture of areas in which foreign operations exist.
    • Personnel are made aware of accepted customs and rules.
    • Alternative procedures exist in case activities of or communication mechanisms with foreign operations are interrupted.

Comments: Management uses a variety of mechanisms to identify events or activities that may affect achievement of objectives. These include reviewing business and industry publications, participation in industry associations, and use of consultants and other professionals to acquire specific information. Outside counsel monitors legal developments that could affect the company. Top management monitors changes in the national economy and the health of the aircraft industry (e.g., new orders, backlogs, types of aircraft being ordered, changing technologies, employment levels) through an industry reporting service. Activities of competitors are monitored through trade association affiliations, frequent interaction with the aircraft manufacturers and analysis of competitor proposal bids.

The company has had little turnover, especially in key control functions. All new employees or executives (e.g., from Laker Parts) in such key positions are carefully supervised initially to ensure the appropriateness of their actions and focus.

The Vice President of Engineering/Research monitors new technologies that can be incorporated in the company's products, or are being developed by competitors. Such technologies are brought to the attention of senior management and the board. The Vice President of Operations monitors technological developments that could be used in the manufacturing process, and the CFO and Information Systems manager identify new technologies that can be incorporated in the company's information systems. Implementation plans are developed by department or activity managers and senior management, and approved by the board of directors.

When considering development of new product lines, considerable attention is given to customer demand, production capabilities, profitability implications, information systems needs, etc. The "new product development" form provides the discipline for focusing on these issues.

Staff reassignments or reductions as a result of the Laker Parts acquisition are approved by the vice president responsible for each activity. Managers and supervisors have been told to be particularly sensitive to signs of possible morale problems. Management has held employee meetings to explain the reasons for the reductions and to emphasize the strength and stability of ABC, Inc. Unit managers meet individually with their V.P. to decide what action might be needed to alleviate morale problems.

Because the company plans on expanding its penetration of the European market, we have hired local personnel with substantial aviation experience to lead operations in key countries, including the U.K., Germany and France. Their responsibilities include monitoring changes in the industry and business community, focusing particularly on the unification of the European Community.

Conclusions/Actions Needed

Controls to identify and react to changes are adequate.

Continue to watch for potential morale weakness from former Laker Parts employees. Consider having human
resources periodically survey attitudes and monitor performance.

Component Summary-Conclusions/Actions Needed

The procedures for linking company-wide objectives with activity-level objectives are appropriate. Manager
involvement at all levels contributes to establishing achievable goals. Risk assessment processes for identifying
and analyzing risks are appropriate, as are the mechanisms to monitor changing conditions.

Management should consider techniques to mitigate risk of price fluctuation for certain materials. Management
should also determine how to speed progress in modernizing plant facilities. Morale weakness from the Laker
Parts acquisition should continue to be monitored.

Control Activities
Points of Focus Description Comments

Control activities encompass a wide range of policies and the related implementation procedures that help ensure that management's directives are effected. They help ensure that those actions identified as necessary to address risks to achieve the entity's objectives are carried out.

• Existence of appropriate policies and procedures necessary with respect to each of the entity's activities.
  All relevant objectives and associated risks for each significant activity should have been identified in conjunction with evaluating Risk Assessment. Reference may be made to the Reference Manual (pages 57 to 129), which presents, for common business activities, illustrative objectives, risks, and "points of focus for actions/control activities." The listings in that latter column may be useful in identifying what actions management has directed to address the risks, and considering the appropriateness of control activities the entity applies to see that the actions are carried out. It should be recognized that points of focus for general controls (or general computer controls) are presented in the Reference Manual under the activity "Manage Information Technology."

Comments: Unit managers develop controls relevant to their particular activity's plans and programs. Controls for critical success factors are reviewed by the respective Vice Presidents. See pages 182 to 199 for control activities related to the inbound activity. [Similar analyses for other activities are not shown.]

• Identified control activities in place are being applied properly. For example, consider whether:
  • Controls described in policy manuals are actually applied and are applied the way that they're supposed to be.
  • Appropriate and timely action is taken on exceptions or information that requires follow-up.
  • Supervisory personnel review the functioning of controls.

Comments: ABC's policies require, and training programs emphasize the importance of, following up on deviations from expected results or plans to determine the cause for the deviation. Employees are evaluated on their follow-up actions.

Component Summary-Conclusions/Actions Needed

The company's process for identifying control activities is based on its objectives and risks, and appears to be
effective.

Control activities are in place for significant plans and programs. They are responsive to management's needs.

Actions needed with respect to inbound activities:

• Policies and procedures must be developed to improve the flow of large quantities of materials through receiving and testing.
• Consideration should be given to eliminating any overlap in the use of engineering personnel in initial testing.
• Management should consider establishing policies to control situations where personnel place undue pressure on receiving to accept materials.
• Management should consider providing training on laws and regulations relating to hazardous materials.

Information and Communication


Points of Focus Description Comments

Information

Information is identified, captured, processed and reported by information systems. Relevant information includes industry, economic and regulatory information obtained from external sources, as well as internally generated information.

• Obtaining external and internal information, and providing management with necessary reports on the entity's performance relative to established objectives. For example, consider whether:
  • Mechanisms are in place to obtain relevant external information—on market conditions, competitors' programs, legislative or regulatory developments and economic changes.
  • Internally generated information critical to achievement of the entity's objectives, including that relative to critical success factors, is identified and regularly reported.
  • The information that managers need to carry out their responsibilities is reported to them.

Comments: The entity-wide strategic plan, developed by management, identifies the internally and externally generated information required to analyze and monitor the entity-wide objectives. Information derived from external sources, such as Dun & Bradstreet, trade association publications and outside counsel, includes industry, economic and regulatory data for analysis of market and industry trends, safety records, market share information and compliance with aviation standards. Internally generated information includes reports of gross margins on various product lines and service quality offered by the Company. (See also Risk Assessment.)

• Providing information to the right people in sufficient detail and on time to enable them to carry out their responsibilities efficiently and effectively. For example, consider whether:
  • Managers receive analytical information that enables them to identify what action needs to be taken.
  • Information is provided at the right level of detail for different levels of management.
  • Information is summarized appropriately, providing pertinent information while permitting closer inspection of details as needed rather than just a "sea of data."
  • Information is available on a timely basis to allow effective monitoring of events and activities—internal and external—and prompt reaction to economic and business factors and control issues.

Comments: Project groups, in liaison with the Information Systems Steering Committee, identify information required by users to run the Company's operations effectively, and are responsible for ensuring that any deficiencies in the current information systems are addressed by the information system initiatives. Information due dates have been clearly defined and agreed upon by management. Actual performance, including availability and response times, is monitored weekly and reported to the CFO.

• Development or revision of information systems based on a strategic plan for information systems—linked to the entity's overall strategy—and responsive to achieving the entity-wide and activity-level objectives. For example, consider whether:
  • A mechanism (e.g., an information technology steering committee) is in place for identifying emerging information needs.
  • Information needs and priorities are determined by executives with sufficiently broad responsibilities.
  • A long-range information technology plan has been developed and linked with strategic initiatives.

Comments: The strategic plan for information systems is developed by the Information Systems Steering Committee, comprising management representatives from each user activity area. The plan is updated annually in conjunction with revisions of the Company's business plan, and on an interim basis whenever significant revisions are made to the business plan, to ensure that information systems continue to support the entity's needs.

• Management's support for the development of necessary information systems is demonstrated by the commitment of appropriate resources—human and financial. For example, consider whether:
  • Sufficient resources (managers, analysts, programmers with the requisite technical abilities) are provided as needed to develop new or enhanced information systems.

Comments: Management established the Information Systems Steering Committee, whose members devote substantial time to evaluating the adequacy of existing systems and developing recommended system enhancements.

Conclusions/Actions Needed

Information systems provide management with the information it wants, and on a timely basis, to manage the
company effectively.

Communication

Communication is inherent in information processing. Communication also takes place in a broader sense, dealing with expectations and responsibilities of individuals and groups. Effective communication must occur down, across and up an organization and with parties external to the organization.

• Effectiveness with which employees' duties and control responsibilities are communicated. For example, consider whether:
  • Communication vehicles—formal and informal training sessions, meetings and on-the-job supervision—are sufficient in effecting such communication.
  • Employees know the objectives of their own activity and how their duties contribute to achieving those objectives.
  • Employees understand how their duties affect, and are affected by, duties of other employees.

Comments: Following issuance of the annual report, the CEO holds a meeting with employees to review the year's results. He also discusses the company-wide objectives for the coming year, and how management intends to achieve those objectives. Following that meeting, departmental vice presidents meet with unit personnel to explain how the activities of that unit relate to achieving the company-wide objectives.

As part of initial training, all employees are provided with information regarding their duties and how those duties impact other employees in their own and other units. Many employees are cross-trained, which further strengthens this understanding. Each employee receives an annual evaluation, during which his or her responsibilities are discussed, to ensure he or she fully understands them.

• Establishment of channels of communication for people to report suspected improprieties. For example, consider whether:
  • There's a way to communicate upstream through someone other than a direct superior, such as an ombudsman or corporate counsel.
  • Anonymity is permitted.
  • Employees actually use the communication channel.
  • Persons who report suspected improprieties are provided feedback, and have immunity from reprisals.

Comments: The employee handbook states that suspected violations of company policies or behavioral standards should be reported to a vice president, as described above. Such reports can be made anonymously.

Employees have utilized existing communication channels to report suspected improprieties. Additionally, employees from time to time ask their supervisors for policy interpretations and for guidance when proper actions or behavior is not clearly evident.

The company does not provide feedback to employees who report suspected improprieties, except to thank them for their concern. Employees who report suspected improprieties are immune from reprisals, unless it is discovered (as occurred once) that the report was fabricated and filed with malicious intent. Management encourages employees to report suspected improprieties and has investigated all such reports.

• Receptivity of management to employee suggestions of ways to enhance productivity, quality or other similar improvements. For example, consider whether:
  • Realistic mechanisms are in place for employees to provide recommendations for improvement.
  • Management acknowledges good employee suggestions by providing cash awards or other meaningful recognition.

  Comments: Senior management is receptive to constructive suggestions regardless of their source. On several occasions, cash awards have been made for particularly good suggestions. Several department managers are not receptive to such suggestions, and are being encouraged to be more open to them.

• Adequacy of communication across the organization (for example, between procurement and production activities) and the completeness and timeliness of information and its sufficiency to enable people to discharge their responsibilities effectively. For example, consider whether:
  • Salespeople inform engineering, production and marketing of customer needs.
  • Accounts receivable personnel advise the credit approval function of slow payers.
  • Information on competitors' new products or warranties reaches engineering, marketing and sales personnel.

  Comments: Communication between departments or units is generally good. Employees are evaluated on how well they work with other activities. Also, many functions are integrated for purposes of bonus computations. Sales, procurement, inbound and manufacturing, for example, are all evaluated based on a number of factors, including profitability.

• Openness and effectiveness of channels with customers, suppliers and other external parties for communicating information on changing customer needs. For example, consider whether:
  • Feedback mechanisms with all pertinent parties exist.
  • Suggestions, complaints and other input are captured and communicated to relevant internal parties.
  • Information is reported upstream as necessary and follow-up action taken.

  Comments: Salespeople actively seek feedback from customers as it relates to complaints, design improvement, repair needs, and the like. Input is communicated to the appropriate personnel (e.g., engineering and production) at the biweekly joint departmental meetings. Sales and operating management meet with key customers and suppliers periodically to obtain firsthand input.

• Extent to which outside parties have been made aware of the entity's ethical standards. For example, consider whether:
  • Important communications to outside parties are delivered by management level commensurate with the nature and importance of the message (e.g., senior executive periodically explains in writing the entity's ethical standards to outside parties).
  • Suppliers, customers and others know the entity's standards and expectations regarding actions in dealing with the entity.
  • Such standards are reinforced in routine dealings with outside parties.
  • Improprieties by employees of external parties are reported to the appropriate personnel.

  Comments: Management does not formally notify outside parties of ethical standards and expectations. However, the entity has a well-known reputation within the community and the industry of being honest and ethical, and its reputation is reinforced in dealings with outside parties. Letters received by the CEO, as well as input received in discussions with key customers and suppliers, evidence appropriate behavior.

• Timely and appropriate follow-up action by management resulting from communications received from customers, vendors, regulators or other external parties. For example, consider whether:
  • Personnel are receptive to reported problems regarding products, services or other matters, and such reports are investigated and acted upon.
  • Errors in customer billings are corrected, and the source of the error is investigated and corrected.
  • Appropriate personnel—independent of those involved with the original transactions—process complaints.
  • Appropriate actions are taken and there is follow-up communication with the original sources.
  • Top management is aware of the nature and volume of complaints.

  Comments: Management follows up quickly on communications from outside parties that indicate problems within the internal control system, or that employees may have acted inappropriately. These external sources are viewed as valuable indicators of potential problems that need to be addressed. Customer complaints and related follow-up actions are reported formally to the CEO. Management requires a response to all external communications, indicating the investigation results, and thanking the initiator for his or her time and effort.

Conclusions/Actions Needed

Generally, communication within the company, and between the company and external parties, is effective. The
following items will be considered to enhance effective communication further:

• Develop a formal corporate code of conduct.
• Further encourage department managers to solicit and consider constructive suggestions from personnel at all levels.

Component Summary-Conclusions/Actions Needed

Information and communication policies and procedures are effective. Management should consider developing a
formal corporate code of conduct and encouraging department managers to solicit and consider constructive
suggestions from personnel.

Monitoring
Word version: 7_Monitoring.doc

Points of Focus Description Comments

Ongoing Monitoring

Ongoing monitoring occurs in the ordinary course of operations, and includes regular management and supervisory activities, and other actions personnel take in performing their duties that assess the quality of internal control system performance.

• Extent to which personnel, in carrying out their regular activities, obtain evidence as to whether the system of internal control continues to function. For example, consider whether:
  • Operating management compares production, inventory, sales or other information obtained in the course of their daily activities to systems-generated information.
  • Integration or reconciliation of operating information used to manage operations with data generated by the financial reporting system.
  • Operating personnel are required to "sign off" on the accuracy of their units' financial statements, and are held responsible if errors are discovered.

  Comments: Senior management is actively involved in all operations of the company, and has direct contact with customers, suppliers, production activities, bankers, inventory control, etc. Management frequently challenges financial and management reports that are inconsistent with its knowledge. Many of the reports used to manage activities are integrated with the financial reporting system and with reports used by other activities. Because of the integrated nature of the company's information systems, significant differences or inconsistencies are likely to be detected quickly. Operating personnel are expected to identify and report significant inaccuracies, or identify reports they believe may be inaccurate. The Controller's staff also analyzes operating reports and investigates apparent inconsistencies with financial reports.

• Extent to which communications from external parties corroborate internally generated information, or indicate problems. For example, consider whether:
  • Customers implicitly corroborate billing data by paying their invoices, or customer complaints about billings—indicating system deficiencies in the processing of sales transactions—are investigated for their underlying causes.
  • Communications from vendors and monthly statements of accounts payable are used as a control monitoring technique.
  • Suppliers' complaints of unfair practices by purchasing agents are fully investigated.
  • Regulators communicate information to the entity regarding compliance or other matters that reflect on the functioning of the internal control system.
  • Controls that should have prevented or detected the problems are reassessed.

  Comments: Management follows up on all communications from outside parties that indicate a problem may exist within the company. Particular attention is given to communications from customers, and government agencies, such as the FAA. Monthly vendor statements are reconciled to the recorded accounts payable, and accounts receivable balances are confirmed, on a test basis, at least once a year. Problems are investigated and resolved. Recently, several sales-tax exempt customers complained they were inappropriately charged sales tax. Their accounts were corrected, and investigation discovered a flaw in a software update that did not recognize certain exempt codes. The software was fixed, and the program change controls are being reviewed.

• Periodic comparison of amounts recorded by the accounting system with physical assets. For example, consider whether:
  • Inventory levels are checked when goods are taken from inventory storage for shipment, and differences between recorded and actual amounts are corrected.
  • Securities held in trust are counted periodically and compared with existing records.

  Comments: Physical inventory counts are made semiannually, and actual amounts are compared with perpetual inventory records. Differences are investigated. Fixed assets are counted and compared with asset listings on a cycle basis, no less than every three years.

• Responsiveness to internal and external auditor recommendations on means to strengthen internal controls. For example, consider whether:
  • Executives with proper authority decide which of the auditors' recommendations will be implemented.
  • Desired actions are followed up to verify implementation.

  Comments: Internal and external auditor recommendations are reviewed by senior management and the audit committee. Appropriate follow-up actions are taken and are communicated to the full board, as are the reasons any recommendations are not acted upon.

• Extent to which training seminars, planning sessions and other meetings provide feedback to management on whether controls operate effectively. For example, consider whether:
  • Relevant issues and questions raised at training seminars are captured.
  • Employee suggestions are communicated upstream and acted on as appropriate.

  Comments: Management has found that training sessions and other meetings occasionally provide feedback on control effectiveness and participants' understanding of their control responsibility. Appropriate follow-up action is taken.

• Whether personnel are asked periodically to state whether they understand and comply with the entity's code of conduct and regularly perform critical control activities. For example, consider whether:
  • Personnel are required periodically to acknowledge compliance with the code of conduct.
  • Signatures are required to evidence performance of critical control functions, such as reconciling specified amounts.

  Comments: The company has not developed a formal code of conduct. However, expectations of behavior are outlined in the employee manual, and management regularly reinforces these expectations in both word and action.

• Effectiveness of internal audit activities. For example, consider whether:
  • Their position within the organization is appropriate.
  • They have access to the board of directors or audit committee.
  • Their scope, responsibilities and audit plans are appropriate to the organization's needs.

  Comments: The company recently established an internal audit function, headed by an experienced internal auditor with Fortune 500 company experience. He has one staff person at this time. The audit manager reports to the CFO, and has access to all activities of the company. The audit manager has access to the audit committee, with whom he meets quarterly. If he desires, he may meet with them privately. Internal audit salaries are determined by the CFO, based on his evaluation of their performances, abilities, etc., with the audit committee's approval.

Conclusions/Actions Needed

Internal control monitoring is appropriate and sufficient. Management will consider the benefit of formalizing a
code of conduct and requiring periodic employee affirmation that they understand and comply with the code.
However, employee compliance with the behavior expectations outlined in the employee manual is high. The
internal audit function is new, and is expected to grow and become more effective over time.

Separate Evaluations

It is useful to take a fresh look at the internal control system from time to time, focusing directly on system effectiveness. The scope and frequency of separate evaluations will depend primarily on an assessment of risks, and ongoing monitoring procedures.

• Scope and frequency of separate evaluations of the internal control system. For example, consider whether:
  • Appropriate portions of the internal control system are evaluated.
  • The evaluations are conducted by personnel with the requisite skills.
  • The scope, depth of coverage and frequency are adequate.

  Comments: The Information Systems Steering Committee assesses information system effectiveness on a high level. The board focuses on the control environment and monitoring functions, obtaining input from the CFO and the auditors.

• Appropriateness of the evaluation process. For example, consider whether:
  • The evaluator gains a sufficient understanding of the entity's activities.
  • An understanding is obtained of how the system is supposed to work and how it actually does work.
  • An analysis is made, using the evaluation results as measured against established criteria.

  Comments: The evaluation process is informal. It includes steps for understanding of and analyzing key controls in place.

• Whether the methodology for evaluating a system is logical and appropriate. For example, consider whether:
  • Such methodology includes checklists, questionnaires or other tools.
  • The evaluation team is brought together to plan the evaluation process and ensure a coordinated effort.
  • The evaluation process is managed by an executive with requisite authority.

  Comments: The process is informal.

• Appropriateness of the level of documentation. For example, consider whether:
  • Policy manuals, organization charts, operating instructions and the like are available.
  • Consideration is given to documenting the evaluation process.

  Comments: Limited documentation exists in meeting minutes of the Board and the Information Systems Steering Committee.

Conclusions/Actions Needed

Consideration should be given to formalizing the evaluation process, and considering its scope of coverage over
time. The new internal auditor plans to perform an initial review of the established evaluation process.

Reporting Deficiencies

Internal control deficiencies should be reported upstream with certain matters reported to top management and the board.

• Existence of mechanism for capturing and reporting identified internal control deficiencies. For example, consider whether means exist for obtaining reports on deficiencies:
  • From both internal sources and external sources (e.g., customers, suppliers, auditors, regulators).
  • Resulting from ongoing monitoring or separate evaluations.

  Comments: Policies exist for the capturing and reporting of deficiencies. For example, the marketing department communicates customer complaints upstream to ensure the proper department (e.g., shipping, production) is made aware and takes follow-up actions. Reaction to external auditor reporting of deficiencies is well structured.

• Appropriateness of reporting protocols. For example, consider whether:
  • Deficiencies are reported to the person directly responsible for the activity and to a person at least one level higher.
  • Specified types of deficiencies are reported to more senior management and to the board.

  Comments: Policies clearly identify to whom discovered deficiencies should be reported. Generally, it is to the senior manager of the department under evaluation, regardless of the level of controls being evaluated.

• Appropriateness of follow-up actions. For example, consider whether:
  • The transaction or event identified is corrected.
  • The underlying causes of the problem are investigated.

  Comments: Follow-up actions are monitored and reported back to the senior manager.

Conclusions/Actions Needed

The policies and procedures in place for reporting deficiencies are appropriate.

Component Summary—Conclusions/Actions Needed

Ongoing monitoring procedures are adequate. Management should consider formalizing a code of conduct. The
process for separate evaluations of the internal control system could be formalized. Policies for reporting
deficiencies appear to be appropriate.

Risk Assessment and Control Activities Worksheet


Risk Analysis (Objectives / O,F,C / Risk Factors / Likelihood)

Manage Logistics

1. Materials are to be tested, and either accepted and moved to storage, or rejected and returned for credit on a timely basis. (O)
   Risk factor: Receipt of large quantities of materials may delay the receiving and testing activities. Likelihood: Medium-High.

2. Accurately process all information related to goods received, and make such information available to appropriate activities on a timely basis. (O,F)
   Risk factor: Information is not entered accurately or on a timely basis. Likelihood: Medium.
   Risk factor: Information needs of various production units are not clearly identified. Likelihood: Low.

NOTE: This evaluation tool is filled in for one activity (inbound) of ABC Company. When evaluating the risk
assessment and control activities company-wide, this tool would be completed for all significant activities.

Actions/Control Activities/Comments (Other Objectives Affected / Evaluation and Conclusion)

1. Production provides a weekly report of those items most critically needed to continue efficient and uninterrupted production. The Director of Procurement/Receiving reviews materials to be tested and prioritizes such materials based on the weekly report.
   Evaluation and conclusion: Policies and procedures are insufficient for timely processing. Policies and procedures must be developed to detail how materials should flow through receiving and testing, in the event of large amounts of material being received, and how achievement of the objective is to be monitored. Additionally, using engineering personnel to test materials may create conflicts between testing and engineering, especially if such use negatively affects achievement of engineering objectives.

2. Certain engineering personnel have been trained and are available for short-term use in testing certain types of materials.

3. Receiving reports are prenumbered, and missing documents are investigated twice weekly.
   Evaluation and conclusion: Controls are sufficient to achieve the objective.

4. Information from receiving documents is matched to open purchase orders and, subsequently, to the vendor invoice.

5. Information needs of each activity are reviewed semi-annually, and communicated to information technology personnel. Systems and reports are modified as necessary.

Risk Analysis (Objectives / O,F,C / Risk Factors / Likelihood)

3. Ensure purchase orders are filled on a timely basis. (O)
   Risk factor: Purchase orders are lost or not forwarded to inbound activities. Likelihood: Medium.
   Risk factor: Due-date information is not available. Likelihood: Medium.

4. All materials received are accurately recorded. (O,F)
   Risk factor: Actual quantities received may not equal the quantities indicated on the purchase order or vendor shipping documents. Likelihood: Medium-High.

Actions/Control Activities/Comments (Other Objectives Affected / Evaluation and Conclusion)

6. When the purchase order is generated, the system automatically updates open purchase order records. A hard copy of the prenumbered form is sent to receiving, which reviews open purchase orders weekly, and missing documents are investigated. The electronic records are periodically reviewed to verify their accuracy.
   Evaluation and conclusion: Controls are sufficient to achieve the objective.

7. The system provides the option to sort open purchase orders several ways, including by due date. A weekly report of open purchase orders due is prepared.

8. Goods received are counted, weighed or otherwise verified as to quantity.
   Other objectives affected: Production #10 [Not shown].
   Evaluation and conclusion: Controls are sufficient to achieve the objective.

9. Receipts are subject to second count, on a random basis, by a receiving department supervisor.

10. Quantities received according to the receiving report are matched to the vendor's shipping documentation and to the purchase order. Material shortages are noted on the receiving documentation, and any excess material is refused. In the case of excess material, documentation is signed by the transportation company representative for return to the vendor. Documentation is forwarded to accounts payable for further processing and control activities.

Risk Analysis (Objectives / O,F,C / Risk Factors / Likelihood)

   Risk factor (objective 4, continued): Receiving documentation may not be prepared by receiving personnel, or it may be lost. Likelihood: Low.

5. Only materials actually received and accepted are recorded. (O,F)
   Risk factor: Receiving employees may prepare erroneous receiving reports for materials not actually received. Likelihood: Low.

6. All materials returned for vendor credit are accurately recorded. (O,F)
   Risk factor: Material return documentation may be lost. Likelihood: Low-Medium.

Actions/Control Activities/Comments (Other Objectives Affected / Evaluation and Conclusion)

11. Receiving documents are sequentially prenumbered, and missing documents are investigated weekly.

12. Warehouse personnel will not accept material without a copy of appropriate receiving documentation. Material remaining in the receiving department for more than one day is investigated by a receiving supervisor.

13. Vendor invoices will not be processed unless matched with proper receiving documentation. Unmatched invoices are investigated promptly.

14. Receiving reports are subject to verification by the receiving department supervisor.
    Evaluation and conclusion: Controls are sufficient to achieve the objective.

15. Receiving reports must be matched to a material transfer document signed by the authorized party who accepted the materials from the receiving department. Unmatched receiving reports are investigated weekly.

16. Material return forms are prenumbered, and missing documents are promptly investigated.
    Evaluation and conclusion: Controls are sufficient to achieve the objective.

Risk Analysis (Objectives / O,F,C / Risk Factors / Likelihood)

   Risk factor (objective 6, continued): Material return documentation may not be prepared. Likelihood: Low.
   Risk factor (objective 6, continued): Material return documentation may be inaccurate. Likelihood: Low.

Receive

7. Only materials properly ordered are accepted. (O)
   Risk factor: Employees may lack information regarding properly ordered goods. Likelihood: Low.

8. Only materials which comply with purchase order specifications are accepted. (O)
   Risk factor: Material received from vendors may not comply with specifications. Likelihood: Medium.

Actions/Control Activities/Comments (Other Objectives Affected / Evaluation and Conclusion)

17. If material is returned without preparation of receiving documentation, open purchase orders will be investigated. If receiving documentation is prepared, it will not be matched with material transfer documentation. Such unmatched receiving reports are promptly followed up, as described in #15 above.

18. Material return documentation must be approved by a receiving supervisor who verifies the return document information.

19. Common carriers (i.e., trucking companies, UPS, etc.) verify materials being returned and sign documentation indicating their acceptance of such materials.

20. No materials are accepted without a properly authorized purchase order on file in the receiving department.
    Evaluation and conclusion: Controls are sufficient to achieve the objective.

21. Materials received are tested for compliance with contract or purchase order specifications. All tests are documented in accordance with prescribed procedures and are reviewed by the receiving department supervisor.
    Evaluation and conclusion: Policies and procedures appear adequate to achieve the objective. However, consideration should be given to situations where personnel may place undue pressure on receiving to accept materials (for instance, in cases where shortages of certain key materials threaten the efficiency of or ability to continue production).

Risk Analysis (Objectives / O,F,C / Risk Factors / Likelihood)

   Risk factor (objective 8, continued): Inbound activity personnel do not understand the specifications due to poor communication with procurement. Likelihood: Low.
   Risk factor (objective 8, continued): Testing procedures may become obsolete. Likelihood: Low.
   Risk factor (objective 8, continued): Testing equipment may become obsolete or inaccurate. Likelihood: Medium-High.
   Risk factor (objective 8, continued): Inbound activities personnel may not test materials, or may not test them properly. Likelihood: Low.

Actions/Control Activities/Comments (Other Objectives Affected / Evaluation and Conclusion)

22. Receiving is provided a copy of the contractor purchase order with specifications clearly indicated. Specifications are matched to vendor documentation and test results before material is forwarded to another department.

23. Testing procedures are reviewed and updated annually by the Director of Procurement and the Engineering Manager. The procedures are reviewed and approved by the Vice President—Operations.

24. Testing equipment is checked and recalibrated every 30 days, or upon the request of the equipment operator, whichever is more frequent.

25. Testing equipment is reviewed and recommendations for new equipment are made in conjunction with the review of testing procedures noted in control #23. Approval of new equipment is required of the Vice President—Operations.

26. Test documentation is reviewed by supervisory personnel. Materials used to manufacture parts critical to flight safety are subject to random retesting. Discrepancies noted in retesting are investigated and appropriate follow-up action is taken (retraining, termination if a high number of discrepancies are noted and training fails to resolve the problem, etc.).
    Other objectives affected: Production #10 [Not shown].

Risk Analysis (Objectives / O,F,C / Risk Factors / Likelihood)

9. Ensure that materials transferred from receiving to other activities are completely and accurately recorded. (O,F)
   Risk factor: Proper documentation is not prepared. Likelihood: Low.
   Risk factor: Information may be inaccurate or incomplete. Likelihood: Medium.
   Risk factor: Information may be input inaccurately. Likelihood: Medium.

10. Precious metals are handled and stored in a secure manner to prevent unauthorized access. (O)
    Risk factor: Precious metals may be stolen. Likelihood: High.

Actions/Control Activities/Comments (Other Objectives Affected / Evaluation and Conclusion)

27. Production personnel monitor problems related to materials failing to meet engineering specifications, and report such results to procurement, and appropriate follow-up action is taken.

28. Material cannot be transferred without transfer documents.
    Evaluation and conclusion: Controls are sufficient to achieve the objective.

29. Transfer documents must be signed by both the receiving employee and the employee accepting the transfer. Both employees verify its completeness and accuracy.

30. Inventory is counted quarterly. The physical count is compared with perpetual inventory records. Differences are investigated.

31. Record-keeping of precious metals is performed by an individual independent of those employees responsible for handling and storage of the metals.
    Evaluation and conclusion: Controls are sufficient to achieve the objective.

Risk Analysis (Objectives / O,F,C / Risk Factors / Likelihood)

11. Properly transfer all materials requisitioned, and only such materials. (O,F)
    Risk factor: Inadequate requisition procedures. Likelihood: Medium.
    Risk factor: Improper materials are transferred. Likelihood: Medium.

12. Completely and accurately record all transfers to and from storage. (O,F)
    Risk factor: Incomplete or inaccurate information. Likelihood: Medium.

Actions/Control Activities/Comments (Other Objectives Affected / Evaluation and Conclusion)

32. The precious metals are stored in a locked and guarded location. Surveillance cameras continuously record all entrances and exits of the storage area.

33. All packages, briefcases, etc., removed from the facility by employees are subject to inspection by security personnel.

34. Physical counts of precious metals are made monthly by individuals with no responsibility for record-keeping or storage of the metals. The counts are reconciled with the perpetual records, and differences investigated.

35. Stores personnel transfer materials to operations only on the authority of a properly approved requisition.
    Evaluation and conclusion: Controls are sufficient to achieve the objective.

36. Both stores and operations personnel verify that proper materials are transferred and both sign transfer documentation.

37. Transfer documentation is signed by both stores and operations personnel, who verify its accuracy.
    Evaluation and conclusion: Controls are sufficient to achieve the objective.

38. Inventory is counted quarterly. Differences from perpetual records are investigated and resolved.

Risk Analysis (Objectives / O,F,C / Risk Factors / Likelihood)

    Risk factor (objective 12, continued): Transfer documents may be lost. Likelihood: Medium.

13. Hazardous materials are handled and stored in compliance with Occupational Safety and Health Administration (OSHA) and other laws and regulations. (C)
    Risk factor: Employees may disregard hazardous material handling and storage policies and procedures. Likelihood: Low.
    Risk factor: Storage tanks may leak. Likelihood: Medium-High.

Actions/Control Activities/Comments (Other Objectives Affected / Evaluation and Conclusion)

39. Transfer documents are prenumbered, with missing documents investigated weekly.

40. Employees responsible for handling and storing hazardous materials are closely supervised, and their work reviewed by experienced supervisors. Deviations from specified policy are treated as serious matters, and disciplinary action is swift and severe.
    Evaluation and conclusion: Controls are adequate to achieve the objective. However, employees are not provided periodic training on laws and regulations, nor on handling and storage techniques. This training could provide assurance that employees remain knowledgeable of such laws, regulations and techniques. Additionally, it would help ensure that employees remain aware of the importance of complying with company policies.

41. Employees responsible for handling and storing hazardous materials are subject to regular drug testing.

42. Storage tanks are inspected annually. Any sign of irregularity is immediately investigated and resolved.

43. Storage tanks are replaced at 90% of the manufacturer's estimated useful life.

44. Water and soil samples, taken from near the storage tanks, are tested quarterly to detect leakage. Any sign of irregularity is immediately investigated and resolved.

Risk Analysis

Objectives | O,F,C | Risk Factors | Likelihood

14. Federal and state Occupational Safety and Health Administration (OSHA) laws and regulations are complied
    with. (C)
    Risk factor: Personnel may not be familiar with all OSHA requirements. Likelihood: Medium
    Risk factor: OSHA requirements may be violated due to errors, neglect or intentional disregard.
    Likelihood: Medium-High

Actions/Control Activities/Comments | Other Objectives Affected | Evaluation and Conclusion

45. Monitoring systems to measure pressure in pipelines used to transport hazardous materials are utilized to
    detect leaks or other potential problems. These systems are inspected quarterly. Any sign of irregularity is
    immediately investigated and resolved.

46. Legal counsel, and the Vice President—Operations review policy and procedures quarterly. Such policy and
    procedures are modified as necessary to comply with OSHA requirements.
    Evaluation and Conclusion: Controls are sufficient to achieve the objective.

47. Legal counsel observes execution of company policies and procedures on a regular basis. Questionable acts
    are immediately investigated and appropriate follow-up action is taken.

48. Employees are encouraged to report any suspected violations to the office of the CEO. Employees of the office
    of the CEO follow up on such communication.

Overall Internal Control System Evaluation

Internal Control Components | Preliminary Conclusions/Actions Needed (see individual evaluation tools) |
Additional Considerations

Control Environment—Does management adequately convey the message that integrity cannot be compromised?
Does a positive control environment exist, whereby there is an attitude of control consciousness throughout the
organization, and a positive "tone at the top"? Is the competence of the entity's people commensurate with their
responsibilities? Are management's operating style, the way it assigns authority and responsibility and organizes
and develops its people appropriate? Does the board provide the right level of attention?

Preliminary Conclusions/Actions Needed: Management has demonstrated its commitment to integrity, ethical
behavior and competence of the Company's people, and has communicated that commitment to all employees. The
company's control environment is conducive to effective internal control, and provides a positive influence that
enhances the likelihood of achieving ABC's objectives.

Additional Considerations: The board and I [CEO] are considering the benefits of a formal code of conduct. I am
monitoring the effectiveness of the recent organizational structure modifications, which resulted from the Laker
Parts acquisition and divestiture of the defense division, and will introduce changes as appropriate. In addition,
newly created key manager responsibilities will be evaluated over time and changed as needed. The Laker Parts
acquisition has resulted also in a duplication of some accounting department functions. Reviews of personnel
requirements are underway.

Risk Assessment—Are entity-wide objectives and supporting activity-level objectives established and linked? Are
the internal and external risks that influence the success or failure of the achievement of the objectives
identified and assessed? Are mechanisms in place to identify changes affecting the entity's ability to achieve its
objectives? Are policies and procedures modified as needed?

Preliminary Conclusions/Actions Needed: The company-wide objectives and strategies provide relevant guidance on
what the entity is to achieve and how it will be achieved. Resources are allocated to achieve objectives
commensurate with their importance. Activity-level objectives have been developed to support achieving the
company-wide objectives. Those activity-level objectives are consistent with and complement each other.

ABC management identifies and assesses risk informally on an ongoing basis, and formally in conjunction with the
annual update of the business plan. Appropriate actions are taken to manage the risks. Hedges for materials cost
increases and modernizing production processes need to be addressed.

Controls to identify and react to changes are adequate. We need to continue to watch for potential morale
weakness from former Laker Parts employees. Consider having human resources monitor attitudes and performance.

Additional Considerations: The implications of competitive pressures for long-term growth and profitability
objectives will continue to require the attention of operating and financial management. Such attention will be
provided.

The development of new or modified production processes will be expedited to keep pace with changes in the
industry.

Further consolidation of the commercial airline industry and government re-regulation of the industry are changes
that could adversely affect the company. These changes are followed closely and strategies are being developed to
respond to the changes.

Control Activities—Are control activities in place to ensure adherence to established policy and the carrying
out of actions to address the related risks? Are there appropriate control activities for each of the entity's
activities?

Preliminary Conclusions/Actions Needed: Control activities have been designed and implemented to address
significant risks related to department and unit activity objectives. Concerns raised re materials testing and
handling hazardous materials need to be addressed.

Additional Considerations: Activities for testing materials for determining whether to accept or reject
shipments, and procedures for training operations personnel on OSHA requirements for disposal of hazardous waste,
will be refined and formalized.

Information and Communication—Are information systems in place to identify and capture pertinent information
(financial and nonfinancial, relating to external and internal events) and bring it to personnel in a form that
enables them to carry out their responsibilities? Does communication of relevant information take place? Is it
clear with respect to expectations and responsibilities of individuals and groups, and reporting of results? And
does communication occur down, across and upward in the entity, as well as between the entity and other parties?

Preliminary Conclusions/Actions Needed: Information systems provide management with the information needed, on a
timely basis, to manage the company effectively.

Generally, communication within the entity and with external parties is effective. The following items will be
considered to enhance effective communication further: Develop a formal corporate code of conduct, and further
encourage department managers to solicit and consider constructive suggestions from personnel at all levels.

Additional Considerations: Available information related to competitors' activities in the development of lighter
weight materials for use in production, and exposures to foreign currency exchange losses from an unstable U.S.
dollar will be obtained and considered in our long-term strategies.

A formal program to communicate the company's ethical standards to vendors and other outside parties will be
developed.

Monitoring—Are appropriate procedures in place to monitor on an ongoing basis, or to periodically evaluate the
functioning of the other components of internal control? Are deficiencies reported to the right people? Are
policies and procedures modified as needed?

Preliminary Conclusions/Actions Needed: Internal control monitoring is appropriate and sufficient. Although
employee compliance with the behavioral expectations outlined in the employee manual is high, management will
consider the benefit of formalizing a code of conduct and requiring periodic employee affirmation that they
understand and comply with it. The internal audit function is new, and is expected to grow and become more
effective over time. The scope of separate evaluations needs to be considered.

Additional Considerations: Ongoing monitoring of the former Laker Parts operation is important to ensuring its
continued effectiveness and overall consistency with the consolidated company. Factors of particular importance
are the appropriateness of its organizational structure and assignment of responsibilities to key managers. I plan
to continue to monitor these areas. I will instruct the head of internal audit to develop a formal evaluation
process.

Overall Conclusion

ABC's system of internal control, as of December 31, 19xx, is effective and provides reasonable assurance that
the company's financial reporting process is reliable, that the company has effective procedures for ensuring
compliance with applicable laws and regulations, and that management is aware of the extent to which the
company is moving toward achieving the operations objectives.

Guidance on Monitoring Internal Control Systems

Introduction

January 2009

Committee of Sponsoring Organizations of the Treadway Commission

Board Members

Larry E. Rittenberg, COSO Chair
Mark S. Beasley, American Accounting Association
Michael P. Cangemi, Financial Executives International
Charles E. Landes, American Institute of Certified Public Accountants
David A. Richards, The Institute of Internal Auditors
Jeffrey Thomson, Institute of Management Accountants

Grant Thornton LLP - Author

Principal Contributors

R. Trent Gazzaway (Project Leader), Managing Partner of Corporate Governance, Grant Thornton LLP - Charlotte
James P. Burton, Partner, Grant Thornton LLP - Denver
J. Russell Gates, President, Dupage Consulting LLC - Chicago
Keith O. Newton, Partner, Grant Thornton LLP - Chicago
Sridhar Ramamoorti, Partner, Grant Thornton LLP - Chicago
Richard L. Wood, Partner, Grant Thornton LLP - Toronto
R. Jay Brietz, Senior Manager, Grant Thornton LLP - Charlotte

Review Team

Andrew D. Bailey Jr., Senior Policy Advisor, Grant Thornton LLP - Phoenix
Dorsey L. Baskin Jr., Regional Partner of Professional Standards, Grant Thornton LLP - Dallas
Craig A. Emrick, VP - Senior Accounting Analyst, Moody's Investors Service
Philip B. Livingston, Vice Chairman, Approva Corporation; Former President and CEO, Financial Executives
International

COSO Task Force

Abraham D. Akresh, Senior Level Expert for Auditing Standards, U.S. Government Accountability Office
Douglas J. Anderson, Corporate Auditor, Dow Chemical Company
Robert J. Benoit, President and Director of SOX Research, Lord & Benoit, LLC
Richard D. Brounstein, Chief Financial Officer, NewCardio, Inc.; Director, The CFO Network
Jennifer M. Burns, Partner, Deloitte & Touche LLP
Paul Caban, Assistant Director, U.S. Government Accountability Office
James W. DeLoach, Managing Director, Protiviti
Miles E. Everson, Partner, PricewaterhouseCoopers LLP
Audrey A. Gramling, Associate Professor, Kennesaw State University
Scott L. Mitchell, Chairman and CEO, Open Compliance & Ethics Group
James E. Newton, Partner, KPMG LLP
Edith G. Orenstein, Director, Technical Policy Analysis, Financial Executives International
John H. Rife, Partner, Ernst & Young LLP
Michael P. Rose, Partner, Grant Thornton LLP
Robert S. Roussey, Professor of Accounting, University of Southern California; Former CEO and Senior Partner, GR
Consulting LLP
Andre Van Hoek, Vice President, Corporate Controller, Celgene Corporation

Observer

Securities and Exchange Commission

Josh K. Jones, SEC Observer, Professional Accounting Fellow

Monitoring: An Integral Component of Internal Control

Over the past decade, organizations have invested heavily in improving the quality of their internal control
systems. They have made the investment for a number of reasons, notably: (1) good internal control is good
business — it helps organizations ensure that operating, financial and compliance objectives are met, and (2)
many organizations are required to report on the quality of internal control over financial reporting, compelling
them to develop specific support for their certifications and assertions.

Internal control is designed to assist organizations in achieving their objectives. The five components of COSO's
Internal Control — Integrated Framework (the COSO Framework) work in tandem to mitigate the risks of an
organization's failure to achieve those objectives.

The COSO Board recognizes that management's assessment of internal control often has been a time-
consuming task that involves a significant amount of annual management and/or internal audit testing. Effective
monitoring can help streamline the assessment process, but many organizations do not fully understand this
important component of internal control. As a result, they underutilize it in supporting their assessments of
internal control.

Monitoring Applied to the Internal Control Process

Figure 1 depicts the comprehensive nature of monitoring and illustrates how effective monitoring considers the
collective effectiveness of all five components of internal control.

COSO's 2008 Guidance on Monitoring Internal Control Systems (COSO's Monitoring Guidance) was developed
to clarify the monitoring component of internal control. It does not replace the guidance first issued in the COSO
Framework or in COSO's 2006 Internal Control over Financial Reporting — Guidance for Smaller Public
Companies (COSO's 2006 Guidance). Rather, it expounds on the basic principles contained in both documents,
guiding organizations in implementing effective and efficient monitoring.
How Does Monitoring Benefit the Governance Process?

Unmonitored controls tend to deteriorate over time. Monitoring, as defined in the COSO Framework, is
implemented to help ensure "that internal control continues to operate effectively."1 When monitoring is
designed and implemented appropriately, organizations benefit because they are more likely to:

• Identify and correct internal control problems on a timely basis,
• Produce more accurate and reliable information for use in decision-making,
• Prepare accurate and timely financial statements, and
• Be in a position to provide periodic certifications or assertions on the effectiveness of internal control.

Over time effective monitoring can lead to organizational efficiencies and reduced costs associated with public
reporting on internal control because problems are identified and addressed in a proactive, rather than reactive,
manner.

Fundamentals of Effective Monitoring
COSO's Monitoring Guidance builds on two fundamental principles originally established in COSO's 2006
Guidance:2

• Ongoing and/or separate evaluations enable management to determine whether the other components of
  internal control continue to function over time, and
• Internal control deficiencies are identified and communicated in a timely manner to those parties responsible
  for taking corrective action and to management and the board as appropriate.

The monitoring guidance further suggests that these principles are best achieved through monitoring that is
based on three broad elements:

• Establishing a foundation for monitoring, including (a) a proper tone at the top; (b) an effective
  organizational structure that assigns monitoring roles to people with appropriate capabilities, objectivity and
  authority; and (c) a starting point or "baseline" of known effective internal control from which ongoing
  monitoring and separate evaluations can be implemented;
• Designing and executing monitoring procedures focused on persuasive information about the operation of key
  controls that address meaningful risks to organizational objectives; and
• Assessing and reporting results, which includes evaluating the severity of any identified deficiencies and
  reporting the monitoring results to the appropriate personnel and the board for timely action and follow-up if
  needed.

Breadth of Monitoring Processes

Organizations may select from a wide variety of monitoring procedures, including but not limited to:

• Periodic evaluation and testing of controls by internal audit,
• Continuous monitoring programs built into information systems,
• Analysis of, and appropriate follow-up on, operating reports or metrics that might identify anomalies
  indicative of a control failure,
• Supervisory reviews of controls, such as reconciliation reviews as a normal part of processing,
• Self-assessments by boards and management regarding the tone they set in the organization and the
  effectiveness of their oversight functions,
• Audit committee inquiries of internal and external auditors, and
• Quality assurance reviews of the internal audit department.

Continued advancements in technology and management techniques ensure that internal control and related
monitoring processes will change over time. However, the fundamental concepts of monitoring, as outlined in
COSO's Monitoring Guidance, are designed to stand the test of time.

Using the Guidance to Move Monitoring Forward

Management can begin the monitoring process by encouraging the people with control system responsibility to
read COSO's Monitoring Guidance and consider how best to implement it or whether it has already been
incorporated into certain areas. Further, personnel with appropriate skills, authority and resources should be
charged by management with addressing these four fundamental questions:

1. Have we identified the meaningful risks to our objectives, for example, the risks related to producing
   accurate, timely and complete financial statements?

2. Which controls are "key controls" that will best support a conclusion regarding the effectiveness of
   internal control in those risk areas?

3. What information will be persuasive in telling us whether the controls are continuing to operate
   effectively?

4. Are we presently performing effective monitoring that is not well utilized in the evaluation of internal
   control, resulting in unnecessary and costly further testing?


Management and the board of directors should understand the concepts of effective monitoring and how it
serves their respective interests. As the board learns more about monitoring, it will develop the knowledge
necessary to ask management in relation to any area of meaningful risk, "How do you know the internal control
system is working?"

COSO's Monitoring Guidance is designed to help organizations answer these and other questions within the
context of their own unique circumstances — circumstances that will change over time. As they progress in
achieving effectiveness in monitoring, organizations likely will have the opportunity to further improve the
process through the use of such tools as continuous monitoring software and exception reports tailored to their
processes.

The guidance also covers other concepts that are important to effective and efficient monitoring, including:

• The characteristics associated with the objectivity of the evaluator;
• The period of time and the circumstances by which an organization can rely on adequately designed indirect
  information — when used in combination with ongoing or periodic persuasive direct information — to conclude
  that internal control remains effective;
• Determining the sufficiency and suitability of information used in monitoring to ensure that the results can
  adequately support conclusions about internal control; and
• Ways in which the organization can make monitoring more efficient without reducing its effectiveness.

COSO's Monitoring Guidance encompasses three volumes. Volume I presents the fundamental principles of
effective monitoring and develops the linkage to the COSO Framework. Volume II conveys in greater detail the
principles outlined in Volume I and provides guidance to those responsible for implementing effective monitoring.
Volume III contains examples of effective monitoring.

Many organizations, through applying the concepts set forth in the guidance, should improve the effectiveness
and efficiency of their internal control systems. To that end, COSO's Monitoring Guidance is designed to help
organizations (1) identify effective monitoring where it already exists and use it to the maximum benefit, and (2)
identify less effective or efficient monitoring, leading to improvements. In both instances, the internal control
system may be improved, increasing the likelihood that organizational objectives will be achieved.

Footnotes

1 COSO Framework, p. 69.

2 See principles #19 and #20 in COSO's Internal Control over Financial Reporting - Guidance for Smaller
Public Companies issued in 2006 (COSO's 2006 Guidance).

Guidance on Monitoring Internal Control Systems

Volume I: Guidance

Committee of Sponsoring Organizations of the Treadway Commission

Grant Thornton LLP - Author

January 2009

From the Chairman …

The COSO Board is pleased to issue its Guidance on Monitoring Internal Control Systems (the Monitoring
Guidance) — a demonstration of COSO's commitment to assisting organizations in implementing effective
internal control and monitoring its continued effectiveness. The Board believes that organizations can achieve
greater efficiency and effectiveness through a better understanding and more efficient utilization of the
monitoring component of the COSO Internal Control — Integrated Framework (the COSO Framework). The
purpose of the guidance is to assist organizations in monitoring the effectiveness of their internal control systems
and taking timely corrective actions as needed.

The COSO Framework contemplates that monitoring is implemented as an active part of an organization's
internal control system. Thus, an organization should consider whether monitoring of internal control should be
performed annually — as often occurs in firms that report publicly on the quality of their internal control — or
whether monitoring can be "built into" the organization's everyday activities. The COSO Board believes that
many organizations can achieve greater efficiencies by building monitoring into their ongoing internal control
processes. The guidance seeks to equip organizations to attain that goal.

The Grant Thornton project team, accompanied by a large, diverse task force, grappled with a number of
conceptual and practical issues in developing the Monitoring Guidance. The team addressed basic issues such
as, "How can an organization know that its monitoring activities are effective?" and more-complex issues such
as, "To what extent can an organization utilize 'indirect information' (e.g., comparisons with expectations) as part
of an effective monitoring program?" Readers of the guidance will find that effective monitoring is both risk based
and principles based and that the guidance is presented in a way that encourages adaptation to individual
organizational circumstances.

I want to thank the entire Grant Thornton team and the task force for their contributions in developing the
Monitoring Guidance. In particular, I want to recognize Trent Gazzaway, Grant Thornton's Managing Partner of
Corporate Governance, for leading this project and for his intellectual contributions and perseverance. His
attention to detail was instrumental in ensuring consistency with the COSO Internal Control — Integrated
Framework, as well as with the COSO 2006 guidance for smaller public companies.

We hope you will find the Monitoring Guidance useful. We always welcome your feedback, including examples
of areas in which you have successfully implemented monitoring.

Sincerely,

Larry E. Rittenberg, PhD, CPA, CIA

COSO Chair

I. Purpose of the Guidance

1. The Committee of Sponsoring Organizations of the Treadway Commission (COSO) introduced the
   Internal Control — Integrated Framework (the COSO Framework) in 1992. Much has happened since
   the initial release. Most notably, some countries have implemented regulations requiring certain
   companies to publicly report on the effectiveness of internal control.

COSO's Guidance on Monitoring Internal Control Systems (COSO's Monitoring Guidance) elaborates on the
monitoring component of internal control discussed in the 1992 COSO Framework and in the subsequent
Internal Control over Financial Reporting — Guidance for Smaller Public Companies issued in 2006 (COSO's
2006 Guidance).

2. COSO initiated this project based on observations that many organizations were not fully utilizing the
   monitoring component of internal control. This fact became most clear as COSO witnessed the efforts of
   many companies to meet internal control certification and assertion requirements around the world.

3. COSO observed that some organizations had effective monitoring in certain areas, but were
   underutilizing the results of that monitoring to support their conclusions about the effectiveness of
   internal control, especially conclusions related to the effectiveness of internal control over financial
   reporting. Instead, they were adding redundant, often unnecessary procedures designed to evaluate
   controls for which management — through its existing monitoring efforts — already had sufficient
   support. Other organizations were not making the best use of ongoing monitoring1 procedures or
   lacked necessary monitoring procedures altogether, which may have caused them to implement
   inefficient year-end evaluations to support their conclusions about the effectiveness of internal control.
4. The objectives of COSO's Monitoring Guidance are twofold:

• To help organizations improve the effectiveness and efficiency of their internal control2 systems. The
  COSO Framework emphasizes that organizations with effective internal control systems monitor the
  effectiveness of those systems over time3 — just as a manufacturing organization monitors the
  continued effectiveness and efficiency of its manufacturing procedures. This guidance is designed to
  help organizations recognize and maximize the use of monitoring when it is effective and enhance
  monitoring in areas where improvement may be warranted.
• To provide practical guidance that illustrates how monitoring can be incorporated into an organization's
  internal control processes. The "Applying the Concepts" sections in Volume II of the guidance provide
  easy reference points — demonstrating how organizations might apply the general concepts of
  monitoring. Volume III goes further by providing a variety of monitoring examples from organizations
  interviewed during the project.

5. This guidance does not:

• Change the COSO Framework or COSO's 2006 Guidance,
• Dictate risks or controls that organizations must consider,
• Mandate the exact monitoring procedures that organizations must follow,
• Increase the monitoring effort for organizations in areas where monitoring is already effective, or
• Mandate a certain level or formality of monitoring documentation, including the use of certain terms.4

6. This guidance should help management, board members, internal and external auditors, regulators,
   and others recognize effective monitoring where it exists and take into account its results with respect to
   their duties. In areas where monitoring is ineffective, this guidance should help organizations identify and
   correct weaknesses and move toward achieving effectiveness in monitoring. In so doing, organizations
   can improve their internal control system's ability to provide reasonable assurance about the
   achievement of organizational objectives. Effective monitoring may also result in organizational
   improvements by (1) minimizing internal control failures and their errors/defects that require correction,
   and (2) improving the quality and reliability of information used for decision making.

7. This guidance is designed to apply to all three objectives addressed in the COSO Framework: the
   effectiveness and efficiency of operations, the reliability of financial reporting, and compliance with
   applicable laws and regulations. However, recognizing that its initial application may be related to
   evaluating internal control over financial reporting (ICFR), most of the examples concentrate on the
   financial reporting objective.


8. The Monitoring Guidance comprises three volumes. Volume I, the Guidance volume, is designed to

demonstrate succinctly the core concepts embodied in COSO's monitoring component. Volume II, the

Application volume, is integral to Volume I and contains a more detailed description of the principles

contained in Volume I. The Application volume should be read by those responsible for implementing the

guidance and by those who are interested in gaining a greater understanding of the related concepts.

Volume III, the Examples volume, contains examples from organizations whose monitoring efforts are
consistent with the Monitoring Guidance.

II. Nature and Purpose of Monitoring

See Vol. II, ¶¶ 1-2.

9. The COSO Framework states that "monitoring ensures that internal control continues to operate effectively."5 COSO's 2006 Guidance enhances the understanding of monitoring by articulating the following two related principles:

• Ongoing and/or separate evaluations enable management to determine whether the other components of internal control6 continue to function over time.
• Internal control deficiencies are identified and communicated in a timely manner to those parties responsible for taking corrective action and to management and the board as appropriate.

10. COSO's Monitoring Guidance builds on those two fundamental principles.

See Vol. II, ¶¶ 38-41.

11. The COSO Framework recognizes that risks change over time and that management needs to "determine whether the internal control system continues to be relevant and able to address new risks."7 Thus, monitoring should evaluate (1) whether management reconsiders the design of controls when risks change, and (2) whether controls that have been designed to reduce risks to an acceptable level continue to operate effectively. Accordingly, this guidance continues to emphasize COSO's belief that monitoring should be based on an analysis of risks to organizational objectives and an understanding of how controls may or may not manage or mitigate those risks.

12. An overview of the framework and how its components work together is shown in Figure 1, which is an enhancement of the process approach to internal control developed in COSO's 2006 Guidance. The enhancements include the explicit recognition that monitoring relates to all three internal control objectives and not just to the financial reporting objective.

See Vol. II, ¶¶ 11-19.

13. This graphic also demonstrates that monitoring evaluates the internal control system's ability, in its entirety, to manage or mitigate meaningful risks to organizational objectives.


14. Each of the five components of internal control set forth in the COSO Framework is important to achieving an organization's objectives. However, the fact that each component must be present and functioning does not mean that each must function perfectly. Accordingly, monitoring does not seek to conclude on the effectiveness of individual internal control components operating in isolation.

Monitoring Applied to the Internal Control Process

Figure 1

III. A Model for Monitoring

See Vol. II, ¶¶ 20-21.

15. An effective approach to monitoring involves (1) establishing a foundation for monitoring, (2) designing and executing monitoring procedures that are prioritized based on risks to achieving organizational objectives, and (3) assessing and reporting the results, including following up on corrective action8 where necessary (see Figure 2).

The Monitoring Process

Figure 2

Establish a Foundation for Monitoring

See Vol. II, ¶ 22.

16. The foundation for monitoring includes (1) a tone at the top about the importance of internal control (including monitoring); (2) an organizational structure that considers the roles of management and the board in regard to monitoring and the use of evaluators with appropriate capabilities, objectivity, authority and resources; and (3) a baseline understanding of internal control effectiveness.

Tone at the Top

See Vol. II, ¶ 23.

17. As with every internal control component, the ways in which management and the board express their beliefs about the importance of monitoring have a direct impact on the effectiveness of internal control. Management's tone influences the way employees conduct and react to monitoring. Likewise, the board's tone influences the way management conducts and reacts to monitoring.

Organizational Structure

See Vol. II, ¶¶ 24-26.

18. Roles of Management and the Board — Management has the primary responsibility for the effectiveness of an organization's internal control system. Management establishes the system and implements monitoring to help ensure that it continues to operate effectively. The board's9 role is one of governance, guidance and oversight. For publicly listed companies, the board's responsibilities may be mandated by law, listing-exchange requirements or charter. For privately held and not-for-profit organizations, the board's responsibilities typically are listed in the board's charter.

19. Relative to monitoring, the board exercises its oversight responsibility by understanding the risks to organizational objectives, the controls that management has put in place to mitigate those risks, and how management monitors to help ensure that the internal control system continues to operate effectively. For controls that members of senior management may not be able to objectively monitor — such as those that they perform directly or those that address the risk of senior-management override — the board may determine that someone else with an appropriate level of objectivity should perform monitoring procedures. Such monitoring is often accomplished through an internal audit function or through other objective senior-management personnel.

20. The COSO Framework, on pages 26-27 and 86-87,10 contains some useful information regarding the role of boards and audit committees that is consistent with this guidance.

See Vol. II, ¶¶ 27-37.

21. Characteristics of Evaluators — Monitoring is conducted by evaluators who are appropriately competent and objective11 in the given circumstances. Competence refers to the evaluator's knowledge of the internal control system and related processes, including how controls should operate and what constitutes a control deficiency. The evaluator's objectivity refers to the extent to which he or she can be expected to perform an evaluation with no concern about possible personal consequences and no vested interest in manipulating the results for personal benefit or self-preservation.

Baseline Understanding of Internal Control Effectiveness

See Vol. II, ¶¶ 38-41.

22. Internal control systems fail because:

• They are not designed and implemented properly at the outset;
• They are designed and implemented properly, but the environment in which they operate changes (such as through changes in risks, people, processes or technology) and the design of the internal control system does not change accordingly; and/or
• They are designed and implemented properly, but their operation changes in some way, rendering them ineffective in managing or mitigating applicable risks.

23. In all three circumstances, a baseline understanding of the internal control system's effectiveness in a given area serves as a starting point for monitoring. Such a baseline allows organizations to design monitoring procedures (ongoing and separate evaluations) to address changes in "real time" by identifying those that (1) should be made in the operation of controls, or (2) have already occurred, enabling evaluators to confirm that they were managed properly. Accordingly, monitoring can be viewed at a high level as following this general sequence:

• Control Baseline — Establishing a starting point that includes a supported understanding of the internal control system's design and of whether controls have been implemented to accomplish the organization's internal control objectives
• Change Identification — Identifying, through ongoing monitoring and separate evaluations, changes in internal control that are either necessary or have already taken place
• Change Management — Evaluating the design and implementation of those changes, thus establishing a new baseline
• Control Revalidation/Update — Periodically revalidating control operation when no known changes have occurred

24. This broad depiction of monitoring is illustrated in Figure 3. It is intended to demonstrate how monitoring of a known effective internal control system is a process that looks for and evaluates changes that may have a bearing on its effectiveness. It is not intended to dictate monitoring procedures or a documentation format.

Monitoring for Change Continuum

Figure 3

25. Note that the four sequential elements described above in paragraph 23 do not reside solely within the monitoring component. For example, the risk assessment component might be considered chiefly responsible for identifying changes in the operating environment. Likewise, evaluating the proper design and implementation of changes in internal control might be considered a control activity. The monitoring component operates to help ensure that the other components are properly identifying and managing changes that affect internal control.
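The four-element sequence of paragraph 23 (control baseline, change identification, change management, control revalidation/update) can be made concrete for a single automated control. The Python below is an added example written for this edition, not code from COSO or from the Monitoring Guidance; the control identifier, its design attributes, the 90-day revalidation interval and the drift scenario are assumptions made for illustration.

```python
"""Monitoring-for-change continuum for one key control.

Added example, not code from the COSO Monitoring Guidance.  It models the four
elements of paragraph 23 for an automated payment-approval control:
  control baseline       -> fingerprint of the control's design attributes
  change identification  -> compare the live attributes with the baseline
  change management      -> an evaluated, approved change becomes the new baseline
  control revalidation   -> direct evidence refreshes the baseline when nothing changed
The attribute names, the 90-day interval and the drift scenario are assumptions.
"""
import hashlib
import json
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class Baseline:
    control_id: str
    attributes: dict        # design attributes, e.g. approval limit, approver role
    digest: str             # fingerprint of `attributes`
    validated_at: datetime  # last time direct information confirmed operation


@dataclass
class MonitorResult:
    status: str             # "unchanged", "changed" or "revalidation_due"
    diff: dict = field(default_factory=dict)


def fingerprint(attributes):
    """Canonical JSON before hashing so key order never looks like a change."""
    canon = json.dumps(attributes, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canon.encode()).hexdigest()


def establish_baseline(control_id, attributes, validated_at):
    return Baseline(control_id, dict(attributes), fingerprint(attributes), validated_at)


def diff_attributes(old, new):
    """{key: (baseline value, current value)} for every attribute that differs."""
    return {k: (old.get(k), new.get(k)) for k in sorted(set(old) | set(new))
            if old.get(k) != new.get(k)}


def identify_change(baseline, current, now, revalidation_interval):
    """Change identification; falls through to a revalidation check when unchanged."""
    if fingerprint(current) != baseline.digest:
        return MonitorResult("changed", diff_attributes(baseline.attributes, current))
    if now - baseline.validated_at > revalidation_interval:
        return MonitorResult("revalidation_due")
    return MonitorResult("unchanged")


def manage_change(baseline, current, approved, now):
    """An approved change is re-baselined; an unapproved one keeps being flagged."""
    return establish_baseline(baseline.control_id, current, now) if approved else baseline


def revalidate(baseline, direct_evidence_ok, now):
    """Periodic revalidation with direct information resets the clock only on success."""
    if direct_evidence_ok:
        return Baseline(baseline.control_id, baseline.attributes, baseline.digest, now)
    return baseline


def demo():
    """Walk one control through drift, rejection, restoration and revalidation."""
    interval = timedelta(days=90)
    t0 = datetime(2022, 1, 1)
    design = {"approval_limit_usd": 10000, "approver_role": "Controller", "two_person": True}
    base = establish_baseline("PAY-APPROVE-01", design, t0)

    drifted = {"approval_limit_usd": 50000, "approver_role": "Controller", "two_person": False}
    r1 = identify_change(base, drifted, t0 + timedelta(days=10), interval)    # changed
    base = manage_change(base, drifted, approved=False, now=t0 + timedelta(days=10))
    r2 = identify_change(base, drifted, t0 + timedelta(days=11), interval)    # still changed

    r3 = identify_change(base, design, t0 + timedelta(days=100), interval)    # revalidation_due
    base = revalidate(base, direct_evidence_ok=True, now=t0 + timedelta(days=100))
    r4 = identify_change(base, design, t0 + timedelta(days=101), interval)    # unchanged
    return [r.status for r in (r1, r2, r3, r4)], r1.diff


if __name__ == "__main__":
    print(demo())
```

Two design points follow the guidance rather than convenience: a change that is detected but not approved is not absorbed into the baseline, so it is raised again on every run until someone evaluates it, and a control that has not changed still comes due for revalidation with direct information once the agreed interval passes, which is the "Control Revalidation/Update" element rather than a change event.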

Design and Execute Monitoring Procedures

See Vol. II, ¶¶ 42-53.

26. Monitoring should enable evaluators to assess persuasive information about the operation of one or more controls that address meaningful risks to the organization's objectives. Accordingly, evaluators might consider designing monitoring by following the logical progression depicted in Figure 4. Note, however, that this progression is not meant to imply a rigid, compartmentalized monitoring process where each step starts and stops before the next. Monitoring is a dynamic process and each of these "steps" operates, to some extent, at all times. This graphic, and the discussion that follows, is intended to portray the general flow of monitoring in practice.

1. Prioritize Risks

See Vol. II, ¶¶ 45-47, 54-58.

27. The effectiveness and efficiency of monitoring can be enhanced by linking it to the results of the risk assessment component. This connection enables evaluators to focus their monitoring attention on controls that address meaningful risks to the organizational objectives for which they are responsible.

Monitoring Design and Implementation Progression

Figure 4

28. Meaningful risks are those that might reasonably, in a given time frame, have a consequential effect on organizational objectives and are determined through the risk assessment component of internal control. Such risks may vary between similar organizations and between different levels within the same organization. For example, controls that mitigate the risk of supplies theft may fall within the monitoring responsibilities of a retail chain store manager, but may not warrant the frequent attention of the chief executive officer in the context of his or her organization-wide responsibilities.

29. Risk prioritization is a natural part of the risk assessment component of internal control. Its inclusion here is not meant to imply the need for a separate risk assessment function dedicated solely to supporting monitoring. In a properly operating internal control system, the risk assessment component will routinely identify and prioritize risks to the organization's objectives. The results of that process will then influence decisions regarding the type, timing and extent of monitoring.

2. Identify Key Controls

See Vol. II, ¶¶ 48-51, 59-62.

30. Controls that address meaningful risks are then selected for evaluation based on their ability to provide support for a reasonable conclusion about the internal control system's effectiveness. Such controls, referred to as key controls in this guidance, may operate within any or all of COSO's five components.

31. Selecting key controls that address meaningful risks enhances the effectiveness and efficiency of monitoring by focusing on that which provides an adequate but not excessive level of support for a conclusion about the internal control system's ability to achieve identified objectives.

32. Organizations can identify key controls12 by (1) understanding how the internal control system is designed to manage or mitigate meaningful risks, and (2) determining which controls will contribute most to the monitoring conclusion. Key controls often have one or both of the following characteristics:

• Their failure could materially affect the objectives for which the evaluator is responsible, but might not be detected in a timely manner by other controls, and/or
• Their operation might prevent other control failures or detect such failures before they have an opportunity to become material to the organization's objectives.

33. The intent of identifying key controls is not to suggest that some controls are more important to the internal control system than others, but to help organizations devote monitoring resources where they can provide the most value.



3. Identify Persuasive Information

See Vol. II, ¶¶ 52, 63-83.

34. Once key controls are selected, evaluators identify the information that will support a conclusion about whether those controls have been implemented and are operating as designed. Identifying this information entails knowing how control failure might occur and what information will be persuasive in determining whether the internal control system is or is not operating effectively.

See Vol. II, ¶¶ 63-64.

35. To be effective, monitoring must evaluate a sufficient amount of suitable information. Suitable information is relevant, reliable and timely in the given circumstances. Sufficient suitable information provides the evaluator with the support needed to conclude on the internal control system's ability to manage or mitigate identified risks. COSO's Monitoring Guidance refers to information that meets these conditions as "persuasive."

See Vol. II, ¶¶ 65-76.

36. One important aspect of relevance (and, thus, of persuasive information) is the distinction between direct and indirect information. Direct information is obtained by observing controls in operation, reperforming them, or otherwise evaluating their operation directly. It can be useful in both ongoing monitoring and separate evaluations. Generally, direct information is highly relevant because it provides an unobstructed view of control operation.

37. Indirect information is all other information that may indicate a change or failure in the operation of controls. It can include, but is not limited to, (1) operating statistics, (2) key risk indicators, (3) key performance indicators, and (4) comparative industry metrics.

38. Monitoring using indirect information identifies anomalies that may signal a control change or failure and subjects them to further investigation. Indirect information does not, however, provide an unobstructed view of control operation, thus it is less able than direct information to identify control deficiencies. Existing control deficiencies may not yet have resulted in errors significant enough to be identified as an anomaly, or the indirect information may have lost its ability over time to identify anomalies. Indirect information is therefore limited as to the level of support (i.e., persuasiveness) it can provide on its own, especially over a long period of time.


39. The value of indirect information in monitoring depends on several factors, including:

• Its level of precision — More-precise indirect information is better able to identify anomalies that indicate a control failure.
• The degree of variability in the outcomes — Indirect information is better able to identify anomalies in processes that typically generate consistent, predictable results.
• The adequacy of the follow-up procedures — The skills and experience of people responsible for investigating anomalies, and the diligence with which they conduct their follow-up procedures, affect the ability of indirect information to identify a control failure.
• The length of time since the operation of the underlying controls was last validated through persuasive direct information — As time passes and operating environments change, indirect information loses its ability to detect control failures. Periodically reestablishing the control baseline using direct information helps evaluators validate or modify the nature, timing and extent of indirect information used in monitoring.
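The first two factors above (precision and variability) decide whether an indirect signal can see a control failure at all. The Python below is an added example, not from the guidance: it treats a monthly operating statistic (payables outflow) as a key risk indicator, scores each month against a trailing baseline, and injects the same silent failure of a duplicate-payment control into a consistent process and into a highly variable one. The two series, the 5% leakage effect and the three-standard-deviation threshold are constructed assumptions.

```python
"""Indirect information as a monitoring signal.

Added example, not code from the COSO Monitoring Guidance.  A key risk
indicator (monthly payables outflow) is scored against a trailing baseline
window; a control failure is "seen" only when the process is consistent enough
for the failure's effect to stand out.  All series and the injected failure
effect are constructed assumptions.
"""
from statistics import mean, stdev


def zscore(history, observation):
    """Standard score of one observation against a baseline window."""
    mu, sd = mean(history), stdev(history)
    if sd == 0:                      # perfectly flat history: any deviation is an anomaly
        return 0.0 if observation == mu else float("inf")
    return (observation - mu) / sd


def flag_anomalies(series, window=12, threshold=3.0):
    """Indexes whose value is at least `threshold` standard deviations from the
    preceding `window` observations (the trailing baseline)."""
    return [i for i in range(window, len(series))
            if abs(zscore(series[i - window:i], series[i])) >= threshold]


def inject_failure(months, start, uplift):
    """Model a silently failed duplicate-payment control: from `start` on, every
    month's outflow is inflated by `uplift` (a fraction)."""
    return [v * (1 + uplift) if i >= start else v for i, v in enumerate(months)]


# Constructed: 12 clean months of outflow (in thousands) followed by 3 months in
# which the true underlying activity is flat at 1000 but the control has failed.
CONSISTENT = [1000, 1004, 998, 1002, 1001, 999, 1003, 997, 1000, 1002, 998, 1001] + [1000] * 3
VARIABLE = [1000, 1150, 870, 1210, 940, 1080, 800, 1190, 960, 1120, 850, 1230] + [1000] * 3
FAILURE_START = 12      # first month the failure is in effect


def demo(uplift=0.05, threshold=3.0):
    """Same 5% leakage in both processes; report whether the KRI catches it."""
    out = {}
    for name, months in (("consistent_process", CONSISTENT), ("variable_process", VARIABLE)):
        observed = inject_failure(months, FAILURE_START, uplift)
        z_first = zscore(observed[:FAILURE_START], observed[FAILURE_START])
        out[name] = {
            "z_at_failure": round(z_first, 1),
            "flagged_months": flag_anomalies(observed, window=12, threshold=threshold),
        }
    return out


if __name__ == "__main__":
    for name, r in demo().items():
        print(f"{name}: z={r['z_at_failure']}, flagged months={r['flagged_months']}")
```

In the consistent process the first failed month sits more than twenty standard deviations from its baseline and is flagged; in the variable process the identical leakage is well inside normal month-to-month swing and never surfaces, which is the second bullet above in numbers. Because the window is trailing, an uncorrected failure also drifts into the baseline over subsequent months and the signal fades, which is why the fourth bullet asks for the baseline to be periodically re-established with direct information rather than inferred from the indicator itself.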

40. The table in Volume II, paragraph 76 highlights some additional factors that may influence an organization's decisions regarding the amount of direct and/or indirect information it uses in monitoring.

4. Implement Monitoring

See Vol. II, ¶¶ 53, 84-93.

41. With risks prioritized, key controls selected, and available persuasive information identified, the organization implements monitoring procedures that evaluate the internal control system's effectiveness in managing or mitigating the identified risks to organizational objectives. Monitoring involves the use of ongoing monitoring procedures and/or separate evaluations to gather and analyze persuasive information supporting conclusions about the effectiveness of internal control across all five COSO components.

42. The COSO Framework makes an important point with respect to building monitoring into the routine operations of an organization:

"An entity that perceives a need for frequent separate evaluations should focus on ways to enhance its ongoing monitoring activities, and, thereby, to emphasize 'building in' versus 'adding on' controls."13

43. Ongoing monitoring occurs when the routine operations of an organization provide feedback — through both direct and indirect information — to those responsible for the effectiveness of the internal control system. It includes regular management and supervisory activities, peer comparisons and trend analysis using internal and external data, reconciliations, and other routine actions. Ongoing monitoring might also include automated tools that electronically evaluate controls and/or transactions.

44. Because they are performed routinely, often on a real-time basis, ongoing monitoring procedures can offer the first opportunity to identify and correct control deficiencies. When external reporting requirements exist, management may design ongoing monitoring such that it provides the majority of evidence management needs to support its assertions, possibly reducing the extent of separate evaluations whose sole purpose is to support the external assertions.

45. Separate evaluations can employ the same techniques as ongoing monitoring, but they are designed to evaluate controls periodically and are not ingrained in the routine operations of the organization. They do, however, play an important role in monitoring in that they often:

• Provide an objective analysis of control effectiveness when performed by personnel who are not involved in the operation of the control, and
• Provide periodic feedback regarding the effectiveness of ongoing monitoring procedures.

46. When ongoing monitoring is effective, periodic separate evaluations are used as necessary to reconfirm the conclusions reached through ongoing monitoring. Separate evaluations are also used to address controls that are not subject to ongoing monitoring.

47. As the likelihood and/or potential significance of a control's failure increases, the length of time between separate evaluations typically decreases. Conversely, as risk decreases, organizations may determine to increase the time between separate evaluations. The presence of ongoing monitoring using appropriately persuasive information can also increase the interval between separate evaluations.

Assess and Report Results

See Vol. II, ¶¶ 94-95.

48. Monitoring includes reporting results to appropriate personnel. This final stage enables the results of monitoring to either confirm previously established expectations about the effectiveness of internal control or highlight identified deficiencies for possible corrective action.

Prioritize and Communicate Results

See Vol. II, ¶¶ 96-97.

49. Identifying and prioritizing potential control deficiencies allows organizations to determine (1) the levels to which the potential deficiencies should be reported, and (2) the corrective action, if any, that should be taken. Several factors may influence an organization's prioritization of identified deficiencies, including:

• The likelihood that the deficiency will materially affect the achievement of an organizational objective,
• The effectiveness of compensating controls, and
• The aggregating effect of multiple deficiencies.

Report Internally

See Vol. II, ¶¶ 98-101.

50. Reporting protocols vary depending on the purpose for which the monitoring is conducted and the severity of the deficiencies. Typically, the results of monitoring conducted for purposes of evaluating internal control related to an organization's entity-wide objectives are reported to senior management and the board. Examples include monitoring of internal control over financial reporting or monitoring of controls over operations that are material to the organization's profitability.

51. Some monitoring, however, is conducted for purposes that might be relevant only to a part of an organization, e.g., a small subsidiary's operational monitoring to meet local goals that are not significant to the consolidated organization. Identified deficiencies in this case might have "higher likelihood" and "higher significance" relative to the subsidiary's objectives, but not to the organization's overall objectives. Reporting in such cases might be limited to local management personnel for whom the local goals are relevant.

52. In any case (except, perhaps, where fraud is suspected), control deficiencies should be reported to the person directly responsible for the control's operation and to management that has oversight responsibilities and is at least one level higher. Reporting at least to these two levels gives the responsible person the information necessary to correct control operation and also helps ensure that appropriately objective people are involved in the severity assessment and follow-up. At some point, deficiencies may become severe enough to warrant discussion with the board. Management and the board may wish to discuss in advance the nature and severity of deficiencies that should be reported to that level.

53. In situations where fraud is suspected, reporting may not occur to the person directly responsible for the control's operation. It should occur to higher levels, including to senior management and the board as appropriate.
Report Externally

See Vol. II, ¶¶ 102-107.

54. A properly designed and executed monitoring program helps support external assertions or certifications because it provides persuasive information that internal control operated effectively at a point in time or during a particular period.

55. The presence of external assertion requirements may affect the type, timing and extent of monitoring an organization decides to perform. Therefore, organizations that are not required to report, and those that are required to report publicly or to third parties on the effectiveness of their internal control system, may design and execute monitoring activities differently.

56. External reports that assert as to the effectiveness of an internal control system may need to withstand scrutiny by outsiders who (1) do not have management's implicit knowledge of controls, and (2) require enough persuasive information to form their own opinions about the effectiveness of internal control. As a result, an organization may wish to compare the scope of its monitoring program with the needs of external parties, such as auditors and regulators, to help ensure that all parties understand the available monitoring information, enabling them to maximize its use. In addition, the organization might be able to enhance the efficiency of external parties' work by directing them to portions of its monitoring procedures that they might use, or by making modifications to its monitoring program to better facilitate external parties' work. Such modifications might include:

• Using evaluators with a higher degree of objectivity in certain areas if doing so will enhance the ability of the external party to use their work;
• Increasing the use of direct information in monitoring of certain areas if doing so will enable the external party to more effectively and efficiently support its own conclusions; and
• Increasing the formality and detail of documentation in order to improve the external party's ability to understand and evaluate internal control.

See Vol. II, ¶¶ 105-107.

57. Most external reporting requirements are developed to address risks that are already contemplated by properly designed and executed monitoring procedures. Effective monitoring procedures generally provide substantial support for such assertions. In some circumstances, however, modifications to the monitoring program may be warranted or beneficial to the organization when external reporting is required.

Other Considerations

Monitoring Controls Outsourced to Others

See Vol. II, ¶¶ 108-109.

58. When organizations use external parties (also known as service providers) to provide certain services, such as a bank outsourcing loan servicing or a corporation outsourcing its benefit plan administration, the associated risks to organizational objectives still must be managed properly. Users of outsourced services (often referred to as "user organizations") should understand and prioritize the risks associated with those services. User organizations should also understand how the service provider's internal control system manages or mitigates meaningful risks, and obtain at least periodic information about the operation of those controls. This understanding may be attained through reviewing an independent audit or examination report provided by the service provider. Where such an audit or examination report is not available and where the level of risk warrants, user organizations may conduct their own periodic separate evaluations of key controls at the service provider.

59. User organizations may also find other useful sources of information about the design and operation of service organization controls such as through frequent interaction with the service provider, user group forums, and reports by internal auditors or regulatory authorities. Additionally, some user organizations may find it necessary to implement effective internal control over the processing performed by the service provider (e.g., comparison of input to output or reconciliation of service provider processing results to other independent records), which may reduce either the need to monitor controls of the service provider or the frequency with which to monitor them.
Using Technology for Monitoring

See Vol. II, ¶¶ 110-114.

60. Organizations often use information technology (IT) — through control monitoring tools and process management tools — to enhance monitoring. As the use of IT increases, both as part of an organization's operations and as tools used in monitoring, the need increases to evaluate internal control over those information systems.14

61. Control Monitoring Tools — Automated control monitoring tools perform routine tests and can enhance the effectiveness, efficiency and timeliness of monitoring specific controls. Some control monitoring tools are used to perform what is often referred to as "continuous controls monitoring." These tools complement normal transaction processing by checking every transaction, or selected transactions, for the presence of certain anomalies (e.g., identifying transactions that exceed certain thresholds, analyzing data against predefined criteria to detect potential controls issues such as duplicate payments, or electronically identifying segregation of duties issues). Many of these tools serve more as highly effective control activities (detecting individual errors and targeting them for correction before they become material) than they do as internal control monitoring activities. Regardless, if they operate with enough precision to prevent or detect an error before it becomes material, they can enhance the efficiency and effectiveness of the whole internal control system and may be key controls whose operation should be monitored.
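The three anomaly tests named in paragraph 61 (threshold exceedance, duplicate payments, segregation-of-duties conflicts) are small enough to show end to end. The Python below is an added example written for this edition, not a product or tool described by the guidance; the payment record layout, the approval limit, the 30-day duplicate window, the role names and the sample batch are all constructed assumptions.

```python
"""Continuous controls monitoring checks over a payment batch.

Added example, not a tool from the COSO Monitoring Guidance.  Three automated
tests of the kind paragraph 61 describes run over a constructed batch:
threshold exceedance, duplicate payments and segregation-of-duties conflicts.
Field names, thresholds, role names and the sample transactions are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Payment:
    pay_id: str
    vendor: str
    invoice: str
    amount: float
    paid_on: date
    created_by: str
    approved_by: str


@dataclass(frozen=True)
class Finding:
    check: str        # "threshold", "duplicate" or "sod"
    pay_ids: tuple    # payment(s) the finding refers to
    detail: str


def check_thresholds(payments, limit):
    """Any single payment above the approval limit is a finding."""
    return [Finding("threshold", (p.pay_id,), f"{p.amount:.2f} > {limit:.2f}")
            for p in payments if p.amount > limit]


def normalize_invoice(inv):
    """Duplicate submissions often differ only in case, spacing or punctuation."""
    return "".join(ch for ch in inv.upper() if ch.isalnum())


def check_duplicates(payments, window_days=30):
    """Same vendor and same normalized invoice number, or same vendor and same
    amount paid within `window_days`, is a probable duplicate payment."""
    found = []
    by_vendor = defaultdict(list)
    for p in payments:
        by_vendor[p.vendor].append(p)
    for vendor, group in by_vendor.items():
        group.sort(key=lambda p: p.paid_on)
        for i, a in enumerate(group):
            for b in group[i + 1:]:
                same_invoice = normalize_invoice(a.invoice) == normalize_invoice(b.invoice)
                near_repeat = (a.amount == b.amount and
                               b.paid_on - a.paid_on <= timedelta(days=window_days))
                if same_invoice or near_repeat:
                    why = "same invoice" if same_invoice else "same amount within window"
                    found.append(Finding("duplicate", (a.pay_id, b.pay_id), f"{vendor}: {why}"))
    return found


def check_sod(payments, conflicting_roles, user_roles):
    """Two SoD tests: self-approval, and an approver who holds a conflicting role
    pair (e.g. vendor-master maintenance plus payment approval)."""
    found = []
    for p in payments:
        if p.created_by == p.approved_by:
            found.append(Finding("sod", (p.pay_id,), f"{p.created_by} created and approved"))
        roles = user_roles.get(p.approved_by, set())
        for r1, r2 in conflicting_roles:
            if {r1, r2} <= roles:
                found.append(Finding("sod", (p.pay_id,), f"{p.approved_by} holds {r1}+{r2}"))
    return found


def run_ccm(payments, limit=25000.0, user_roles=None,
            conflicting_roles=(("vendor_master", "payment_approve"),)):
    """Run every check; findings sorted by check name, then payment id(s)."""
    user_roles = user_roles or {}
    findings = (check_thresholds(payments, limit)
                + check_duplicates(payments)
                + check_sod(payments, conflicting_roles, user_roles))
    return sorted(findings, key=lambda f: (f.check, f.pay_ids))


# Constructed sample batch (assumed vendors, users and roles).
SAMPLE = [
    Payment("P1", "ACME", "INV-1001", 12000.0, date(2022, 2, 1), "alice", "bob"),
    Payment("P2", "ACME", "inv 1001", 12000.0, date(2022, 2, 15), "alice", "bob"),  # same invoice
    Payment("P3", "ACME", "INV-1002", 12000.0, date(2022, 2, 20), "alice", "bob"),  # near repeat
    Payment("P4", "Globex", "G-77", 40000.0, date(2022, 2, 3), "carol", "carol"),   # limit + self-approval
    Payment("P5", "Initech", "I-9", 500.0, date(2022, 2, 4), "dave", "erin"),       # erin holds both roles
]
ROLES = {"erin": {"vendor_master", "payment_approve"}, "bob": {"payment_approve"}}

if __name__ == "__main__":
    for f in run_ccm(SAMPLE, user_roles=ROLES):
        print(f.check, f.pay_ids, f.detail)
```

Each finding is an individual transaction targeted for correction, which is the sense in which the paragraph calls such tools control activities rather than monitoring; what turns them into something monitoring can rely on is evidence that the checks themselves keep running with their intended thresholds and role tables, which is why the paragraph ends by treating them as key controls whose own operation should be monitored.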


62. Process Management Tools — Process management tools are designed to make monitoring more efficient and sustainable by facilitating some of the activities that affect monitoring, including assessing risks, defining and evaluating controls, and communicating results. These tools are most often used in situations in which responsibilities for controls are distributed throughout multiple or geographically dispersed business units, but they can also be of value to any organization — including smaller ones. Most of these tools use workflow techniques to provide structure and consistency to the performance and reporting of monitoring procedures.

See Vol. II, ¶¶ 115-118.

Formality and Level of Documentation

63. Management and boards of smaller organizations may need less documentation to support conclusions regarding control effectiveness — especially where senior management and the board have direct knowledge of the internal control system's operation. As organizations increase in size, the level of direct knowledge declines at the senior-management and board levels, thus increasing the need for more-formal monitoring documentation.

64. When external reporting is required (especially that which is subject to examination by auditors, regulators or other external parties), organizations of all sizes may find that more-formal documentation is a cost-effective way to improve the efficiency of meeting those requirements. For example, an external auditor, regulator or other external party may be able to conduct a more efficient audit or examination if he or she has access to documentation that demonstrates the results of management's monitoring.

65. More-formal documentation can be achieved through manual processes or through the use of software tools designed to retain and report the results of monitoring.



Scalability of Monitoring

66. Many factors can influence the type, timing and extent of an organization's monitoring. Two factors that warrant special mention are organizational size and complexity.

See Vol. II, ¶¶ 120-123.
67. Scalability Based on Size — Organizational size affects the design and conduct of monitoring. In most large organizations, neither senior management nor the board is in close proximity to the operation of many controls. As a result, both bodies often rely on monitoring procedures performed by other personnel through successive levels of management. These procedures are built into the day-to-day, ongoing monitoring activities that operate at each level of the organization (all of which "roll up" to a home office or headquarters). The ongoing monitoring activities typically are augmented by separate evaluations that are performed by a qualified internal audit function or other parties (e.g., lower-level management or other departments) and which lend support to the conclusion that the lower-level monitoring systems are operating effectively.

68. In smaller organizations, on the other hand, monitoring at the senior-management level often occurs much closer to the risk and related controls, giving the evaluators more direct information about the operation of controls. The greater quantity of direct information about the operation of internal control may allow the evaluator in a smaller organization to support his or her control conclusions without adding the additional monitoring procedures that may be necessary in a larger organization where the evaluator is further removed from the operation of controls.

See Vol. II, ¶¶ 124-127.

69. Scalability Based on Complexity — Size notwithstanding, some organizations are more complex than others. Factors influencing complexity include industry characteristics, regulatory requirements, number of products or service lines, level of centralization versus decentralization, use of prepackaged versus customized software, or the presence of certain types of transactions (e.g., complex capital structures, derivative transactions or acquisitions).
70. Because the level of complexity may vary by department or area, scaling of monitoring based on complexity is more difficult to apply to an entire organization than is scaling based on size. For example, an organization may use a prepackaged information system for one of its business processes, which can reduce certain IT-related risks (such as the risk of incorrect programming), but that same organization might also use a complex, internally developed software system for another business process, which, unless well controlled, can increase IT-related risks.


71. The level of complexity generally correlates with the level of risk. Accordingly, in areas of greater organizational complexity, one might expect more ongoing monitoring using direct information. In contrast, in areas of lesser complexity, ongoing monitoring using indirect information, along with periodic confirmation through separate evaluations that use direct information, might be appropriate.
72. Clearly, any plan for monitoring — if it is to remain effective and efficient — must recognize the variables that affect monitoring and be able to adapt to them as necessary. This implies that monitoring is not one-size-fits-all, but is unique to each organization's risk profile and internal control structure.

IV. Summary Considerations

73. Properly designed and executed monitoring (1) provides persuasive information to evaluators regarding the internal control system's effectiveness, and (2) identifies and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action and to management and the board as appropriate. In doing so, it facilitates the correction of control deficiencies before they materially affect the achievement of the organization's objectives.


74. The following general principles may be helpful in determining how best to utilize COSO's Monitoring Guidance:

1. Organizations should follow a systematic process in determining "what" and "how" to monitor. Figure 2 portrays such a process.

2. Monitoring considers how the entire internal control system addresses meaningful risks, not how individual control activities operate in isolation.

3. The board has important oversight responsibilities in monitoring internal control (especially the controls that relate to ensuring a strong tone at the top) and in mitigating the risk of management override.

4. A baseline understanding of internal control design and operating effectiveness serves as a good starting point for implementing monitoring procedures that are both effective and efficient.

5. Determining what to monitor should be influenced by:

a. The significance and likelihood of the underlying risk,

b. The nature of the controls that are designed to address the risk, and

c. The persuasiveness of the information needed to conclude whether the identified controls are operating effectively.

6. Organizations should consider using ongoing monitoring, when feasible, over separate evaluations where the risks and availability of information merit such an approach.
7. Effective monitoring relies on the development of persuasive information about the continued operation of controls or control elements, as evaluated by appropriately competent and objective evaluators.

8. Management must be enabled and expected to exercise reasonable judgment in determining the optimal approach to monitoring.

9. Monitoring generally includes the use of both direct and indirect information. However, indirect information can be used only for a finite period of time without some direct information supporting a conclusion that the underlying control is operating effectively.

10. Identified control deficiencies should be:

a. Evaluated as to their severity,

b. Reported to appropriate personnel, and

c. Considered for corrective action.

See Vol. II, ¶¶ 128-129.

75. In addition to the considerations above, organizations may benefit from periodically evaluating the overall effectiveness and efficiency of monitoring. The following questions — which may be asked at various levels, including the board level — may help with regard to those evaluations.

Effectiveness

1. Has the organization appropriately considered all of the risks that could materially affect its objectives?

2. What recent changes have taken place within the organization's environment, people, processes or technology, and did the organization properly consider the impact of those changes on internal controls, including possible alteration of related monitoring procedures?

3. How long has it been since the organization discussed, at an appropriate level of detail, the risks the organization faces related to operations, financial reporting, or compliance with laws and regulations? Is that period of time acceptable?

4. Have errors resulted from control failures that were not detected on a timely basis by the organization's routine monitoring procedures? If so, what changes in monitoring could prevent similar control failures?

5. What do the results of internal audits, external audits or regulatory exams tell the organization about the effectiveness of monitoring?

6. Do we have a process for tracking control deficiencies through evaluation and remediation?

7. Have all identified deficiencies been addressed properly?

Efficiency

1. Is the organization monitoring controls at a cost, effort or organizational level that is inconsistent with the amount of risk the controls mitigate?

2. Is the organization monitoring internal controls in areas that have never had a control failure and have not been known to cause errors in similar organizations? (Note: this may not be a reason to omit monitoring procedures, but it may affect the desired type, timing and extent of monitoring, including at what organizational level monitoring might be performed.)

3. Do risk areas exist within the organization that rarely experience meaningful change and which, given their level of risk, might lend themselves to control monitoring that varies in scope over time (e.g., using indirect information over longer periods of time between control baselines established using direct information)?

4. Does unwarranted duplication of effort occur where multiple people monitor the effectiveness of the same controls and where, given the level of risk, redundancy is not necessary?

5. Does the organization conduct additional evaluation procedures implemented solely to meet regulatory or other requirements? If so, are there elements of the organization's normal monitoring procedures that might provide the necessary level of monitoring support?

Footnotes

1 See the Glossary in Volume II for definitions of terms set in boldface.

2 Throughout this document, we use the terms "controls" and "internal controls" to refer to all of the
components of the internal control framework, i.e., the term is used to reference more than just the
control activities component.

3 COSO Framework, p. 69.

4 This guidance uses terms such as "meaningful risk," "persuasive information," "key controls," and
"direct and indirect information." These terms, and others, are defined in this guidance and the Glossary
at the end of Volume II. Their use is intended to make the guidance understandable to a broad
audience. It is not intended to force changes in the terminology organizations use when discussing or
documenting monitoring.

5 COSO Framework, p. 69.

6 COSO's 2006 Guidance refers specifically to internal control over financial reporting, but the concepts
can be applied to any internal control objective.

7 COSO Framework, p. 69, emphasis added.

8 Correcting deficiencies may be considered a management activity rather than an element of internal
control (see the COSO Framework, page 21, Exhibit 3). Regardless of how it is classified, correcting
control deficiencies should take place when the organization determines that control deficiencies are
severe enough to warrant correction.

9 Many organizations have boards of directors and related board committees to help oversee the conduct
of their activities. Other organizations may not have a formal board of directors, but may have
stakeholders who serve in a governance and oversight capacity. For simplicity, this guidance will use
the terms "board of directors" or "board" to refer to all groups charged with governance and
management oversight.

10 Competence and objectivity are also relevant factors to consider regarding information sources (i.e., the
people responsible for providing monitoring information to evaluators).

11 Reproduced in Volume II, Appendix B.

12 Key controls can include controls from any of the five COSO components, not just control activities.

13 COSO Framework, p. 70.

14 See Volume III, Chapter VI for more detailed application techniques regarding the use of technology in
monitoring.

Volume II: Application

January 2009

Committee of Sponsoring Organizations of the Treadway Commission

Board Members

Larry E. Rittenberg, COSO Chair
Mark S. Beasley, American Accounting Association
Michael P. Cangemi, Financial Executives International
Charles E. Landes, American Institute of Certified Public Accountants
David A. Richards, The Institute of Internal Auditors
Jeffrey Thomson, Institute of Management Accountants

Grant Thornton LLP - Author

Principal Contributors

R. Trent Gazzaway (Project Leader), Managing Partner of Corporate Governance, Grant Thornton LLP - Charlotte
James P. Burton, Partner, Grant Thornton LLP - Denver
J. Russell Gates, President, Dupage Consulting LLC - Chicago
Keith O. Newton, Partner, Grant Thornton LLP - Chicago
Sridhar Ramamoorti, Partner, Grant Thornton LLP - Chicago
Richard L. Wood, Partner, Grant Thornton LLP - Toronto
R. Jay Brietz, Senior Manager, Grant Thornton LLP - Charlotte
Review Team

Andrew D. Bailey Jr., Senior Policy Advisor, Grant Thornton LLP - Phoenix
Dorsey L. Baskin Jr., Regional Partner of Professional Standards, Grant Thornton LLP - Dallas
Craig A. Emrick, VP - Senior Accounting Analyst, Moody's Investors Service
Philip B. Livingston, Vice Chairman, Approva Corporation; Former President and CEO, Financial Executives International

COSO Task Force

Abraham D. Akresh, Senior Level Expert for Auditing Standards, U.S. Government Accountability Office
Douglas J. Anderson, Corporate Auditor, Dow Chemical Company
Robert J. Benoit, President and Director of SOX Research, Lord & Benoit, LLC
Richard D. Brounstein, Chief Financial Officer, NewCardio, Inc.; Director, The CFO Network
Jennifer M. Burns, Partner, Deloitte & Touche LLP
Paul Caban, Assistant Director, U.S. Government Accountability Office
James W. DeLoach, Managing Director, Protiviti
Miles E. Everson, Partner, PricewaterhouseCoopers LLP
Audrey A. Gramling, Associate Professor, Kennesaw State University
Scott L. Mitchell, Chairman and CEO, Open Compliance & Ethics Group
James E. Newton, Partner, KPMG LLP
Edith G. Orenstein, Director, Technical Policy Analysis, Financial Executives International
John H. Rife, Partner, Ernst & Young LLP
Michael P. Rose, Partner, Grant Thornton LLP
Robert S. Roussey, Professor of Accounting, University of Southern California; Former CEO and Senior Partner, GR Consulting LLP
Andre Van Hoek, Vice President, Corporate Controller, Celgene Corporation

Observer

Securities and Exchange Commission

Josh K. Jones, SEC Observer, Professional Accounting Fellow

I. Monitoring as a Component of Internal Control Systems

1. In 1992, The Committee of Sponsoring Organizations of the Treadway Commission (COSO) developed the Internal Control — Integrated Framework (the COSO Framework), consisting of five interrelated and equally important components (Figure 1). Four components relate to the design and operation of the system of internal control: control environment, risk assessment, control activities, and information and communication. The fifth component — monitoring — is designed to "ensure that internal control continues to operate effectively."1

The COSO Internal Control Integrated Framework

Figure 1

2. In 2006, COSO published the Internal Control Over Financial Reporting — Guidance for Smaller Public Companies (COSO's 2006 Guidance), which further developed the understanding of how all five internal control components work cohesively to form an effective internal control system. Although targeted to smaller public companies' reporting on internal control over financial reporting, COSO's 2006 Guidance contains information that should be (1) helpful to all organizations, regardless of size,2 and (2) relevant to all of the COSO objectives. Its 20 principles (reproduced in Appendix A) and supporting attributes clarify the COSO Framework so that organizations might apply the Framework more effectively and efficiently. Principles 19 and 20 relate specifically to monitoring — namely, (1) monitoring procedures are designed and implemented to provide information on whether the internal control system operates effectively over time, and (2) internal control deficiencies3 are identified and communicated in a timely manner to those parties responsible for taking corrective action and to management and the board as appropriate.

3. The primary factor leading to the development of this guidance was the observation by COSO that many organizations were not effectively utilizing the monitoring component to support conclusions about the effectiveness of internal control over financial reporting. Some organizations had effective monitoring in certain areas, but were not optimizing the results of that monitoring to support their conclusions about the effectiveness of internal control. Instead, they were adding redundant, often unnecessary procedures designed to evaluate controls for which management — through its existing monitoring efforts — already had sufficient support. In other cases, organizations were not making the best use of ongoing monitoring procedures or lacked necessary monitoring procedures altogether, which may have caused them to implement inefficient year-end evaluations to support their conclusions about the effectiveness of internal control.

COSO's 2006 Guidance

Principle 19: "Ongoing and/or separate evaluations enable management to determine whether the other
components of internal control over financial reporting continue to function over time."

Principle 20: "Internal control weaknesses are identified and communicated in a timely manner to those parties
responsible for taking corrective action and to management and the board as appropriate."

4. This Guidance on Monitoring Internal Control Systems (COSO's Monitoring Guidance) is intended to help any organization design, implement and evaluate monitoring procedures that achieve the principles of the monitoring component in an effective and efficient manner. It is intended to reinforce and clarify, not add to or change, the sound principles of monitoring previously established through the 1992 COSO Framework and COSO's 2006 Guidance.


5. This guidance is designed to apply to all three objectives addressed in the COSO Framework: the effectiveness and efficiency of operations, the reliability of financial reporting, and compliance with applicable laws and regulations. However, recognizing that the primary application of this guidance may be related to monitoring internal control over financial reporting (ICFR), most of the examples included herein concentrate on the financial reporting objective.

Role of Monitoring

6. In an effective internal control system, the COSO Framework's five components work together, providing reasonable assurance to management and the board of directors4 regarding the achievement of the organization's objectives.5 The monitoring component helps ensure that the internal control system continues to operate effectively. As such, the effective operation of the monitoring component provides value to the organization in three ways:

• It enables management and the board to determine whether the internal control system — including all five components — continues to operate effectively over time. Thus, it provides valuable support for assertions, if required, about the internal control system's effectiveness.
• It improves the organization's overall effectiveness and efficiency by providing timely evidence of changes that have occurred, or might need to occur, in the design or operation of internal control, thus helping the organization to identify and correct control deficiencies before they materially affect the internal control system's ability to achieve the organization's objectives.
• It promotes good control operation. When people who are responsible for internal control know their work is subject to oversight through monitoring, they are more likely to perform their duties properly over time.

1992 COSO Framework

"Monitoring ensures that internal control continues to operate effectively. This process involves assessment by
appropriate personnel of the design and operation of controls on a suitably timely basis, and the taking of
necessary actions. It applies to all activities within an organization, and sometimes to outside contractors as well."

7. Properly designed and executed monitoring requires planning that leads to the evaluation of persuasive information, which is both suitable and sufficient in the circumstances.6 In contrast, ineffective monitoring, over time, allows the natural deterioration of internal control systems. Controls within any or all of the five components may change, cease to operate or lose effectiveness because of changes in circumstances. Accordingly, monitoring should be designed to identify and evaluate such changes in a timely fashion.


8. A system of internal control cannot guarantee the achievement of organizational objectives, and monitoring cannot guarantee the prevention or detection of all control deficiencies. However, when properly designed and executed, monitoring does provide support for a reasonable conclusion about the effectiveness of the internal control system.


9. Monitoring considers how the entire internal control system manages or mitigates risks to achieving the organization's objectives. Its effectiveness and efficiency are enhanced when it draws from the conclusions reached in the risk assessment component, allowing the organization to design monitoring procedures that are commensurate with the level of risk. Organizations further enhance monitoring's effectiveness and efficiency by selecting controls7 to monitor based on the level of support they are likely to provide regarding conclusions about the internal control system's effectiveness. In contrast, monitoring is less effective and efficient when it focuses on a checklist of control activities that are selected for evaluation without regard to (1) the level of the risk they address, or (2) the amount of support they provide.

10. Many organizations will find that the elements of monitoring described in this guidance are part of their routine activities. This guidance will help them identify and more effectively utilize existing monitoring (e.g., to provide support for external assertions regarding internal control effectiveness). Other organizations may find that they lack effective monitoring or perform monitoring in an inefficient manner. This guidance will help them improve their monitoring procedures.

Structure of Effective Internal Control Systems

11. The COSO Framework states that:

Internal control is a process, effected by an entity's board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:

• Effectiveness and efficiency of operations,
• Reliability of financial reporting, and
• Compliance with applicable laws and regulations.8

12. Organizations achieve these objectives through the operation of the five interrelated components of internal control. These components provide a framework for understanding internal control and assessing its effectiveness.


13. The concepts embodied in the COSO Framework are frequently presented in the form of a three-dimensional cube (see page 1, Figure 1) that depicts the five components operating across each internal control objective9 and within all organizational units and activities.


14. Not only does the cube demonstrate the connections between objectives and components, it also illustrates that the control components operate at different levels across the organization — a concept that is often overlooked. Like the other control components, monitoring can operate at different levels. As organizations increase in size, evaluators at the highest organizational levels — who are removed from direct interaction with controls or process owners — often monitor by evaluating the results of monitoring activities performed at another level. Conversely, in smaller organizations, management often has more direct exposure to the operation of controls and, thus, might rely less on monitoring performed by others.

15. The interrelationships embodied in the components of the COSO Framework have also been illustrated in the process-oriented graphic included in COSO's 2006 Guidance. This graphic (modified in Figure 2) depicts the monitoring component as a process that evaluates the internal control system's effectiveness, in its entirety, in managing or mitigating meaningful risks to organizational objectives. This process view of the COSO Framework demonstrates that monitoring does not seek to conclude on the effectiveness of individual internal control components operating in isolation.
Monitoring Applied to the Internal Control Process

Figure 2

16. This view also shows that internal controls10 are developed (1) in response to one or more identified risks that affect the achievement of organizational objectives, (2) within the context of an effective control environment, and (3) with proper information and communication. The process includes:

1. Setting objectives,

2. Identifying risks to achieving those objectives,

3. Prioritizing those risks, and

4. Designing and implementing responses to the risks (e.g., internal control).

17. Many organizations design and implement monitoring procedures in conjunction with step #4 above. Doing so allows the organization to utilize the results of the risk assessment process to facilitate the design of the entire internal control system, including monitoring activities. However, monitoring activities can be designed or adjusted after other elements of the internal control system have been implemented.
18. In order to implement monitoring that provides the necessary level of support, organizations must make several decisions. Some of those key decision points — and the paragraphs in this Volume in which they are discussed — are listed below.

Who should perform monitoring: Paragraphs 27-37
What controls to consider: Paragraphs 54-62
What information to evaluate: Paragraphs 63-83
What procedures to employ and how often: Paragraphs 84-93
How to assess and report results: Paragraphs 94-107

19. This list and the following model for monitoring are not meant to prescribe an order of events, but to portray monitoring within an organization as a dynamic and continually evolving process.

A Model for Monitoring

The Monitoring Process

Figure 3

20. Management implements monitoring by (see Figure 3):

1. Establishing a foundation for monitoring, including:

• A tone at the top that stresses the importance of monitoring,
• An effective organizational structure that considers the roles of management and the board in regard to monitoring, and places people with appropriate capabilities, objectivity, authority and resources in monitoring roles, and
• A baseline understanding of internal control effectiveness.

2. Designing and executing monitoring procedures that:

• Evaluate controls in areas of meaningful risk,
• Select appropriate controls for evaluation from across any or all of the five components,

• Changes — Identifying and reporting changes to critical resources, data or information, making it possible to verify that changes are appropriate and authorized.
• Processing integrity — Verifying and monitoring the completeness and accuracy of data as it progresses through various IT processes and systems.
• Error management — Monitoring the volume and resolution of activity in suspense areas, error logs or exception reports, typically as part of an application system.

112. Some control monitoring tools are used to perform what is often referred to as "continuous controls monitoring." These tools complement normal transaction processing by checking every transaction, or selected transactions, for the presence of certain anomalies (e.g., identifying transactions that exceed certain thresholds, analyzing data against predefined criteria to detect potential controls issues such as duplicate payments, or electronically identifying segregation of duties issues). Many of these tools serve more as highly effective control activities (detecting individual errors and targeting them for correction before they become material) than they do as internal control monitoring activities. Regardless, if they operate with enough precision to detect an error before it becomes material, they can enhance the efficiency and effectiveness of the whole internal control system and may be key controls whose operation should be monitored.

113. To the extent that manual procedures, such as review and follow-up, are necessary components of these tools, their effectiveness should be considered.


114. Process management tools — Process management tools are designed to make monitoring more efficient and sustainable by facilitating some of the activities that affect monitoring, including assessing risks, defining and evaluating controls, and communicating results. These tools are most often used in situations in which responsibilities for controls are distributed throughout multiple or geographically dispersed business units, but they can also be of value to any organization — including smaller ones. Most of these tools use workflow techniques to provide structure and consistency to the performance and reporting of monitoring procedures. Some features that make these tools useful include their ability to:

• Coordinate the risk assessment process at both the entity and transaction-flow levels;
• Provide a repository for process, control and monitoring documentation;
• Enhance the communication process as it relates to the identification, evaluation and resolution of internal control deficiencies, including their severity and any remediation activities;
• Support the "roll-up" of information about risks and controls at various levels within an organization; and
• Provide simplified dashboards showing relevant control performance indicators and the current status of differing aspects of management's control evaluation process.

Formality and Level of Documentation

115. Management and boards of smaller organizations may need less documentation to support conclusions regarding control effectiveness — especially where senior management and the board have direct knowledge of the internal control system's operation. As organizations increase in size, the level of direct knowledge declines at the senior-management and board levels, thus increasing the need for more-formal monitoring documentation.

116. When external reporting is required (especially reporting that is subject to examination by auditors, regulators or other external parties), organizations of all sizes may find that more-formal documentation is a cost-effective way to improve the efficiency of meeting those requirements. For example, an external auditor, regulator or other external party may be able to conduct a more efficient audit or examination if he or she has access to documentation that demonstrates the results of management's monitoring.

117. More-formal documentation can be achieved through manual processes or through the use of software tools designed to retain and report the results of monitoring.


118. Beyond adjusting the formality and level of documentation, organizations may find benefit and cost-effectiveness in coordinating certain monitoring procedures with any external parties who may conduct an independent audit or examination of internal control.

Scalability of Monitoring
119. Many factors can influence the type, timing and extent of an organization's monitoring. Two factors that warrant special mention are organizational size and complexity, both of which have been discussed throughout this guidance. Following are some additional thoughts regarding the impact of size and complexity.

Scalability Based on Size

120. Organizational size affects the design and conduct of monitoring. In most large organizations, neither senior management nor the board is in close proximity to the operation of many controls. As a result, they often rely on monitoring procedures performed by other personnel through successive levels of management. These procedures are built into the day-to-day, ongoing monitoring activities that operate at each level of the organization (Figure 9),34 all of which "roll up" to a home office or headquarters, and typically are augmented by separate evaluations performed by a qualified internal audit function or other parties (e.g., lower-level management or other departments). These periodic separate evaluations lend support to the conclusion that the smaller monitoring systems are operating effectively.

Figure 9: Sample Large-Company Financial Reporting Monitoring Structure

121. In smaller organizations, on the other hand, monitoring at the senior-management level often occurs much closer to the risk and related controls, giving the evaluators more direct information about the operation of controls. Monitoring in the smaller organization (Figure 10) can look much like monitoring at lower levels in a large organization (Figure 9). The primary difference is that the lead evaluator (the CFO in the examples) in the larger organization performs more monitoring of other monitoring procedures, where the lead evaluator in the smaller organization performs more monitoring of actual internal controls. The greater quantity of direct information about the operation of internal control may allow the evaluator in a smaller organization to support his or her control conclusions without adding the additional monitoring procedures that may be necessary in a larger organization where the evaluator is further removed from the operation of controls.

Figure 10: Sample Small-Company Financial Reporting Monitoring Structure

122. Large organizations do have the advantage of scale. Because their risks are more dispersed, control problems that are confined to one area may not be material to the organization as a whole. For example, a company that has 20 people processing invoices, one of whom is not properly trained, may be able to operate for some time without material error. On the other hand, an organization that has only one person processing invoices cannot afford for that person to be improperly trained; such a deficiency would increase the importance of management's daily observation of internal control. In addition, management's objectivity in a smaller organization may be impaired by the fact that it performs some of the control activities that are subject to monitoring, placing greater importance on the monitoring activities of the board or audit committee.

123. Small organizations, however, can be more efficient than large organizations in prioritizing risks, identifying controls for evaluation and determining what information to use in the evaluation process because knowledge about risks and controls typically is contained within a small group.

Scalability Based on Complexity
124. Size notwithstanding, some organizations are more complex than others. Factors influencing complexity include industry characteristics, regulatory requirements, number of products or service lines, level of centralization versus decentralization, use of prepackaged versus customized software, or the presence of certain types of transactions (e.g., complex capital structures, derivative transactions or acquisitions).

125. Because the level of complexity may vary by department or area, scaling of monitoring based on complexity is more difficult to apply to an entire organization than is scaling based on size. For example, an organization may use a prepackaged information system for one of its business processes, which can reduce certain IT-related risks (such as the risk of incorrect programming), but that same organization might also use a complex internally developed software system for another business process which, unless well-controlled, can increase IT-related risks.


126. The level of complexity generally correlates with the level of risk. Accordingly, in areas of greater organizational complexity, one might expect more ongoing monitoring using direct information. In contrast, in areas of lesser complexity, ongoing monitoring using indirect information, along with periodic confirmation through separate evaluations that use direct information, might be appropriate.

127. Clearly, any plan for monitoring — if it is to remain effective and efficient — must recognize the variables that affect monitoring and be able to adapt to them as necessary. This implies that monitoring is not one-size-fits-all, but is unique to each organization's risk profile and internal control structure.

VI. Assessing the Effectiveness and Efficiency of Monitoring

128. Effective internal control systems enable organizations to manage risks and uncertainties in their environment and processes and in the information they use to make decisions. They promote efficiency, reduce risk of loss, and help ensure the reliability of financial statements and compliance with laws and regulations.

129. As the COSO Framework indicates, the monitoring component of internal control "ensures that internal control continues to operate effectively."35 The ultimate goal of monitoring is met when organizations use the most efficient means possible to gather and evaluate appropriately persuasive information about the effectiveness of the internal control system in addressing meaningful risks to organizational objectives. Accordingly, it may be helpful to periodically evaluate the overall effectiveness and efficiency of monitoring. The following questions — which may be asked at various levels, including the board level — may help in that regard.

Effectiveness

1. Has the organization appropriately considered all of the risks that could materially affect its objectives?

2. What recent changes have taken place within the organization's environment, people, processes or technology,
and did the organization properly consider the impact of those changes on internal controls, including possible
alteration of related monitoring procedures?

3. How long has it been since the organization discussed, at an appropriate level of detail, the risks the
organization faces related to operations, financial reporting, or compliance with laws and regulations? Is that
period of time acceptable?

4. Have errors resulted from control failures that were not detected on a timely basis by the organization's routine
monitoring procedures? If so, what changes in monitoring could prevent similar control failures?

5. What do the results of internal audits, external audits or regulatory exams tell the organization about the
effectiveness of monitoring?

6. Does the organization have a process for tracking control deficiencies through evaluation and remediation?

7. Have all identified deficiencies been addressed properly?

Efficiency

1. Is the organization monitoring controls at a cost, effort or organizational level that is inconsistent with the
amount of risk the controls mitigate?

2. Is the organization monitoring internal controls in areas that have never had a control failure and have not been
known to cause errors in similar organizations? (Note: this may not be a reason to omit monitoring procedures, but
it may affect the desired type, timing and extent of monitoring, including at what organizational level monitoring
might be performed.)

3. Do risk areas exist within the organization that rarely experience meaningful change and which, given their
level of risk, might lend themselves to control monitoring that varies in scope over time (e.g., using indirect
information over longer periods of time between control baselines established using direct information)?

4. Does unwarranted duplication of effort occur where multiple people monitor the effectiveness of the same
controls and where, given the level of risk, redundancy is not necessary?

5. Does the organization conduct additional evaluation procedures implemented solely to meet regulatory or other
requirements? If so, are there elements of the organization's normal monitoring procedures that might provide the
necessary level of monitoring support?

Principles of Effective Internal Control Over Financial Reporting

COSO's 2006 publication, Internal Control over Financial Reporting — Guidance for Smaller Public Companies,
provides a set of 20 basic principles representing the fundamental concepts associated with, and drawn directly
from, the five components of the Framework. Although developed specifically for smaller companies to consider
in evaluating internal control over financial reporting, these principles can be useful to all organizations
regardless of size and for internal control objectives beyond those associated with financial reporting. These
principles are listed below, organized by COSO component.

Control Environment
1. Integrity and Ethical Values — Sound integrity and ethical values, particularly of top management, are developed and understood and set the standard of conduct for financial reporting.

2. Board of Directors — The board of directors understands and exercises oversight responsibility related to financial reporting and related internal control.

3. Management's Philosophy and Operating Style — Management's philosophy and operating style support achieving effective internal control over financial reporting.

4. Organizational Structure — The company's organizational structure supports effective internal control over financial reporting.

5. Financial Reporting Competencies — The company retains individuals competent in financial reporting and related oversight roles.

6. Authority and Responsibility — Management and employees are assigned appropriate levels of authority and responsibility to facilitate effective internal control over financial reporting.

7. Human Resources — Human resource policies and practices are designed and implemented to facilitate effective internal control over financial reporting.

Risk Assessment
8. Financial Reporting Objectives — Management specifies financial reporting objectives with sufficient clarity and criteria to enable the identification of risks to reliable financial reporting.

9. Financial Reporting Risks — The company identifies and analyzes risks to the achievement of financial reporting objectives as a basis for determining how the risks should be managed.

10. Fraud Risk — The potential for material misstatement due to fraud is explicitly considered in assessing risks to the achievement of financial reporting objectives.

Control Activities
11. Integration with Risk Assessment — Actions are taken to address risks to the achievement of financial reporting objectives.

12. Selection and Development of Control Activities — Control activities are selected and developed considering their cost and potential effectiveness in mitigating risks to the achievement of financial reporting objectives.

13. Policies and Procedures — Policies related to reliable financial reporting are established and communicated throughout the company, with corresponding procedures resulting in management directives being carried out.

14. Information Technology — Information technology controls, where applicable, are designed and implemented to support the achievement of financial reporting objectives.

Information and Communication


15. Financial Reporting Information — Pertinent information is identified, captured, used at all levels of the company, and distributed in a form and time frame that supports the achievement of financial reporting objectives.

16. Internal Control Information — Information needed to facilitate the functioning of other control components is identified, captured, used and distributed in a form and time frame that enables personnel to carry out their internal control responsibilities.

17. Internal Communication — Communications enable and support understanding and execution of internal control objectives, processes and individual responsibilities at all levels of the organization.

18. External Communication — Matters affecting the achievement of financial reporting objectives are communicated with outside parties.

Monitoring
19. Ongoing Monitoring and Separate Evaluations — Ongoing monitoring and/or separate evaluations enable management to determine whether the other components of internal control over financial reporting continue to function over time.

20. Reporting Deficiencies — Internal control deficiencies are identified and communicated in a timely manner to those parties responsible for taking corrective action, and to management and the board as appropriate.

Map Linking the Model for Monitoring to the 1992 COSO Framework

The table below demonstrates how the model for monitoring presented on page 7 links to, and is derived from,
the 1992 COSO Framework.

Columns: Model for Monitoring (2008 Guidance) / 1992 Pg. No. / 1992 COSO Framework Text

Establish a Foundation

Tone at the top
  p. 17: The control environment provides an atmosphere in which people conduct their activities and carry out their control responsibilities. It serves as the foundation for the other components. Within this environment, management assesses risks to the achievement of specified objectives. Control activities are implemented to help ensure that management directives to address the risks are carried out. Meanwhile, relevant information is captured and communicated throughout the organization. The entire process is monitored and modified as conditions warrant. [Emphasis added]

  p. 23: The control environment sets the tone of an organization, influencing the control consciousness of its people. It is the foundation for all other components of internal control, providing discipline and structure. Control environment factors include the integrity, ethical values and competence of the entity's people; management's philosophy and operating style; the way management assigns authority and responsibility and organizes and develops its people; and the attention and direction provided by the board of directors. [Emphasis added]

  p. 23: The control environment has a pervasive influence on the way business activities are structured, objectives established and risks assessed. It also influences control activities, information and communication systems, and monitoring activities. This is true not only of their design, but also the way they work day to day. The control environment is influenced by the entity's history and culture. It influences the control consciousness of its people. Effectively controlled entities strive to have competent people, instill an enterprise-wide attitude of integrity and control consciousness, and set a positive "tone at the top." They establish appropriate policies and procedures, often including a written code of conduct, which foster shared values and teamwork in pursuit of the entity's objectives. [Emphasis added]

  p. 23: The effectiveness of internal controls cannot rise above the integrity and ethical values of the people who create, administer and monitor them. Integrity and ethical values are essential elements of the control environment, affecting the design, administration and monitoring of other internal control components. [Emphasis added]

Organizational structure
  p. 27: An entity's organizational structure provides the framework within which its activities for achieving entity-wide objectives are planned, executed, controlled and monitored.

  pp. 26-27: The control environment and "tone at the top" are influenced significantly by the entity's board of directors and audit committee. Factors include the board or audit committee's independence from management, experience and stature of its members, extent of its involvement and scrutiny of activities, and the appropriateness of its actions. Another factor is the degree to which difficult questions are raised and pursued with management regarding plans or performance. Interaction of the board or audit committee with internal and external auditors is another factor affecting the control environment.

  Because of its importance, an active and involved board of directors, board of trustees or comparable body — possessing an appropriate degree of management, technical and other expertise coupled with the necessary stature and mind set so that it can adequately perform the necessary governance, guidance and oversight responsibilities — is critical to effective internal control. And, because a board must be prepared to question and scrutinize management's activities, present alternative views and have the courage to act in the face of obvious wrongdoing, it is necessary that the board contain outside directors. Certainly, officers and employees often are highly effective and important board members, bringing knowledge of the company to the table. But there must be a balance. Although small and even mid-size companies may find it difficult to attract or incur the cost of having a majority of outside directors — usually not the case with large organizations — it is important that the board contain at least a critical mass of outside directors. The number should suit the entity's circumstances, but more than one outside director normally would be needed for a board to have the requisite balance.

  p. 69: This process involves assessment by appropriate personnel of the design and operation of controls on a suitably timely basis, and the taking of necessary actions. [Emphasis added]

  pp. 86-87: The audit committee (or the board itself, where no audit committee exists) is in a unique position: It has the authority to question top management regarding how it is carrying out its financial reporting responsibilities, and it also has authority to ensure that corrective action is taken. The audit committee, in conjunction with or in addition to a strong internal audit function, is often in the best position within an entity to identify and act in instances where top management overrides internal controls or otherwise seeks to misrepresent reported financial results. Thus, there are instances where an audit committee, or board, must carry its oversight role to the point of directly addressing serious events or conditions.

Baseline understanding of internal control effectiveness
  p. 69: Internal control systems change over time. The way controls are applied may evolve. Once-effective procedures can become less effective or perhaps are no longer performed. This can be due to the arrival of new personnel, the varying effectiveness of training and supervision, time and resource constraints or additional pressures. Furthermore, circumstances for which the internal control system originally was designed also may change, causing it to be less able to warn of the risks brought by new conditions. Accordingly, management needs to determine whether the internal control system continues to be relevant and able to address new risks.

  p. 72: The evaluator must understand each of the entity activities and each of the components of the internal control system being addressed. It may be useful to focus first on how the system purportedly functions, sometimes referred to as the system design. This may involve discussions with entity personnel and review of existing documentation.

  The evaluator must determine how the system actually works. Procedures designed to operate in a particular way may over time be modified to operate differently. Or, they may no longer be performed. Sometimes new controls are established but are not known to persons who described the system and are not included in available documentation. A determination as to the actual functioning of the system can be accomplished by holding discussions with personnel who perform or are affected by controls, by examining records on performance of the controls or a combination of procedures.

  The evaluator must analyze the internal control system design and the results of tests performed. The analysis should be conducted against the backdrop of the established criteria, with the ultimate goal of determining whether the system provides reasonable assurance with respect to the stated objectives.

Design & Execute

Prioritize risks
  p. 71: Evaluations of internal control vary in scope and frequency, depending on the significance of risks being controlled and importance of the controls in reducing the risks. Controls addressing higher-priority risks and those most critical to reducing a given risk will tend to be evaluated more often. Evaluation of an entire internal control system — which will generally be needed less frequently than the assessment of specific controls — may be prompted by a number of reasons: major strategy or management change, major acquisitions or dispositions, or significant changes in operations or methods of processing financial information. When a decision is made to evaluate an entity's entire internal control system, attention should be directed to each of the internal control components with respect to all significant activities. The evaluation scope will also depend on which of the three objectives categories — operations, financial reporting and compliance — are to be addressed. [Emphasis added]

Identify controls
  p. 71: See the quote above

Identify persuasive information about controls
  pp. 70-71: Each of the examples of ongoing monitoring on pages 70-71 demonstrates how various forms of direct and indirect information can be evaluated through ongoing monitoring procedures.

  p. 71: While ongoing monitoring procedures usually provide important feedback on the effectiveness of other control components, it may be useful to take a fresh look from time to time, focusing directly on the system's effectiveness. This also provides an opportunity to consider the continued effectiveness of the ongoing monitoring procedures.

Implement monitoring procedures
  pp. 69-70: Monitoring can be done in two ways: through ongoing activities or separate evaluations. Internal control systems usually will be structured to monitor themselves on an ongoing basis to some degree. The greater the degree and effectiveness of ongoing monitoring, the less need for separate evaluations. The frequency of separate evaluations necessary for management to have reasonable assurance about the effectiveness of the internal control system is a matter of management's judgment. In making that determination, consideration should be given to the following: the nature and degree of changes occurring and their associated risks, the competence and experience of the people implementing the controls, as well as the results of the ongoing monitoring. Usually, some combination of ongoing monitoring and separate evaluations will ensure that the internal control system maintains its effectiveness over time.

  It should be recognized that ongoing monitoring procedures are built in to the normal, recurring operating activities of an entity. Because they are performed on a real-time basis, reacting dynamically to changing conditions, and are ingrained in the entity, they are more effective than procedures performed in connection with separate evaluations. Since separate evaluations take place after the fact, problems will often be identified more quickly by the ongoing monitoring routines. Some entities with sound ongoing monitoring activities will nonetheless conduct a separate evaluation of their internal control system, or portions thereof, every few years. An entity that perceives a need for frequent separate evaluations should focus on ways to enhance its ongoing monitoring activities and, thereby, to emphasize "building in" versus "adding on" controls.

Assess & Report

Prioritize findings
  p. 75: In considering what needs to be communicated, it is necessary to look at the implications of findings.

Report results to appropriate level
  p. 69: Internal control deficiencies should be reported upstream, with serious matters reported to top management and the board.

  p. 75: Certainly, all internal control deficiencies that can affect the entity's attaining its objectives should be reported to those who can take necessary action, as discussed in the next section. The nature of matters to be communicated will vary depending on individuals' authority to deal with circumstances that arise and the oversight activities of superiors.

  p. 75: It can be argued that no problem is so insignificant as to make investigation of its control implications unwarranted. An employee's taking of a few dollars from a petty cash fund for personal use, for example, would not be significant in terms of that particular event, and probably not in terms of the amount of the entire petty cash fund. Thus, investigating it might not be worthwhile. However, such apparent condoning of personal use of the entity's money might send an unintended message to employees.

  p. 75: Information generated by employees in conducting regular operating activities usually is reported through normal channels to their immediate superior. He or she may in turn communicate upstream or laterally in the organization so that the information ends up with people who can and should act on it. As discussed in Chapter 5, there should be alternative communications channels for reporting sensitive information such as illegal or improper acts.

  Findings of internal control deficiencies usually should be reported not only to the individual responsible for the function or activity involved, who is in the position to take corrective action, but also to at least one level of management above the directly responsible person. This process enables that individual to provide needed support or oversight for taking corrective action, and to communicate with others in the organization whose activities may be affected. Where findings cut across organizational boundaries, the reporting should cross over as well and be directed to a sufficiently high level to ensure appropriate action.

  p. 76: Providing needed information on internal control deficiencies to the right party is critical to the continued effectiveness of an internal control system. Protocols can be established to identify what information is needed at a particular level for decision-making.

  Such protocols are based on the general rule that a manager should receive control information needed to affect action or behavior of people under his or her responsibility, or to achieve the activity's objectives. A chief executive normally would want to be apprised, for example, of very serious infractions of policies and procedures. He or she would also want supporting information on the nature of matters that could have significant financial consequences or strategic implications, or that could affect the entity's reputation. Senior managers should be apprised of control deficiencies affecting their units. Examples include where assets with a specified monetary value are at risk, where the competence of personnel is lacking or where important financial reconciliations are not performed correctly. Managers should be informed of control deficiencies in their units in increasing levels of detail as one moves down the organizational structure.

  Protocols are established by supervisors, who define for subordinates what matters should be reported. The degree of specificity will vary, usually increasing at lower levels in the organization. While reporting protocols can inhibit effective reporting if too narrowly defined, they can enhance the reporting process if sufficient flexibility is provided.

  Parties to whom deficiencies are to be communicated sometimes provide specific directives regarding information to be reported. A board of directors or audit committee, for example, may ask management or internal or external auditors to communicate only those findings of deficiencies meeting a specified threshold of seriousness or importance. One such threshold used by the public accounting profession is "reportable conditions." They are defined as: ... significant deficiencies in the design or operation of the internal control structure, which could adversely affect the organization's ability to record, process, summarize and report financial data consistent with the assertions of management in the financial statements.

  This definition relates to financial reporting objectives, though the concept probably could be adapted to cover operations and compliance objectives as well. [Emphasis added]

Internal Use Only


Exported on 23/02/2022 10:29 pm © All rights are reserved. Page 830
Follow up on corrective action 75 Findings of internal control
deficiencies usually should be
reported not only to the individual
responsible for the function or
activity involved, who is in the
position to take corrective action, but
also to at least one level of
management above the directly
responsible person. This process
enables that individual to provide
needed support or oversight for
taking corrective action, and to
communicate with others in the
organization whose activities may be
affected. Where findings cut across
organizational boundaries, the
reporting should cross over as well
and be directed to a sufficiently high
level to ensure appropriate action.
[Emphasis added]

77 Personnel in a smaller entity usually have a clear understanding of the types of problems that need to be reported upstream. What may not always be apparent is who is responsible for determining the cause of a problem and taking corrective action. This is as important to a small or mid-size organization as it is for a large one. [Emphasis added]

Glossary

Accuracy or accurate
In monitoring, accuracy is the degree to which information can reasonably be expected to be free from error and/or to communicate results that reflect reality.

Change management
Relative to monitoring, change management is the act of verifying that (1) necessary changes in the design or operation of internal control are made, and (2) when changes are made, they are made correctly. The goal is to render the internal control system capable of providing reasonable assurance that organizational objectives will be achieved.

Compensating controls
Compensating controls serve to accomplish the objective of another control that did not function properly, thus helping to reduce risk to an acceptable level.

Competence or competent
Competence refers to the evaluator's knowledge of the controls and related processes, including how controls should operate and what constitutes a control deficiency.

Control activities
Control activities are the policies and procedures that help ensure that management directives are carried out and that necessary actions are taken to address risks to achieving objectives. Control activities occur throughout the organization, at all levels and in all functions. They include a range of activities as diverse as approvals, authorizations, verifications, reconciliations, reviews of operating performance, security of assets and segregation of duties.

Control baseline
A control baseline is a point in time at which an organization has persuasive information supporting a reasonable conclusion that controls across the entire organization or in a given area are designed and implemented to achieve the organization's internal control objectives. A control baseline serves as an appropriate starting point for effective control monitoring.

Control environment
The control environment sets the tone of an organization by influencing the control consciousness of its people. It is the foundation for all other components of internal control, providing discipline and structure. Control environment factors include:

• The integrity, ethical values and competence of the entity's people;
• Management's philosophy and operating style;
• The way in which management assigns authority and responsibility and in which it organizes and develops its people; and
• The attention and direction provided by the board of directors.

Control objectives
Relative to monitoring, control objectives provide specific targets against which to evaluate the effectiveness of internal control. Typically they are stated in terms that describe the nature of the risk they are designed to help manage or mitigate. For example, a control objective that all transactions should be properly authorized relates to the risk that improper, unauthorized transactions will occur.

Deficiency or internal control deficiency
A condition within an internal control system worthy of attention. A deficiency, therefore, may represent a perceived, potential or real shortcoming, or an opportunity to strengthen the internal control system to provide a greater likelihood that the entity's objectives will be achieved.

Direct information
Direct information is information that directly substantiates the operation of controls and is obtained by observing them in operation, reperforming them, or otherwise directly evaluating their operation. Direct information is generally highly persuasive because it provides an unobstructed view of control operation. It can be obtained from either ongoing or separate evaluations, but it must link directly to a judgment regarding the effective operation of controls.

Evaluator
Evaluators are individuals who are responsible for monitoring internal control at various levels throughout an organization. Effective internal control systems include evaluators who have appropriate capabilities, objectivity, authority and resources that enable them to (1) understand the risks that can materially affect the organization's objectives, (2) identify the controls that are critical to managing or mitigating those risks, and (3) conduct and/or oversee the monitoring of appropriately persuasive information about the effectiveness of the internal control system. Evaluators often include management and line personnel, as well as internal auditors. Board members also serve as evaluators when they monitor the activities and conduct of senior management. The two primary attributes of effective evaluators are competence and objectivity.

Indirect information
Indirect information is information (other than direct information) that is relevant to assessing whether an underlying risk is mitigated and controls are operating. Indirect information does not tell the evaluator explicitly that underlying controls are operating effectively, but it can identify anomalies that are indicative of a potential control failure.

When evaluators begin with a baseline understanding of internal control effectiveness, established through the use of persuasive direct information, the evaluation of indirect information can be a valuable monitoring tool that may:

• Signal that a change in the environment or control operation has occurred, or
• Supplement the support provided by direct information — sometimes for an extended time frame — regarding the evaluator's conclusions about control effectiveness.

As a result, monitoring using indirect information can influence the type, timing and extent of future monitoring procedures that use direct information.

Internal control
Internal control is a process effected by an entity's board of directors, management and other personnel, and it is designed to provide reasonable assurance that organizational objectives can be met.

Key controls
Key controls are those that, when evaluated, provide support for a reasonable conclusion about the entire internal control system's ability to achieve the underlying objectives. They may operate within any or all of COSO's five components.

Key controls often have one or both of the following characteristics:

• Their failure could materially affect the objectives for which the evaluator is responsible, but might not be detected in a timely manner by other controls, and/or
• Their operation might prevent other control failures or detect such failures before they have an opportunity to become material to the organization's objectives.

Key performance indicators
Key performance indicators are metrics that reflect critical success factors. They help organizations measure progress towards goals and objectives.

Key risk indicators
Key risk indicators are forward-looking metrics that seek to identify potential problems, thus enabling an organization to take timely action, if necessary.

Material or materially
Materiality is a fundamental concept that helps distinguish the important from the trivial in a specific discipline or application. It furnishes a threshold determination of criticality and, with respect to exercising judgment, permits a decision-maker to omit from consideration issues that do not matter (cf. Ernest L. Hicks, 1964, Journal of Accounting Research).

Meaningful risks
Meaningful risks are those that, in a given time frame, might reasonably have a consequential effect on an organizational objective.

Objective (adj.) or objectivity
Objectivity is a measure of the factors that might influence any person to report inaccurately or incompletely information necessary for evaluators to reach appropriate conclusions. It includes personal integrity, as well as factors that might motivate even a person with perceived high integrity to misrepresent facts, such as having a vested, personal interest in the outcome of the monitoring procedures.

Ongoing monitoring
Ongoing monitoring relates to activities that serve to monitor the effectiveness of internal control in the ordinary course of operations, including regular management and supervisory activities, comparisons, reconciliations, and other routine actions.

Persuasiveness of information or persuasive information
The persuasiveness of information refers to the degree to which the information provides support for conclusions. The level of persuasiveness is derived from its suitability (i.e., its relevance, reliability and timeliness) and its sufficiency.

Reasonable assurance
The definition of "reasonable assurance" varies depending on the context in which it is being used. In the Securities and Exchange Commission's "Guidance Regarding Management's Report on Internal Control Over Financial Reporting Under Section 13(a) or 15(d) of the Securities Exchange Act of 1934" (p. 3), reasonable assurance is defined as the "degree of assurance as would satisfy prudent officials in the conduct of their own affairs." The American Institute of Certified Public Accountants (AICPA) defines reasonable assurance for auditors as "a high, but not absolute, level of assurance." (See AICPA Statements on Auditing Standards (SAS) No. 1, Section AU 230, ¶10.) For purposes of this guidance, the reasonable assurance provided by an effective system of internal control is a level of assurance that is not absolute, but that does provide a person competent in matters related to internal control with a sound basis for concluding whether the organization's related objectives are likely to be met.

Relevant information
Relevant information tells the evaluator something meaningful about the operation of the underlying controls or control component. Information that directly confirms the operation of controls (see "Direct information") is most relevant. Information that relates indirectly to the operation of controls (see "Indirect information") can also be relevant, but is less relevant than direct information.

Reliable information
Reliable information is accurate (see "Accuracy"), verifiable (see "Verifiable") and from an objective source (see "Objective").

Risk assessment
Every entity faces and must assess a variety of risks from external and internal sources. A precondition for risk assessment is establishing objectives at appropriate levels in the organization. Risk assessment is the identification and analysis of risks relevant to realizing objectives, and it serves as a basis for determining how the risks should be managed. Because economic, industry, regulatory and operating conditions will continue to change, flexible mechanisms are needed to identify and address the special risks associated with change.

Self-assessment
Self-assessment occurs when persons responsible for a particular unit or function determine the effectiveness of controls for their activities. The term is often used to describe assessments made by the personnel who operate the control (i.e., self-review). It can also describe more-objective personnel who are not responsible for operating the control. In this guidance those "other, more objective personnel" would include persons performing peer or supervisory review.

Self-review
In this guidance the term "self-review" refers narrowly to the review of one's own work. It represents the least objective type of "self-assessment" described above.

Separate evaluations
Separate evaluations seek to draw inference about the consistent operation of controls by evaluating controls at a specific point or over a specific period of time. Separate evaluations can make use of all of the techniques used in ongoing monitoring, but they are employed less frequently and are often based on a sample of instances in which the controls operate.

Sufficient information
Information is sufficient when evaluators have gathered enough of it to form a reasonable conclusion. However, in order for information to be sufficient, it must first be suitable.

Suitable information
Suitable information is relevant (i.e., fit for its intended purpose), reliable (i.e., accurate, verifiable and from an objective source) and timely (i.e., produced and used in an appropriate time frame).

Timely information
Timely information is produced and used in a time frame that makes it possible to prevent or detect control deficiencies before they become material to an organization.

Verifiable or verifiability
Verifiable information is information that can be established, confirmed or substantiated as true or accurate.

• Identify information that will be persuasive in supporting conclusions about control effectiveness, and
• Evaluate that information through a mix of ongoing monitoring and separate evaluations.

3. Assessing and reporting results in order to:

• Prioritize findings,
• Provide support at the appropriate organization level for conclusions regarding the effectiveness of internal control, and
• Facilitate prompt corrective actions11 and follow-up where necessary.

21. As noted above, the intent of this model is not to dictate exact monitoring procedures, but to articulate the general flow of monitoring in a dynamic environment as envisioned in the 1992 COSO Framework. The table in Appendix B demonstrates how this model links to that Framework.

II. Establish a Foundation for Monitoring

22. The foundation for monitoring includes (1) a tone at the top about the importance of internal control (including monitoring), (2) an organizational structure that considers the roles of management and the board in regard to monitoring and the use of evaluators with appropriate capabilities, objectivity, authority and resources, and (3) a baseline understanding of internal control effectiveness.

Tone at the Top

23. As with every internal control component, the ways in which management and the board express their beliefs about the importance of monitoring have a direct impact on the effectiveness of internal control. Management's tone influences the way employees conduct and react to monitoring. Likewise, the board's tone influences the way management conducts and reacts to monitoring.

Applying the Concepts — Tone at the Top12

Expressing a positive tone at the top regarding internal control and the importance of monitoring involves
communicating expectations and taking action when necessary.

• Communicating expectations — Personnel responsible for key areas of operations, financial reporting or
compliance should understand that management expects them to (1) know the risks in their area of responsibility
that can materially impact organizational objectives, and (2) monitor controls designed to manage or mitigate
those risks. Expectations can be emphasized in periodic meetings or performance reviews, or may be written into
job descriptions. As organizations grow in size, these communications may need to be more formalized.

• Taking action — When control problems are identified, the action required of management and the board
depends on the circumstances. It could involve discussions with responsible parties, training, redesign of controls
or monitoring activities, or discipline. By taking appropriate action — especially when deficiencies or their
consequences are significant — management and the board send a strong message throughout the organization
about the role of monitoring and the importance of internal control.

Organizational Structure

24. Monitoring involves establishing appropriate roles and responsibilities of management and the board regarding monitoring and placing evaluators with proper characteristics in the right positions.

Role of Management and the Board

25. As noted earlier, management has the primary responsibility for the effectiveness of an organization's internal control system. Management establishes the system and implements monitoring to help ensure that it continues to operate effectively. The board's role is one of oversight. For publicly listed companies, the board's responsibilities may be mandated by law, listing-exchange requirements or charter. For privately held and not-for-profit organizations, the board's responsibilities typically are listed in the board's charter.


26. Relative to monitoring, the board exercises its oversight responsibility by understanding the risks to organizational objectives, the controls that management has put in place to mitigate those risks, and how management monitors to help ensure that the internal control system continues to operate effectively. For controls that members of senior management may not be able to monitor objectively — such as those that they perform directly or those that address the risk of senior-management override — the board may determine that someone else with an appropriate level of objectivity should perform monitoring procedures. Such monitoring is often accomplished through an internal audit function or through other objective senior-management personnel.

Applying the Concepts — Organizational Structure

In order to perform its oversight function the board need not understand all of the details of every monitoring
procedure. Sources of information that may persuade the board that management has implemented an effective
monitoring system include (1) inquiries and observation of management, (2) the internal audit function (if present),
(3) hired resources or specialists (when necessary), and (4) external auditors. The board might also consider the
information from ratings agencies and analysts. Finally, in some circumstances, boards might make inquiries of
non-management personnel, customers and/or vendors.

An effective internal audit function can be a valuable tool for the board in exercising its oversight role. In small
organizations, however, the board may not have access to an internal audit function and may need to increase its
oversight efforts, especially in areas lacking management objectivity. Board members may decide to increase their
interaction with non-management personnel or observe some controls in operation (notably, controls in areas of
higher risk). As organizations grow in size and complexity, they may need internal auditors or other experts to help
evaluate the effectiveness of the internal control system in certain areas.

COSO's 2006 Guidance, which focused on internal control over financial reporting, contains some useful attributes
of Principle 2 regarding the role of the board of directors. Principle 2 says, "The board of directors understands
and exercises oversight responsibility related to financial reporting and related internal

control." Three attributes of that principle relate to the board's oversight role regarding monitoring:

• Monitors Risk — The audit committee actively evaluates and monitors risks of management override of internal control and considers risks affecting the reliability of financial reporting.
• Oversees Quality and Reliability — The audit committee provides oversight to the effectiveness of internal control over financial reporting and financial statement preparation.
• Oversees Audit Activities — The audit committee oversees the work of both internal and external auditors and interacts with regulatory auditors if necessary. The audit committee has exclusive authority to engage, replace and determine the compensation of the external audit firm. The audit committee meets privately with internal and external audit to discuss relevant matters.13

If the external auditor's work or regulatory examinations identify errors or control deficiencies, the organization
should consider those results in the context of its own monitoring (i.e., identifying the root cause of the errors or
control deficiencies, prioritizing any control deficiencies based on severity, and reporting the results to people who
are in a position to take any necessary corrective action). However, management should not plan to reduce its
monitoring — and the board should not decrease its oversight efforts — in other areas simply because the
external auditor or regulator did not find errors or control deficiencies.

Characteristics of Evaluators

27. The monitoring process involves people who are responsible for determining what and how to monitor, assessing the monitoring information and reaching a conclusion regarding the effectiveness of internal control. This guidance refers to such people as "evaluators." Evaluators can be specially trained professionals separate from operations (e.g., internal auditors) or people within the organization who, as part of their routine job function, are responsible for overseeing processes or monitoring the operation of certain controls. Regardless, in order to design and implement monitoring procedures, evaluators require adequate skills, authority and resources, as well as an understanding of the risks that the controls are intended to manage.

28. The right side of the COSO Framework cube (see Figure 4) illustrates how internal control systems, including monitoring, might be viewed across an organization. It also demonstrates that individuals serving in different capacities within an organization may have some monitoring responsibility.

29. Some people who are not responsible for designing or executing monitoring procedures do produce information the evaluators use to reach their final conclusions. For example, a divisional controller may have certain monitoring procedures dictated from the home office or may provide information that is used by a regional manager to perform the monitoring function. These personnel are vital to the monitoring process because they often provide much of the information used by more-senior evaluators in reaching conclusions regarding the effective operation of controls.


30. Both evaluators and their information sources (i.e., the people responsible for providing information to evaluators) need to be appropriately competent and objective.


31. Competence refers to the evaluator's knowledge of the internal control system and related processes, including how controls should operate and what constitutes a control deficiency. Monitoring includes the identification of control deficiencies (if any) and an analysis of the root causes of control failures. Therefore, the evaluator must have knowledge of the underlying control and the risks that the control is designed to mitigate. Maintaining documentation as to how the internal control system operates can be useful in that regard.


32. As to the competence of information sources, people who provide monitoring information to evaluators should know how to compile complete and accurate information.

Figure 4: The COSO Internal Control Integrated Framework

33. Objectivity refers to the extent to which evaluators and information sources can be expected to perform an evaluation or provide information with no concern about possible personal consequences and no vested interest in manipulating the results for personal benefit or self-preservation. Personal integrity is a primary consideration in assessing objectivity, but other, more easily observed factors include compensation incentives, reporting responsibilities, personal relationships and the degree to which individuals might be otherwise affected by the results of monitoring.


34. The evaluator's objectivity can be viewed along a continuum from least to most objective (see Figure 5). Self-review14 (the evaluation of one's own work) is least objective and, thus, is limited in its ability to support conclusions about the effectiveness of internal controls. Self-review can, however, serve a valuable role in an internal control system since it naturally occurs close to the point of control execution and usually affords the first opportunity to identify control deficiencies before they can become material to the organization.

Figure 5: Objectivity in Assessment

35. Peer review, which is more objective than self-review, is the evaluation of a coworker's or peer's work. Supervisory review is the evaluation of a subordinate's work and is typically more objective than peer review. Both peer and supervisory review are valuable — especially when performing ongoing monitoring procedures — because the individuals involved are usually in close proximity to the control. As a result, they are in the best position to identify and correct control deficiencies promptly.

36. The most objective form of monitoring is performed by evaluators who are impartial with respect to the operation of the control. Such impartial monitoring often includes evaluations performed by an internal audit function, people from other departments or external parties.

37. On a relative basis, senior management in small organizations may be more directly involved in the operation of controls than it is in large organizations. This direct involvement can be advantageous in that it provides senior managers in small organizations with highly persuasive information to support their conclusions about the effectiveness of internal control. However, their direct involvement also diminishes their objectivity in monitoring, which — depending on the level of risk — may increase the importance or change the nature of the board's monitoring activities.

Applying the Concepts — Characteristics of Evaluators

Management might consider a two-step process to place people with the right capabilities, objectivity, authority
and resources into monitoring positions. The first step is to establish monitoring leadership at the executive level,
which, for illustrative purposes, might start with the:

• Chief financial officer (CFO) and controller responsible for monitoring internal control over financial reporting;
• Chief information officer responsible for monitoring controls over information systems; and
• Chief risk officer or chief legal officer responsible for monitoring controls over compliance with laws and regulations.

The people responsible for executive-level monitoring should have an understanding of the risks that affect the
achievement of the organization's objectives and possess the skills to manage those risks.

Monitoring leadership can then match the skills and objectivity needed by evaluators with the controls that require
monitoring. For example, complex areas may warrant monitoring by evaluators that have specialized skills or
training. Processes that directly impact people's compensation, or that might otherwise be subject to theft or fraud,
typically warrant evaluators that have a high degree of objectivity. Internal audit often can provide valuable insight in determining who should monitor controls over risks in a given area.

The board could consider this same two-step process in determining an appropriate approach to its monitoring
activities. The possible outcome of the process includes directing internal audit or others to perform monitoring
procedures in certain areas or directing independent board members with appropriate expertise to perform
monitoring.

Baseline Understanding of Internal Control Effectiveness

38. Internal control systems fail because:
• They are not designed and implemented properly at the outset;
• They are designed and implemented properly, but the environment in which they operate changes (such as through changes in risks, people, processes or technology) and the design of the internal control system does not change accordingly; and/or
• They are designed and implemented properly, but their operation changes in some way, rendering them ineffective in managing or mitigating applicable risks.

39. In all three circumstances, a baseline understanding of the internal control system's effectiveness in a given area can serve as a starting point for monitoring. Such a baseline allows organizations to design monitoring procedures (ongoing and separate evaluations) to address changes in "real time" by identifying those that (1) should be made in the operation of controls, or (2) have already occurred, enabling evaluators to confirm that they were managed properly. Accordingly, monitoring can be viewed at a high level as following this general sequence (illustrated in Figure 6):


• Control Baseline — Monitoring starts with a supported understanding of the internal control system's design and of whether controls have been implemented to accomplish the organization's internal control objectives. As management gains experience with monitoring, its baseline understanding will expand based on the results of monitoring. If an organization does not already have such a baseline understanding in an area with meaningful risks, it will need to perform an initial, and perhaps extensive, evaluation of the design of internal control and determine whether appropriate controls have been implemented. Figure 6 shows the control baseline as the starting point and a new control baseline established over time through monitoring.
• Change Identification — The risk assessment component15 of internal control identifies changes in processes or risks and verifies that the design of underlying controls remains effective. Monitoring, through the use of ongoing and separate evaluations,16 should consider the risk assessment component's ability to identify and address those changes. Monitoring also identifies indicators of change in the design or operation of controls and verifies that the controls continue to meet their objective of helping to manage or mitigate related risks.

Figure 6 demonstrates how ongoing monitoring and periodic separate evaluations can identify changes or,
when no changes are present, revalidate the conclusion that controls are effective (see Control
Revalidation/Update below).

• Change Management — When changes in the operation of controls have occurred, or when needed changes in control design are identified, monitoring verifies that the internal control system manages the changes and establishes a new control baseline for the modified controls.
• Control Revalidation/Update — When ongoing monitoring procedures use persuasive information,17 they can routinely revalidate the conclusion that controls are effective, thus maintaining a continuous control baseline. When ongoing monitoring uses less-persuasive information, or when the level of risk warrants, monitoring periodically revalidates control operation through separate evaluations using appropriately persuasive information.

40. This broad depiction of monitoring is intended to demonstrate how monitoring of a known effective internal control system is a process that looks for and evaluates changes that may have a bearing on its effectiveness. It is not intended to dictate monitoring procedures or a documentation format.

Figure 6: Monitoring for Change Continuum

41. Note that the four elements described in paragraph 39 do not reside solely within the monitoring component. For example, the risk assessment component might be considered chiefly responsible for identifying changes in the operating environment. Likewise, evaluating the design and implementation of changes in internal control might be considered a control activity. The monitoring component operates to help ensure that the other components are identifying and managing changes that may affect internal control. The next chapter demonstrates how monitoring can be designed and executed to achieve these broad goals of identifying changes from the baseline and verifying that the changes were managed properly.

Applying the Concepts — Baseline Understanding of IC[18] Effectiveness

The following example demonstrates how ordinary supervisory activities can be part of monitoring.

Assume that a supervisor is responsible for multiple order-entry personnel and is concerned about the
completeness, accuracy and timeliness of orders entered into the sales system. He or she begins the monitoring
process with (1) an understanding of how the internal control system manages or mitigates the risks that might
lead to incomplete, inaccurate or untimely order entry, and (2) a basis for believing that those controls are effective
(i.e., a control baseline).

From that baseline, the supervisor could then develop ongoing monitoring procedures that identify changes in the
environment or control operation. Monitoring for changes in the environment might include the routine business
practice of considering the implications of new sales channels or of changes in the order-entry system
programming.

Monitoring for changes in control operation might include routine reviews of order-entry statistics (e.g., orders entered per person or system edit reports showing keying-error statistics). It might also include periodic observation of orders being entered or re-verification of selected orders within the order-entry team.

This combination of monitoring procedures can operate as a routine part of business operations. If the supervisor
identifies a change, he or she can verify that the change was handled appropriately and possibly, for a time,
increase the scope of monitoring of controls affected by the change. For example, if the organization added a new
sales channel with different order-entry procedures, the supervisor might verify that the new procedures are
designed and implemented properly (i.e., change management). He or she might then decide to perform, for some
period of time, more-robust observation of the new orders being entered and/or select more orders for re-
verification than would be selected of the older, routine orders.

Thus, the effective change-identification and change-management procedures can draw attention to areas of
heightened risk due to change, allowing the supervisor to vary the type, timing and extent of monitoring
procedures — thereby improving their overall efficiency.

Absent any changes, and assuming the ongoing monitoring procedures do not already provide the level of support
needed over a long period of time, the supervisor would, at some point, revalidate that order-entry controls are
operating correctly. Such revalidation would occur periodically, commensurate with the level of risk.

III. Design and Execute Monitoring Procedures

42. Monitoring should enable evaluators to assess persuasive information about the operation of one or more controls that address meaningful risks to the organization's objectives for which they are responsible. It is risk-based, enabling evaluators to focus their monitoring efforts on that which will provide adequate support for their conclusions about the internal control system's effectiveness.

43. Evaluators might consider designing monitoring by following the logical progression demonstrated in Figure 7. Note, however, that this progression is not meant to imply a rigid, compartmentalized monitoring process where each step starts and stops before the next. Monitoring is a dynamic process and each of these "steps" operates, to some extent, at all times. This graphic and the discussion that follows are intended to portray the general flow of monitoring in practice.

Figure 7: Monitoring Design and Implementation Progression

44. The components in this illustration are discussed in detail in later sections, but the following summary may be helpful.

45. Monitoring is risk-based when it focuses on the evaluation of controls that address meaningful risks to an organization's objectives. Meaningful risks are those that, in a given time frame, might reasonably have a consequential effect on organizational objectives.

Exported on 23/02/2022 10:29 pm © All rights are reserved. Page 852
46. Meaningful risks may vary between similar organizations and between different levels within the same organization. For example, controls that mitigate the risk of supplies theft may fall within the monitoring responsibilities of a retail chain store manager, but may not warrant the frequent attention of the chief executive officer in the context of his or her organization-wide responsibilities.

47. Risk prioritization is a natural part of the risk assessment component of internal control. Its inclusion here is not meant to imply the need for a separate risk assessment function dedicated solely to supporting monitoring. In a properly operating internal control system, the risk assessment component will routinely identify and prioritize risks to the organization's objectives. The results of that process will then influence decisions regarding the type, timing and extent of monitoring.
48. Controls that address meaningful risks are then selected for evaluation based on their ability to provide support for a reasonable conclusion about the internal control system's effectiveness. Such controls, referred to as key controls in this guidance, may operate within any or all of COSO's five components.

49. Selecting key controls that address meaningful risks enhances the effectiveness and efficiency of monitoring by focusing on that which provides an adequate but not excessive level of support for a conclusion about the internal control system's effectiveness.

50. Organizations can identify key controls[19] by (1) understanding how the internal control system is designed to manage or mitigate meaningful risks, and (2) determining which controls will contribute most to the monitoring conclusion. Key controls often have one or both of the following characteristics:
- Their failure could materially affect the objectives for which the evaluator is responsible, but might not be detected in a timely manner by other controls, and/or
- Their operation might prevent other control failures or detect such failures before they have an opportunity to become material to the organization's objectives.

51. Identifying key controls is not meant to suggest that they are necessarily more important to the internal control system than other controls. It is merely intended to help organizations devote monitoring resources where they can provide the most value.

52. Once key controls are selected, evaluators identify the information that will support a conclusion about whether those controls have been implemented and are operating as designed. Identifying this information entails knowing how control failure might occur and what information will be persuasive in determining whether the control system is or is not operating effectively.

53. The identification of persuasive information allows the organization to determine which monitoring procedures to employ (i.e., ongoing monitoring, separate evaluations, or a combination of both), as well as the frequency with which the monitoring procedures should take place.

Prioritize Risks

54. As part of the risk assessment component of internal control,[20] management identifies and evaluates risks to achieving the organization's objectives. This process enables the organization to design an effective internal control system, which includes all five components of internal control.

55. Initially, risk assessment might involve a comprehensive analysis of objectives and the risks that could have a meaningful effect on the achievement of those objectives. This process includes considering risks that may manifest at the entity level or at the activity level.[21]

56. The formality and frequency of risk assessment can vary greatly among organizations. A large, complex organization might perform annual or more-frequent assessments using complex risk-scoring mechanisms. Conversely, a small, non-complex organization might update its risk assessment through discussions among knowledgeable people, performing its updates less frequently unless changes in the environment dictate otherwise. Regardless, the assessment considers the importance of the risk without considering the expected effectiveness of internal control. For example, in prioritizing risks related to revenue recognition, an organization's initial assessment of the channel-stuffing[22] risk as "low" — based on the expectation that the internal control system will prevent or detect such activity — could lead to the inappropriate exclusion of important controls from monitoring. Considering risk importance apart from expected control effectiveness helps ensure that the organization monitors controls it relies on most to address meaningful risks.

57. For each objective and risk, the organization might identify locations, operations or processes where manifestation of the risk could be material.


58. Risk factors to consider at this stage include:
- Nature of operations — The way an organization is structured and the characteristics of its operations can influence the need for and conduct of monitoring. Such characteristics might include, but are not limited to, transaction volumes, operational complexity, dollar amounts involved, geography, degree of centralization, information system complexity and existence of foreign operations.
- Changes in operations — Mergers, joint ventures, acquisitions, system changes, personnel and other changes are indicators of increased risk.
- Environmental factors — The external environment can affect an organization's viability and increase the need to monitor certain internal controls. External risk examples include competition, changes in the market (e.g., technology, supply chain, customer base or economy), regulation, and areas with a heightened risk of litigation or loss.
- Susceptibility to theft or fraud — Some factors can increase the potential for theft or fraud. Examples include: the presence of valuable assets (e.g., cash, trade secrets, fungible goods); employee performance metrics that may provide an incentive to commit fraudulent acts; and process or system designs that make theft or fraud possible through access to systems, execution of unauthorized transactions and/or override of controls. The presence of such risk factors increases the need for strong internal controls and related monitoring.

Applying the Concepts — Prioritize Risks

Assume that management of a manufacturing organization wants to be confident that internal control over
financial reporting is effective. Management can begin the analysis by reviewing its financial statements and
asking what can go wrong or what might reasonably prevent the organization from achieving its financial reporting
objectives in a given area. The following revenue recognition example may clarify the thought process.

Note: This example is not designed to show all revenue recognition risks, nor is it intended to establish a standard risk-importance grade. Reasonable people, given the same set of facts, might reach different conclusions regarding risk prioritization and, later, regarding key control selection and other monitoring decisions.

1. Prioritize Risk

Area: Revenue
Objective: 1. Recognize in the proper period
Risk: Overstatement - recording revenue before delivery or title transfer
Priority: Moderate

Rationale:

Factors increasing risk:

- This organization's quarter-end sales and shipping activity is typically high, increasing cutoff risk

- Dollar amounts involved at or near quarter-end for this organization are normally material to the financial
statements

- The compensation plan is structured such that it could influence sales personnel to push for premature
recognition

Factor decreasing risk:

- The organization's standard business practice requires FOB-shipping-point terms, thus reducing cutoff risk
related to the issue of title transfer

This same organization might rate a different revenue-related risk as having a higher priority, as the following channel-stuffing example demonstrates. (Note: This channel-stuffing example will be expanded further throughout the remainder of the guidance.)

Area: Revenue
Objective: 2. Recognize revenue in proper amounts
Risk: Overstatement - sales agents grant future credits for unsold goods (i.e., "channel stuffing")
Priority: High

Rationale:

In this example, the monetary amounts involved are material, and this risk is prevalent in the industry. In addition,
the company's compensation plan, which is standard in the industry, could encourage channel stuffing because it
rewards sales personnel for sales recorded in a given period. Management also notes that channel stuffing can be
very hard to detect in a timely manner, particularly if the sales personnel enter into side agreements with their
customers.

Note that the personnel responsible for this risk assessment process first identified the objectives and the risks to
achieving those objectives. Then they thought rationally about the risk, considering factors that might increase or
decrease the likelihood and/or significance of the risk.

Identify Key Controls

59. In order to identify key controls to monitor, the people designing monitoring procedures must first understand (1) how the internal control system is designed to manage or mitigate the identified meaningful risks, and (2) how that control system could fail, with the failure not being detected in a timely manner.

60. Key controls might include those that represent the most likely point of failure regarding meaningful risks. Other controls may be identified as key because their operation can prevent other control failures, or can detect and correct other control failures before they can become material to the organization. An example might include a three-way match between purchase order, receiving document and invoice, which can detect certain control failures that occur earlier in the processes associated with purchasing, receiving and accounts payable.


61. Key-controls determination can occur at various levels within an organization. For example, controls that are key in addressing a risk that is meaningful to a plant manager may not be key to senior management in addressing risk at the overall organization level. As evaluators, the plant manager's and senior management's roles and purposes for monitoring differ, as do the controls each identifies as key. Accordingly, they will select controls to monitor that will provide them with the necessary level of support commensurate with their roles and responsibilities.

62. This key-control analysis can be facilitated by considering factors that increase the risk that the internal control system will fail to properly manage or mitigate a given risk. These control risk factors might include the following:


- Complexity — Controls that require specialized skill or training typically are more susceptible to failure than simple controls.
- Judgment — Controls that require a high degree of judgment, such as controls over the determination of valuation allowances, are highly dependent on the experience and training of those responsible for the judgments and are often associated with meaningful risks.
- Manual vs. automated — Manual controls are more susceptible to human error than automated controls and, as a result, are often subjected to different levels of monitoring than automated controls (e.g., they may be evaluated more frequently or employ larger sample sizes when sampling is performed). However, when automated controls fail, they tend to fail repeatedly in the same circumstances and, therefore, need to be subjected to an appropriate level of monitoring when they address meaningful risks. The table on page 35 contains some additional guidance about monitoring manual and automated controls.
- Known control failures — Previous control failures are a clear indicator of the need to increase monitoring activities until corrective actions have effectively addressed the cause of the control failure.
- Competence/experience of personnel — Lack of qualifications or experience in performing a given control increases the likelihood of control failure.
- Risk of management override — Controls that might be overridden by management for purposes that are contrary to organizational objectives may warrant specific monitoring attention.
- Likelihood of control failure detection — Other controls within the internal control system may reasonably be expected to detect a given control's failure before it becomes material, decreasing the need to identify the given control as key. Conversely, a reasonable belief that a control's failure may be material, and not detected and corrected on a timely basis, increases the need to identify the control as key.

Applying the Concepts —Identify Key Controls

Continuing the revenue recognition example from page 23, the organization might identify key controls addressing
the risk of channel stuffing through a process similar to the one outlined below.

This control-identification process might vary from organization to organization; however, in every organization, it
is essential that the personnel responsible for designing monitoring first understand how the internal control
system addresses the risk at relevant locations or levels within the organization. They can then identify the
controls that will provide the necessary support to conclude that the internal control system is working.

In the channel-stuffing example, the organization identified 11 controls relevant to mitigating the risk of channel
stuffing, with four of them selected as "key" controls (see the following table). The rationale for selecting each key
control is presented below the control, as is the rationale for not designating some of the other controls as key.
From the perspective of the total internal control system, the evaluator might reasonably conclude that monitoring
these four controls will provide adequate support for conclusions about the whole system's effectiveness in
addressing this risk.

First, some caveats regarding this example:

1. To save space, this table does not include the rationale regarding all "non-key" controls and why they
were not selected as key.
2. Reasonable people might reach different conclusions regarding which of the controls below are key and
which are not. The varying nature of risk and control can lead two organizations to implement controls and
monitoring procedures differently. Therefore, the example is not intended to represent a "best practice" for
monitoring internal control over the channel-stuffing risk.
3. This example is not meant to imply that the non-key controls will never be monitored. They may be
monitored in relation to other risks, or the organization may decide to evaluate them less frequently. For
example, it could decide to evaluate policy training every three to five years. Regardless, the people
responsible for monitoring controls in this risk area should be aware of how the internal control system
addresses the risk and what controls provide the most support for their conclusions that the system is
working.
4. The following table is not meant to imply a level of documentation or a format that is necessary to
support the identification of key controls.

2. Identify Key Controls

Control 1 (key): Management philosophy and communication against channel stuffing
Component: Control Environment

Rationale:

This tone-from-the-top control was selected as key because the risk is primarily one of integrity. If sales personnel sense that channel stuffing is accepted they are more likely to engage in the practice. Conversely, if they know that it is not only against policy, but against management's expressed desires, then the risk of channel stuffing will be reduced.

Control 2: Training on policies
Component: Control Environment and Information & Communication

Control 3: Code of conduct signed by all sales personnel
Component: Control Environment and Information & Communication

Control 4: Policies specifically against channel stuffing
Component: Control Activity

Control 5: Standardized contracts
Component: Control Activity

Rationale:

This control might be considered "key," but the effective operation of control #6 would catch its failure on a timely basis. Therefore, this control is not selected as a key control. Selecting it would have produced two overlapping monitoring procedures, one for the standardized contract control and another for the standardized contract modification approval control, so leaving it out avoids unnecessary monitoring.

Control 6 (key): Sales manager and legal approval required for all modifications of standard sales contracts
Component: Control Activity

Rationale:

In this example, the standard contract would have to be modified in order to accommodate channel stuffing. Thus, this approval control would have to fail or be circumvented in order for channel stuffing to occur. As a result, it is selected as a key control.

The risk still exists, however, that sales personnel could bypass the standard contract altogether through side agreements with customers. That remaining risk will be addressed by the other selected key controls - in this case, primarily by controls #1, #10 and #11.

Control 7: Approval of sales above a certain limit
Component: Control Activity

Rationale:

Some controls, such as this sales limit approval control, may address more than one risk and at different levels. For example, this approval control might be a key control related to credit default risks. It also helps address the channel-stuffing risk by limiting a salesperson's ability to sell excessively large quantities to a given customer. However, it is not selected here as a key control related to channel-stuffing risk because (1) an excessively large shipment to a customer would still require modification of credit terms in order to result in channel stuffing (addressed by control #6), and (2) unusually large sales and related returns would likely be identified by key controls #10 and #11.

Control 8: Exception reports generated and reviewed for any transactions exceeding authorized limits
Component: Control Activity, Information & Communication, and Monitoring

Control 9: System controls that prevent billing (and, thus, revenue recognition) unless goods are shipped
Component: Control Activity

Control 10 (key): Salesperson compensation is reviewed quarterly by sales manager and adjusted if returns exceed a threshold percentage of their sales. Anomalies are investigated and results are documented.
Component: Control Activity & Monitoring

Rationale:

This control serves as both an effective deterrent and a detective control related to channel-stuffing risk. If it operates effectively, the chance of material channel stuffing is significantly reduced. Therefore, it is identified as a key control.

Control 11 (key): Periodic review by the sales manager (weekly) and CFO (monthly) of sales trends and sales return trends by salesperson, by customer
Component: Control Activity & Monitoring

Rationale:

This is a dual-purpose control (i.e., a control activity identifying possible revenue recognition errors and a monitoring activity using indirect information) that might identify a control breakdown in a timely manner. Since any significant channel stuffing by a salesperson would stand out in this trend analysis, it is selected as a key control.
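As an added illustration (not part of the COSO guidance), the following Python screens sales and return records the way key controls #10 and #11 describe: it computes each salesperson's returns as a fraction of sales for a period and compares it with a threshold, and it flags salesperson/customer pairs whose sales grew sharply from one period to the next, reporting the returns that followed. The transaction records are constructed, and the 10% return threshold and the 2x growth factor are assumptions chosen for the example; an organization would set its own values and investigate each flagged item rather than treat it as a conclusion.

```python
"""Added illustration, not part of the COSO guidance: screening sales and
return records the way key controls #10 and #11 describe. All records,
the 10% return threshold and the 2x growth factor are constructed
assumptions for this example."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Txn:
    period: str        # reporting period, e.g. "2023Q4"
    salesperson: str
    customer: str
    kind: str          # "sale" or "return"
    amount: float


# Constructed sample: "bob" books an unusually large Q4 sale to "acme"
# that largely comes back as returns, the pattern channel stuffing leaves.
TXNS = [
    Txn("2023Q3", "alice", "acme", "sale", 100.0),
    Txn("2023Q3", "alice", "globex", "sale", 120.0),
    Txn("2023Q3", "alice", "acme", "return", 5.0),
    Txn("2023Q3", "bob", "initech", "sale", 90.0),
    Txn("2023Q3", "bob", "acme", "sale", 80.0),
    Txn("2023Q3", "bob", "acme", "return", 4.0),
    Txn("2023Q4", "alice", "acme", "sale", 110.0),
    Txn("2023Q4", "alice", "globex", "sale", 115.0),
    Txn("2023Q4", "alice", "globex", "return", 6.0),
    Txn("2023Q4", "bob", "initech", "sale", 95.0),
    Txn("2023Q4", "bob", "acme", "sale", 400.0),
    Txn("2023Q4", "bob", "acme", "return", 180.0),
]


def totals(txns, key):
    """Sum sales and returns grouped by key(txn) -> {group: (sales, returns)}."""
    acc = defaultdict(lambda: [0.0, 0.0])
    for t in txns:
        acc[key(t)][0 if t.kind == "sale" else 1] += t.amount
    return {k: (v[0], v[1]) for k, v in acc.items()}


def return_ratio_exceptions(txns, period, threshold=0.10):
    """Control #10: salespeople whose returns/sales in `period` exceed the threshold."""
    by_sp = totals((t for t in txns if t.period == period), lambda t: t.salesperson)
    return {sp: round(r / s, 3)
            for sp, (s, r) in by_sp.items() if s > 0 and r / s > threshold}


def trend_exceptions(txns, prev, cur, growth=2.0):
    """Control #11: (salesperson, customer) pairs whose sales grew more than
    `growth` times from `prev` to `cur`, with the current-period return ratio."""
    def pair(t):
        return (t.salesperson, t.customer)

    before = totals((t for t in txns if t.period == prev), pair)
    after = totals((t for t in txns if t.period == cur), pair)
    flagged = {}
    for p, (s_cur, r_cur) in after.items():
        s_prev = before.get(p, (0.0, 0.0))[0]
        if s_prev > 0 and s_cur / s_prev > growth:
            flagged[p] = {"growth": round(s_cur / s_prev, 2),
                          "return_ratio": round(r_cur / s_cur, 3)}
    return flagged


if __name__ == "__main__":
    # Each flagged item is an anomaly to investigate and document, not a finding.
    print("return-ratio exceptions Q4:", return_ratio_exceptions(TXNS, "2023Q4"))
    print("trend exceptions Q3->Q4:", trend_exceptions(TXNS, "2023Q3", "2023Q4"))
```

Both checks use indirect information in the sense of paragraphs 71 and 72: a clean result does not prove the contract-modification and compensation controls operated, it only shows that no anomaly large enough to cross the thresholds has surfaced yet, which is why the guidance pairs such reviews with a baseline of direct information.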

Identify Persuasive Information
63. Persuasive information is capable of providing adequate support for a conclusion regarding the effectiveness of internal control. Persuasive information is both suitable and sufficient in the circumstances and gives the evaluator reasonable, but not necessarily absolute, support for a conclusion regarding the continued effectiveness of the internal control system in a given risk area. An appropriate cost-benefit analysis — one that weighs the effort to gather the information against the ability of the information to persuade the evaluator that the controls continue to operate effectively — is an important part of effective, sustainable monitoring. This analysis is normally qualitative in nature, but may contain quantitative measurements as well. Regardless of the method, those responsible for monitoring must exercise judgment in determining the information necessary to have reasonable, but not necessarily absolute, support for a conclusion regarding the continued effectiveness of the internal control system in a given area.

64. Suitable information is a broad concept that implies that information is useful within the context for which it is intended. In order to be suitable, information must be relevant, reliable and timely. Sufficiency is a measure of the quantity of information (i.e., whether the evaluator has enough suitable information).
Suitable Information
65. Figure 8 demonstrates how the three elements of suitability operate together. In the center of the diagram, where the information is relevant, reliable and timely, the evaluator can turn his or her attention to whether sufficient information is available to form a reasonable conclusion.

66. Information that does not adequately demonstrate all three elements may be suitable to a degree, but alone it cannot support reasonable conclusions regarding continued control effectiveness. For example, information may be relevant and reliable, yet not timely enough to support a conclusion regarding control effectiveness for the period of time under consideration. Alternatively, information may be both relevant and timely, but generated from a less-than-reliable source. Finally, information may be both timely and reliable, but not adequately relevant to a conclusion about the effectiveness of the related controls. In such circumstances, and as illustrated in Figure 8, additional information is needed to achieve the required degree of suitability.

67. Determining the suitability of information being used to evaluate a particular control is a matter of judgment that depends on the level of risk and the internal control system's susceptibility to failure (discussed earlier).

68. Relevance of information — Information is relevant when it tells the evaluator something meaningful about the operation of the underlying controls. For example, reviewing résumé and training records can tell an evaluator something about whether an accountant has the background to handle certain areas of complex accounting — the information contained in résumé and training records is relevant to the controls regarding the financial competence of personnel. When evaluators obtain relevant information about the effectiveness of controls, they identify characteristics or attributes indicative of the internal control system's proper performance or failure. They can then test[23] for the presence or absence of these conditions using persuasive direct and indirect information.

Figure 8 (Venn diagram of suitable information): three overlapping circles labelled Relevant, Reliable and Timely. Information in the centre is relevant, reliable and timely. Information that is only relevant and reliable needs timely information; information that is only relevant and timely needs reliable information; information that is only reliable and timely needs relevant information.

69. Information that directly confirms the operation of controls is more relevant than information that

requires a greater degree of inference to conclude whether the controls are effective. Using the above

example to illustrate this concept, firsthand knowledge that an accountant accurately analyzes complex

accounting and makes informed choices (direct information) is more relevant than information obtained

by reviewing r?m?and training records (indirect information requiring the evaluator to infer that the

background and training will lead to more informed analysis and better decisions).
70. Direct information substantiates the operation of controls. It is obtained by observing controls in

operation,24 reperforming them, or otherwise evaluating their operation directly, and can be useful in

both ongoing monitoring and separate evaluations. Generally, direct information is highly relevant

because it provides an unobstructed view of control operation.


71. Indirect information is all other information that may indicate a change or failure in the operation of

controls. It either relates to or is produced by the process in which the controls reside. Indirect

information can include, but is not limited to, (1) operating statistics, (2) key risk indicators, (3) key

performance indicators, and (4) comparative industry metrics.


72. Monitoring using indirect information identifies anomalies that may signal a control change or failure and subjects them to investigation. Indirect information does not, however, provide an unobstructed view of control operation, thus it is less able than direct information to identify control deficiencies. Existing control deficiencies may not yet have resulted in errors significant enough to be identified as an anomaly, or the indirect information may have lost its ability over time to identify anomalies. Indirect information is thus limited as to the level of support (i.e., persuasiveness) it can provide on its own, especially over a long period of time.

73. When evaluators begin with a baseline understanding of internal control effectiveness, established through the use of persuasive direct information, the evaluation of indirect information can be a valuable monitoring tool that may:

• Signal that a change in the environment or control operation has occurred, or
• Supplement the support provided by direct information — sometimes for an extended time frame — regarding the evaluator's conclusions about control effectiveness.

74. As a result, monitoring using indirect information can influence the type, timing and extent of future monitoring procedures that use direct information.

75. Assume, for example, that a supervisor must determine whether controls over billing continue to operate effectively. Through a routine review of credit memos, the supervisor finds that no credit memos related to billing errors have been issued for a lengthy period (indirect information). By itself, a review of credit memos that is free of anomalies does not reveal whether controls over billing continue to operate effectively — the controls may be ineffective, but related problems may not have led (at least, not yet) to the issuance of credit memos. However, in the presence of an effective monitoring structure (including a baseline of direct-information support regarding the effectiveness of billing controls and procedures to identify and manage changes in the billing area), the review of credit memo activity may allow the supervisor to conclude that the risk of control failure in the billing area is reduced to an acceptable level, at least for some period of time. This conclusion might then influence the type, timing and extent of other monitoring procedures over controls in the billing area.

76. The following table highlights some factors that may influence an organization's decisions regarding the amount of direct and/or indirect information to use in monitoring. Note that these factors, among others, may also influence judgments regarding the sufficiency of information (i.e., how much information the evaluator needs regardless of its type). See the table following paragraph 82 on page 33 for other factors that may influence judgments regarding sufficiency.

Factor to Consider / Possible Impact on the Use of Direct vs. Indirect Information

Factor: Potential impact of a control's failure
Possible impact: As the potential impact of a control failure increases, the need to monitor using direct information increases.

Factor: Controls that operate in areas with a high degree of change in people, processes or technology versus controls operating in stable areas
Possible impact: Indirect information is typically less able than direct information to identify possible control failures in areas that are subject to a high degree of change. As a result, controls in those areas warrant monitoring using more-direct information. Conversely, controls that operate in stable environments may be better able to employ indirect information in monitoring.

Factor: Recent experience with control performance
Possible impact: Known failures of the internal control system's proper management or mitigation of given risks may warrant an increase in evaluation of direct information.

Factor: The length of time since the operation of the underlying controls was last validated through persuasive direct information
Possible impact: Over time, indirect information loses its ability to highlight indicators of control failure. Small errors resulting from failed controls, undetected by indirect information, can compound and become material. They also may gradually influence the indirect information, making the underlying control problem harder to detect. Thus, monitoring using indirect information should be reconfirmed periodically through monitoring of direct information.

Factor: The relative persuasiveness of the indirect information
Possible impact: The relevance, reliability, timeliness and sufficiency of indirect information have a direct bearing on its contribution to monitoring. In the earlier channel-stuffing example, the review of sales trends and return trends by salesperson, by customer is more likely to identify a control failure than will a review of sales trends solely at the consolidated company level.

Factor: The adequacy of the follow-up process
Possible impact: The skills and experience of people responsible for investigating anomalies, and the diligence with which they conduct their follow-up procedures, affect the ability of indirect information to identify a control failure.

Factor: Potential effect on the conduct of external audits, regulatory examinations or other external-party evaluations
Possible impact: External parties, such as auditors or regulators, may be required to conduct independent evaluations of an organization's internal control system. Management's use of direct information in monitoring may facilitate such evaluations by reducing the amount of direct information gathered separately by the external parties.

77. Reliability of information — Evaluators need a reasonable basis for concluding that the information they are using is reliable. Reliable information is accurate, verifiable and comes from an objective source. Having accurate information is prerequisite to reaching correct conclusions. Verifiable information enables evaluators to know whether the information can be trusted.


78. Although accuracy and verifiability are commonly understood, objectivity of information sources warrants further discussion.


79. The "Characteristics of Evaluators" section discussed the objectivity of evaluators and their sources of information. The objectivity of the information source is the degree to which that source can be expected to provide unbiased information for evaluation. The more objective the information source, the more likely the information will be reliable. For example, notifying information sources in advance that certain instances of a control will be monitored, or directing them to provide supporting documentation in such a manner and time frame that they have an opportunity to review and correct that documentation before it is examined, reduces the information's objectivity and, therefore, its reliability.

The evaluator considers two primary factors in deciding whether to obtain detailed direct information: 1) what is the risk that the control objective will not be met? and 2) how persuasive is the obtainable indirect information? The higher the risk of failure and the lower the persuasiveness of the indirect information, the more important it becomes to obtain direct information.

80. Timeliness of information — To be suitable, information must be produced and used in a time frame that makes it possible to prevent control deficiencies or detect and correct them before they become material to the organization. The "Ongoing Monitoring and Separate Evaluations" section discusses the time frame in which information is used (i.e., the timing of ongoing monitoring and separate evaluations).
81. To be suitable, the information must also relate to the period under consideration. As information ages, it loses its ability to tell the evaluator whether the related controls are operating properly. Likewise, information produced after a control operates may not help support earlier point-in-time conclusions (if such conclusions are necessary). For example, evaluating the operation of a monthly control in March does not tell the evaluator whether that same control was operating the previous December.
Sufficient Information

82. Evaluators must gather sufficient suitable information to support a reasonable conclusion about control effectiveness. Sufficiency can refer to how many occurrences of a given control are evaluated (e.g., selecting 30 occurrences from a population of 1,000). Sufficiency can also refer to qualitative assessments of adequacy, particularly when monitoring controls that do not lend themselves to sampling. Examples include infrequently operating control activities or controls within other components, such as the control environment, risk assessment, and information and communication. Regardless, the evaluator must exercise judgment in determining whether he or she is evaluating enough information.

Some factors to consider include the following (note that several of these factors are also among those listed in paragraph 76 on page 31 regarding the use of direct and indirect information):

Factor to Consider / Possible Impact on the Amount of Information Needed

Factor: Potential impact of a control's failure
Possible impact: The potential impact of a control's failure may affect the amount of information needed to conclude that the internal control system is effective in a given area. For instance, an evaluator monitoring reconciliation controls in a low- or moderate-risk area might decide to evaluate only a few reconciliations on a monthly basis, with a periodic separate evaluation using a larger sample when necessary (e.g., after the passage of a certain period of time or upon the identification, through the review of indirect information, of a possible anomaly). Alternatively, in high-risk areas, that same evaluator might monitor every reconciliation control every month.

Factor: Controls that operate in areas with a high degree of change in people, processes or technology versus controls operating in stable areas
Possible impact: Controls that operate in areas with a high degree of change often warrant gathering and analyzing more information than those operating in more-stable environments.

Factor: Recent experience with control performance
Possible impact: Known failures of the internal control system to properly manage or mitigate given risks may warrant an increase in the amount or frequency of information gathered for evaluation.

Factor: Control frequency
Possible impact: Controls that occur infrequently are often subjected to judgmental selection methods, while those that occur frequently lend themselves to possible statistical sampling methods. In non-statistical selection methods, organizations determine the amount of information to evaluate after considering the level of risk and the importance of the identified control.

Factor: Who is conducting the monitoring
Possible impact: If evaluators are routinely involved in or witness the execution of controls (which constitutes direct information about the operation of controls), then their participation is ordinarily sufficient for them to conclude whether the controls are effective. As evaluators become more distant from the operation of the controls they typically need to obtain more information regarding the controls' operation.

Factor: Corroboration provided by monitoring other controls
Possible impact: If the monitoring of Control A provides at least partial support that Control B is operating effectively, that fact may influence the amount of information required to evaluate Control B. For example, effective monitoring of a three-way-match control between purchase orders, receiving documents and invoices may help support a conclusion that no data-entry errors were made and that data-entry controls over invoices are effective — possibly impacting the scope of monitoring those data-entry controls.

Factor: Complex controls
Possible impact: To address the variables in control operation, complex controls may warrant gathering more information than do simple controls.

Factor: Controls requiring the exercise of significant judgment
Possible impact: Controls requiring significant judgment (as opposed to those requiring little or no judgment) may warrant gathering more information to support a reasonable conclusion that judgment is being applied correctly in all circumstances.

Factor: Controls that address the risk of fraud or are subject to management override
Possible impact: When intentional manipulation of controls is a plausible risk, evaluators might gather more information regarding the effective operation of controls.

Factor: Manual controls
Possible impact: For manual controls, which are more prone to error than are automated controls, the quantity of information necessary will vary depending on the frequency of a control's operation, personnel turnover, and the experience and training of personnel who perform the controls.

Factor: Automated controls
Possible impact: Automated controls generally operate consistently when they exist in a controlled environment. Therefore, a periodic reconfirmation through evaluation of a single instance of a given automated control is often an acceptable monitoring threshold regarding the operation of that control. In such situations, management includes in its monitoring procedures the effectiveness of relevant information technology general controls such as program testing, program security, change-control processes and, perhaps, data security.

83. Evaluators can conclude that they have sufficient suitable information when, based on the evaluation of that information, they can reasonably conclude either that the risk of a control failure material to the organization's objectives is:

• Below the level of reasonable possibility, or
• Above the level of reasonable possibility, leading to an assessment of the severity of the identified deficiency.

Applying the Concepts — Identify Persuasive Information

The consideration of information suitability and sufficiency in monitoring is not intended to create prescriptive rules
for monitoring (e.g., establishing a certain percentage of direct versus indirect information). Rather, it is to help
those responsible for monitoring evaluate the level of support that various information sources might provide in a
given risk context.

Answering a series of questions may help evaluators make this judgment. Example questions include:

• Is the information relevant to a conclusion about control effectiveness?
  • Does the information demonstrate directly whether the control being evaluated operates properly, or does it require a greater degree of inference based on the existence or lack of certain anomalies?
  • If the indirect information is not negative (i.e., it does not indicate that the control may have failed to operate properly), how supportive is it in light of the:
    • Level of risk the control is intended to mitigate,
    • Length of time since evaluators last obtained information that directly supported their control conclusions, and
    • Effectiveness of other controls that might address the same risk(s)?

• Does the organization have a reasonable basis for concluding that the information used in monitoring is reliable? For example:
  • If the information comes from a system report, are the controls affecting that system report effectively monitored?
  • Does the information come from an objective source, or can it be confirmed by an objective source?
  • Is the information possibly subjected to a procedure or reconciliation that might affirm its reliability? (For example, a three-way match of purchase orders, receiving documents and invoices helps support a conclusion that the related dollars and/or quantities are accurate.)

• Is the information evaluated in a time frame that allows the organization to take corrective action before a control breakdown has a reasonable opportunity to materially affect related objectives?

• Does the information relate to the period under consideration? (For example, information may be too old to tell evaluators anything about the current operation of controls, or it might come from a period following the desired control evaluation date.)

• Do evaluators gather and evaluate enough information to support their control conclusions? (Note: the answer might be influenced by some of the factors listed in the table on page 34.)

Continuing the earlier revenue recognition example, the following represents this "level-of-support" thought
process. Recall that the organization identified the risk of channel stuffing as "high" and identified four key controls
out of 11 that it will subject to specific monitoring procedures. Here, the organization identifies what information is
available to support a conclusion about whether those controls are working.

In this example, where the underlying risk relates to a potential material misstatement of the financial statements,
the ultimate risk owner is most likely the CFO, and oversight is provided by the audit committee. To the extent that
the ultimate risk owner (e.g., the CFO) is involved in or directly witnesses the execution of the key controls, he or
she may not need to gather any additional information about the operation of those controls — participation in the
control process can provide sufficient relevant, reliable and timely information to support his or her individual
conclusions about control effectiveness. However, to the extent that others, such as the audit committee, are not
directly involved and require support regarding control effectiveness, they would need to gather and evaluate
additional persuasive information either on their own or through others. The following example demonstrates these
two different levels of support.

Note: This example is not meant to show the level of documentation necessary to support the identification of
persuasive information. It is intended to demonstrate an organization's possible thought process in determining
what information to use in monitoring.

3. Identify Persuasive Information About Key Controls

Key Control: Control #1 - Tone at the top
Available Information:
- Management participation and periodic communications in sales meetings, including setting expectations that specifically address this risk
- Evidence of corrective actions, if necessary

Rationale:

Relevant - This information is obtained from witnessing or delivering the communications, so it is relevant.

Reliable - For those who witness these communications and actions, this is reliable information because they see the control in action. Others (such as the audit committee) may desire to confirm the communications through discussions with relevant personnel.

Timely - The observations happen in real time and would be timely.

Sufficient - Witnessing these communications and actions would adequately demonstrate the existence of a proper tone at the top.
Key Control: Control #6 - Approval for contract modifications
Available Information:
- Signed approval noted on modified contract
- CFO participation in sales meetings where modifications are discussed

Rationale:

Relevant - Short of witnessing or participating in the approval process, reviewing a signed approval is the most direct form of supporting information available. Participation in sales meetings may also be relevant if such modifications are a standard discussion topic.

Reliable - Reviewing signed approvals would generally be a reliable way to see that modifications were approved. Participation in sales meetings would only provide reliable information if all modifications are discussed. It would not provide information about modifications that were excluded from the discussion. Accordingly, such participation would not be reliable enough, on its own, to support a conclusion that all modifications are approved. However, participation in sales meetings might provide enough suitable information to influence the number, type and frequency of individual approvals the evaluator reviews.

Note that objectivity may be a factor to consider. If the sales manager signs approvals and participates in the sales meetings, then the CFO may want a more objective, periodic evaluation.

Timely - The timeliness of any approval review process will be dependent on the evaluator's selection of contracts for review that are applicable to the period under consideration. The timeliness of participation in sales meetings is real-time and, thus, is timely.

Sufficient - The organization's conclusions regarding sufficiency could follow a thought process such as the following. The CFO's participation in monthly sales meetings where modifications are discussed, coupled with a quarterly review by the controller (or testing by internal audit) of X number of contracts selected at random, would provide sufficient information to conclude whether the internal control system is effective in addressing this channel-stuffing risk (and possibly other contract-related risks).

Key Control: Control #10 - Sales personnel compensation review & adjustment
Available Information:
- CFO participation in the review/adjustment process
- Completed and documented reviews/adjustments

Rationale:

Relevant - Participation in this review and adjustment process provides the most relevant information about its completion. Seeing documented evidence of the reviews and adjustments provides the next most-relevant information.

Reliable - Both forms of information above would reliably tell the evaluator whether this control was working. Again, objectivity could be a factor to consider.

Timely - Similar to Control #6, timeliness depends on the evaluator selecting the right instances of the control to evaluate. Participation in the process is real-time and, thus, is timely.

Sufficient - Deciding how much of this information to gather will follow a similar thought process as Control #6.

Key Control: Control #11 - Sales and return trend review by salesperson, by customer
Available Information:
- CFO participation in the review process
- Completed and documented sales and return trend review

Rationale:

The rationale for concluding on the persuasiveness of this information will be similar to the rationale for concluding on the information in Control #10.

Other Possibly Persuasive Information: The organization might also determine how control failure might manifest in such a way as to be detected before material error can result. This may reveal other forms of indirect information that are useful in monitoring.
Available Information:
- Revenue would increase, coupled with declining margins over time
- Increase in accounts receivable aging on a per-sales-person basis
- Increase in sales returns after quarter-end

Rationale:

In this case, these potential risk indicators (i.e., indirect information) might be deemed to be relatively weak because they could take a long time to highlight a problem and are susceptible to being clouded by other business factors.
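The following Python program is an added example, not part of the COSO guidance, that puts two of the points above into running detection logic: the indirect indicators listed for the channel-stuffing risk (post-quarter-end returns, receivables aging and margin erosion, tracked per salesperson rather than only at the consolidated level, as paragraph 76 recommends) and the rule in paragraphs 72 to 75 that an anomaly-free stream of indirect information supports a conclusion only while a baseline established with direct information is still fresh. The salespeople, their quarterly figures, the thresholds and the one-year validity window are all constructed assumptions for the example.

```python
"""Indirect-information monitoring against a direct-information baseline.

Added example (not from the COSO guidance). Every metric, threshold and
date below is a constructed assumption chosen to make the behaviour visible.
"""
from dataclasses import dataclass
from datetime import date
from statistics import mean


@dataclass(frozen=True)
class QuarterMetrics:
    salesperson: str
    quarter: str
    revenue: float               # revenue booked in the quarter
    margin_pct: float            # gross margin, percent
    post_quarter_returns: float  # value of returns received after quarter-end
    ar_over_90_pct: float        # receivables aged over 90 days, percent


# Constructed history: three unremarkable quarters per salesperson.
HISTORY = [
    QuarterMetrics("alice", "2021Q2", 100.0, 40.0, 2.0, 5.0),
    QuarterMetrics("alice", "2021Q3", 105.0, 39.5, 2.5, 5.5),
    QuarterMetrics("alice", "2021Q4", 102.0, 40.2, 2.1, 5.2),
    QuarterMetrics("bob", "2021Q2", 120.0, 38.0, 3.0, 6.0),
    QuarterMetrics("bob", "2021Q3", 118.0, 38.5, 2.8, 6.2),
    QuarterMetrics("bob", "2021Q4", 121.0, 37.9, 3.1, 5.9),
    QuarterMetrics("carol", "2021Q2", 90.0, 41.0, 1.8, 4.8),
    QuarterMetrics("carol", "2021Q3", 92.0, 41.2, 1.9, 5.0),
    QuarterMetrics("carol", "2021Q4", 95.0, 40.8, 2.0, 4.9),
    QuarterMetrics("dave", "2021Q2", 110.0, 39.0, 2.4, 5.5),
    QuarterMetrics("dave", "2021Q3", 108.0, 39.4, 2.2, 5.3),
    QuarterMetrics("dave", "2021Q4", 112.0, 38.8, 2.5, 5.6),
]
# Constructed current quarter: "bob" shows the pattern the text describes
# (revenue up, margin down, post-quarter returns and aged receivables up).
CURRENT = [
    QuarterMetrics("alice", "2022Q1", 104.0, 40.0, 2.3, 5.4),
    QuarterMetrics("bob", "2022Q1", 160.0, 33.0, 8.0, 14.0),
    QuarterMetrics("carol", "2022Q1", 96.0, 41.0, 2.0, 5.0),
    QuarterMetrics("dave", "2022Q1", 113.0, 39.1, 2.4, 5.5),
]

# Thresholds and dates are assumptions for the example, not guidance values.
RATIO_THRESHOLD = 1.5        # return rate or AR aging above 1.5x own baseline
MARGIN_DROP_POINTS = 3.0     # margin more than 3 points under baseline ...
REVENUE_GROWTH = 0.25        # ... while revenue is more than 25% above it
DIRECT_VALIDITY_DAYS = 365   # how long a direct-information baseline is relied on
AS_OF = date(2022, 3, 31)
BASELINE_FRESH = date(2021, 12, 1)   # last direct validation, within window
BASELINE_STALE = date(2021, 1, 15)   # last direct validation, window expired


def return_rate(m: QuarterMetrics) -> float:
    return m.post_quarter_returns / m.revenue


def per_salesperson_flags(history, current):
    """Compare each salesperson's current quarter with their own baseline.

    Returns (salesperson, indicator) pairs for each breached indicator. A
    salesperson with no history yields nothing: without a baseline, indirect
    information supports no inference either way (paragraph 73).
    """
    flags = []
    for cur in current:
        hist = [h for h in history if h.salesperson == cur.salesperson]
        if not hist:
            continue
        base_rate = mean(return_rate(h) for h in hist)
        base_ar = mean(h.ar_over_90_pct for h in hist)
        base_margin = mean(h.margin_pct for h in hist)
        base_revenue = mean(h.revenue for h in hist)
        if return_rate(cur) > RATIO_THRESHOLD * base_rate:
            flags.append((cur.salesperson, "post_quarter_returns"))
        if cur.ar_over_90_pct > RATIO_THRESHOLD * base_ar:
            flags.append((cur.salesperson, "ar_aging"))
        if (cur.revenue > (1 + REVENUE_GROWTH) * base_revenue
                and base_margin - cur.margin_pct > MARGIN_DROP_POINTS):
            flags.append((cur.salesperson, "revenue_up_margin_down"))
    return flags


def consolidated_return_flag(history, current) -> bool:
    """Same return-rate test, but on company-level totals only.

    One salesperson's spike is diluted by everyone else's normal quarter,
    which is why the guidance prefers the per-salesperson, per-customer view.
    """
    totals = {}
    for h in history:
        rev, ret = totals.get(h.quarter, (0.0, 0.0))
        totals[h.quarter] = (rev + h.revenue, ret + h.post_quarter_returns)
    base_rate = mean(ret / rev for rev, ret in totals.values())
    cur_rate = sum(c.post_quarter_returns for c in current) / sum(c.revenue for c in current)
    return cur_rate > RATIO_THRESHOLD * base_rate


def monitoring_decision(flags, last_direct_validation: date, today: date) -> str:
    """An anomaly always triggers follow-up; otherwise anomaly-free indirect
    information is accepted only while the direct baseline is within its
    validity window, after which direct information must be gathered again."""
    if flags:
        return "investigate"
    if (today - last_direct_validation).days > DIRECT_VALIDITY_DAYS:
        return "reconfirm_direct"
    return "indirect_sufficient"


def run(today: date = AS_OF, last_direct: date = BASELINE_FRESH) -> str:
    return monitoring_decision(per_salesperson_flags(HISTORY, CURRENT), last_direct, today)


if __name__ == "__main__":
    for who, indicator in per_salesperson_flags(HISTORY, CURRENT):
        print(f"anomaly: {who} {indicator}")
    print("consolidated view flags anything:", consolidated_return_flag(HISTORY, CURRENT))
    print("decision:", run())
```

Run as a script it lists the three breached indicators for "bob", shows that the consolidated-level test flags nothing on the same data, and returns "investigate"; with an anomaly-free quarter the decision depends only on how old the last direct validation is, which is the reconfirmation rule from the factor table above.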

Implement Monitoring Procedures

84. With risks prioritized, key controls selected and available persuasive information identified, the organization implements monitoring procedures that evaluate the internal control system's effectiveness. Monitoring involves the use of ongoing monitoring procedures and/or separate evaluations to gather and analyze persuasive information supporting conclusions about the effectiveness of internal control across all five COSO components.


Ongoing Monitoring and Separate Evaluations

85. Ongoing monitoring procedures using both direct and indirect information are built into the routine, recurring operating activities of an organization. They include regular management and supervisory activities, peer comparisons and trend analysis using internal and external data, reconciliations, and other routine actions. They might also include automated tools that electronically evaluate controls and/or transactions. Because they are performed routinely, often on a real-time basis, ongoing monitoring procedures can offer the first opportunity to identify and correct control deficiencies.25

86. Separate evaluations can employ the same techniques as ongoing monitoring, but they are designed to evaluate controls periodically and are not ingrained in the routine operations of the organization.

87. Separate evaluations often are performed by people who are not directly involved in the operation of the controls being monitored. As such, they may provide a more objective analysis of control effectiveness than ongoing monitoring procedures that often are performed by less objective personnel.

1992 COSO Framework

"Monitoring can be done in two ways: through ongoing activities or separate evaluations. Internal control systems usually will be structured to monitor themselves on an ongoing basis to some degree. The greater the degree and effectiveness of ongoing monitoring, the less need for separate evaluations."

"An entity that perceives a need for frequent separate evaluations should focus on ways to enhance its ongoing monitoring activities and, thereby, to emphasize 'building in' versus 'adding on' controls."

"Usually, some combination of ongoing monitoring and separate evaluations will ensure that the internal control system maintains its effectiveness over time."

88. Separate evaluations can also provide valuable periodic feedback regarding the effectiveness of ongoing monitoring procedures.

89. Principle 19 of COSO's 2006 Guidance,26 which addresses the role of ongoing monitoring and separate evaluations, includes the following helpful attributes of monitoring:

• Integrates with operations — Ongoing monitoring is built into the organization's routine operating activities.
• Provides objective assessments — Ongoing monitoring and/or separate evaluations provide an objective consideration of internal control effectiveness.27
• Uses knowledgeable personnel — Evaluators understand the components being evaluated and how those components relate to activities supporting the organization's objectives.
• Considers feedback — Management and the board28 receive feedback on the effectiveness of internal control.
• Adjusts scope and frequency — Management varies the scope and frequency of separate evaluations depending on the significance of risks being controlled, the nature of the controls mitigating those risks and the effectiveness of ongoing monitoring.

90. Most organizations employ a combination of ongoing monitoring and separate evaluations, with ongoing monitoring providing the primary support for management's day-to-day beliefs regarding control effectiveness, and separate evaluations providing periodic confirmation. This combination works best when the information used in the ongoing monitoring procedures is persuasive (as discussed below).

91. To determine how often separate evaluations will be performed, organizations consider the likelihood and/or potential significance of a control's failure between evaluations, including consideration of the support provided by ongoing monitoring. As the risk and/or significance of control failure increases/decreases, the interval between separate evaluations decreases/increases.

92. The level of persuasive information used in ongoing monitoring procedures can also influence the frequency of separate evaluations. Ongoing monitoring that evaluates more-persuasive information in a given risk scenario might provide all the support necessary to conclude on the effectiveness of the internal control system in that area. In such a case, separate evaluations might occur infrequently (perhaps even every few years29) and primarily for independent confirmation that the ongoing monitoring procedures are working.

93. Ongoing monitoring that evaluates less-persuasive information might flag anomalies that trigger an unscheduled separate evaluation, but generally would not provide the support necessary to conclude that internal control is effective over an extended period of time. Accordingly, more-frequent separate evaluations would be warranted.

Applying the Concepts — Implement Monitoring Procedures

The "Prioritize Risks" section discussed how the assessment of risk and the susceptibility of controls to failure
work together to influence decisions regarding what controls to monitor. The information below extends that
concept to this "Implement Monitoring Procedures" section of the guidance in order to show how those
determinations might also affect the monitoring procedures employed and the information used in monitoring.

Monitoring Need / Determining Factors / Possible Monitoring Approach

Monitoring need: Highest
Determining factors: Controls that are susceptible to a high risk of failure, and address risks deemed to be high-priority
Possible monitoring approach: Ongoing monitoring using direct and indirect information, with periodic separate evaluations of direct information

Monitoring need: Moderate in short term
Determining factors: Controls that are less susceptible to failure, and address risks deemed to be high-priority
Possible monitoring approach: Ongoing monitoring using indirect information, with periodic separate evaluations of direct information

Monitoring need: Moderate in long term
Determining factors: Controls that are susceptible to a high risk of failure, and address risks deemed to be lower-priority
Possible monitoring approach: Ongoing monitoring using indirect information, with less-frequent separate evaluations of direct information

Monitoring need: Lowest
Determining factors: Controls that are less susceptible to failure, and address risks deemed to be lower-priority
Possible monitoring approach: Might not be monitored at all by senior management, or management may monitor them infrequently based on the level of risk.

Completing the earlier channel-stuffing example, the organization is now in position to determine what monitoring procedures to employ. Note that most of the procedures identified in the following table constitute ongoing monitoring that is already performed in the ordinary course of business. Additional monitoring procedures are added only to compensate for any remaining risk not covered by the normal operation of the internal control system.

4. Implement Monitoring Procedures

Key Control: Control #1 - Tone at the top
Monitoring Procedure:
- The CFO participates in the monthly sales meeting, both establishing and verifying the proper tone at the top.
- Internal audit also observes these meetings periodically.

Rationale: Participation in these meetings may be all that is necessary for the CFO to conclude on the effectiveness of this control. Evaluators who are further removed, such as the audit committee, might talk to the sales manager and/or sales personnel about management's attitudes and communications. This activity might be especially valuable if the organization does not have an internal audit function that can provide an objective assessment of control effectiveness.

Key Control: Control #6 - Approval for contract modifications
Monitoring Procedure:
- Participation by CFO in monthly sales meetings.
- Controller (or internal audit) to select X contracts every quarter, noting any unapproved modifications.

Rationale: Through weekly management meetings, the CFO may obtain valuable indirect information about the operation of this control. However, given the level of risk and the fact that sales personnel could make modifications that are not reported to the sales manager, the CFO might have the controller or internal audit randomly select a few contracts every quarter and review them for unapproved modifications.

Key Control: Control #10 - Sales personnel compensation review & adjustment
Monitoring Procedure:
- CFO participation in this control is sufficient.
- Audit committee to direct annual testing by internal audit.

Rationale: The CFO might review these adjustments and supporting documentation as part of his or her quarterly closing process, in which case, he or she has already performed the monitoring necessary to support related conclusions. The audit committee, as part of its oversight responsibility, might instruct internal audit to test this area annually. Alternatively, it might make direct inquiries regarding the compensation reviews and request proof of their completion.

Key Control: Control #11 - Sales and credit memo trend review
Monitoring Procedure:
- Obtain evidence that the sales manager and CFO perform their review of sales spikes and credit memo spikes, including investigation of anomalies to determine the root cause and correction of any identified control deficiencies.

Rationale: Since the CFO is involved in the completion of this control, he or she need not perform additional monitoring to reach a conclusion regarding its operating effectiveness. Like the previous step, the audit committee might direct internal audit to test this control when it tests the compensation review control, or audit committee members might perform their own inquiry and observation procedures.

Other Considerations: Additional periodic evaluation
Monitoring Procedure:
- Every other year, internal audit selects a representative sample of contracts and tests for propriety.

Rationale: The monitoring procedures above might reasonably be expected to evaluate, for an extended period, the effectiveness of the internal control system related to channel-stuffing risk. However, because the risk is high, and because it is most likely to occur through deceptive means, the organization could decide to have internal audit, or some other independent personnel, select and test samples of contracts and sales and return activities on an annual or bi-annual basis. These additional procedures would firmly establish the effectiveness of the controls and lend support to the belief that the other ongoing monitoring procedures are effective.

IV. Assess and Report Results

94. Monitoring includes reporting results to appropriate personnel. This final stage enables the results of monitoring to either confirm previously established expectations about the effectiveness of internal control or highlight identified deficiencies for possible corrective action. Principle 20 of COSO's 2006 Guidance ("Reporting Deficiencies") identified three helpful attributes that specifically address the role of monitoring when deficiencies are identified:[30]

- Report findings — Findings of internal control deficiencies are reported (1) to the individual who owns the process and related controls and who is in a position to take corrective actions, and (2) to at least one level of management above the process owner.
- Report deficiencies — Significant deficiencies are communicated to top management and the board or audit committee.
- Correct problems on a timely basis — Deficiencies reported from both internal and external sources are considered, and timely corrective actions are taken.[31]

95. These attributes reinforce the need for the right people to receive information such that (1) corrective action can be taken, and (2) management can provide sufficient oversight to gain assurance that the corrective action has been taken.

Prioritize and Communicate Results

96. Consistent with Principle 20 of COSO's 2006 Guidance, monitoring includes identifying potential control deficiencies and communicating them to the right people in a timely manner. Prioritizing identified control deficiencies can help facilitate the reporting process and the determination of possible corrective action. Some organizations prioritize control issues by severity along a continuum such as high, medium or low, or along a numerical scale (e.g., 1-5 or 1-10). Other organizations use a less formal mechanism. Regardless, several factors may influence an organization's prioritization of identified deficiencies, including:

- The likelihood that the deficiency will affect the achievement of an organizational objective — The fact that a deficiency has been identified means that there is at least some likelihood that objectives may not be met. The greater that likelihood, the greater the severity of the control deficiency.
- The effectiveness of compensating controls — The effective operation of other controls may prevent or detect an error resulting from an identified deficiency before that error can materially affect the organization. The presence of such controls, when monitored, can provide support for reducing the severity of a deficiency.
- The aggregating effect of multiple deficiencies — When multiple deficiencies affect the same or similar risks, their mutual existence increases the likelihood that the internal control system may fail, thus increasing the severity of the identified deficiencies.

97. Determining who prioritizes the deficiencies is a matter of judgment. Organizations likely will consider the size and complexity of the organization, the nature and importance of the underlying risk, and the experience and authority of the people involved in the monitoring process. Regardless, the prioritization of identified deficiencies should be performed by appropriately competent and objective personnel.

Applying the Concepts — Prioritize and Communicate Results

The following table describes how organizations might consider the likelihood and significance variables as they
prioritize identified control deficiencies. Smaller, less complex organizations might prioritize deficiencies in an
informal manner through discussions within management and/or with the board. As organizations increase in size
and complexity, they may need to formalize this process.

The assessment of the likelihood of a control failure and its potential significance are judgmental decisions that
exist along a continuum. The table below is not meant to imply that there are four distinct categories of control
failure. Rather, it is intended to demonstrate how one might distinguish between different risk grades.

Risk Ranking and Considerations

Significance: High / Likelihood: High
Highest priority - These control deficiencies deserve immediate attention. Additional oversight or review often can be implemented during the correction period to protect further against material errors.
Example: a lack of experience or knowledge within an organization about accounting for a material, complex transaction.

Significance: High / Likelihood: Low
Moderate to high priority in the near term - The significance of the potential errors related to these control deficiencies makes the deficiencies important to correct. Additional oversight or review might also be implemented here during the correction period.
Example: a weakness exists in the supervisory oversight of accounting for a complex, material transaction, but the experience and knowledge of the people responsible for the transaction are adequate. As such, the organization may conclude that the likelihood is low that an error will occur, but the significance is high if it does occur.

Significance: Low / Likelihood: High
Moderate priority in the long term - Potential errors resulting from these deficiencies can accumulate to material levels over time, or they can reduce organizational efficiency because frequent errors must be corrected repeatedly.
Example: a weakness in a reconciliation control over an account that has low or moderate activity and for which large, single errors would be easily identified through the analysis of indirect information (e.g., metrics or key performance indicators). Weaknesses in such controls may grow over time, but are unlikely to result in an immediate material error, thus allowing the organization to prioritize their correction.

Significance: Low / Likelihood: Low
Lowest priority - The errors related to these control failures often result more in lost efficiency than in material errors. Management may consider these for correction, but not at the expense of failing to correct higher-ranking deficiencies.

Report Internally

98. Reporting protocols vary depending on the purpose for which the monitoring is conducted and the severity of the deficiencies. Typically, the results of monitoring conducted for purposes of evaluating internal control related to an organization's entity-wide objectives are reported to senior management and the board. Examples include monitoring of internal control over financial reporting or monitoring of controls over operations that are material to the organization's profitability.

99. Some monitoring, however, is conducted for purposes that might be relevant only to a part of an organization, e.g., a small subsidiary's operational monitoring to meet local goals that are not significant to the consolidated organization. Identified deficiencies in this case might have "higher likelihood" and "higher significance" relative to the subsidiary's objectives, but not to the organization's overall objectives. Reporting in such cases might be limited to local management personnel for whom the local goals are relevant.

100. In any case (except, perhaps, where fraud is suspected), control deficiencies should be reported to the person directly responsible for the control's operation and to management that has oversight responsibilities and is at least one level higher. Reporting at least to these two levels gives the responsible person the information necessary to correct control operation and also helps ensure that appropriately objective people are involved in the severity assessment and follow-up. At some point, deficiencies may become severe enough to warrant discussion with the board. Management and the board may wish to discuss in advance the nature and severity of deficiencies that should be reported to that level.

101. In situations where fraud is suspected, reporting may not occur to the person directly responsible for the control's operation. It would occur to higher levels, including to senior management and the board as appropriate.

Applying the Concepts — Report Internally

Evaluators should understand what they should report and to whom concerning the results of their monitoring
efforts. Depending on the size and complexity of the organization, this understanding may be established through
formal or informal protocols. The potential significance of the underlying risk and the purpose for which the
monitoring is being performed are often primary considerations in determining what to report and to whom.

The risk assessment process described in the "Prioritize Risks" section can help management and the board
determine the risk areas in which they want to either (1) conduct monitoring procedures themselves (in which
case, the internal reporting occurs automatically), or (2) receive periodic monitoring updates.

An internal audit function can also be a valuable resource both in identifying internal reporting needs and in
delivering periodic reports regarding the results of monitoring procedures they perform.

As organizations grow in size and complexity, they may find value in using the process management tools
referenced in the "Using Technology for Monitoring" section to document and track the results of internal control
monitoring.

Report Externally

102. A properly designed and executed monitoring program helps support external certifications or assertions[32] because it provides persuasive information that internal control operated effectively at a point in time or during a particular period.

103. The presence of external assertion requirements may affect the type, timing and extent of monitoring an organization decides to perform. Therefore, organizations that are not required to report, and those that are required to report publicly or to third parties on the effectiveness of their internal control system, may design and execute monitoring activities differently.

104. External reports that assert as to the effectiveness of an internal control system may need to withstand scrutiny by outsiders who (1) do not have management's implicit knowledge of controls, and (2) require enough persuasive information to form their own opinions about the effectiveness of internal control. As a result, an organization may wish to compare the scope of its monitoring program with the needs of external parties, such as auditors and regulators, to help ensure that all parties understand the available monitoring information, enabling them to maximize its use. In addition, the organization might be able to enhance the efficiency of external parties' work by directing them to portions of its monitoring procedures that they might use, or by making modifications to its monitoring program to better facilitate external parties' work.

105. Most external reporting requirements are developed to address risks that are already contemplated by properly designed and executed monitoring procedures. They require assertions regarding the effectiveness of internal control systems in managing or mitigating risks that have a reasonable possibility of affecting certain organizational objectives. Effective monitoring procedures generally provide substantial support for such assertions. In some circumstances, however, modifications to the monitoring program may be warranted or beneficial to the organization when external reporting is required.

106. For example, when monitoring activities are performed by individuals who are objective, external parties (such as auditors and examiners) are likely to consider the results to be more reliable than those compiled by someone less objective. Organizations have choices regarding who conducts monitoring and should consider the cost of increasing the objectivity of the monitoring (e.g., by instituting a peer or supervisory review or directing internal audit to perform testing) compared with the cost of having the third party (such as an external auditor) develop its own reliable support. The most cost-effective option may be implementing a more objective monitoring process, thereby making the external party's work more efficient.

107. Similarly, the decision to use indirect rather than direct information to monitor the effectiveness of controls could involve a cost-benefit evaluation with respect to external-party requirements such as an audit, regulatory examination or other third-party evaluation. For example, an organization's external auditors may determine, based on their audit plan, to evaluate the design and operating effectiveness of certain controls. If the organization uses direct information in monitoring those controls, independent auditors might use the results of that monitoring to provide support for their audit conclusions. Conversely, if the organization uses indirect information in monitoring the controls, independent auditors may need to perform their own separate tests using direct information — possibly increasing the cost of the audit. Thus, when designing its monitoring procedures, the organization might consider the overall costs involved both in monitoring and in supporting any third-party evaluations.

Applying the Concepts — Report Externally

External reporting requirements, such as for written assertions or confirmations regarding internal control
effectiveness, sometimes lead management to conclude that separate evaluations (whose sole purpose is to
support those requirements) must be implemented. However, management may be able to maximize the value of
existing monitoring procedures by recognizing and/or modifying them for their ability to support management's
reporting requirements.

In considering the impact of external reporting requirements on monitoring, management and the board —
possibly through discussion with their auditor or regulator — might consider the following:

- Do we fully understand the external reporting requirement, including its scope and expected level of documentation?
- Do reporting-requirement elements exist that might cause us to perform more-extensive monitoring in a particular area than we feel is necessary given our risk-assessment and control-importance analysis? If so, a review of the requirement (to help ensure that it does, in fact, require such an evaluation) and the risk assessment process (to help ensure that the organization did not omit an important risk and related control from normal monitoring consideration) may be in order. (Note that such conflicts should be rare, but may occur in some regulated environments.)
- Does the documentation adequately support the assertions?
- Could the organization make cost-effective modifications to the monitoring procedures that might improve the efficiency of third-party evaluations, such as the external audit (e.g., using more direct information, changing the timing or increasing the scope of evaluation so that the third party can use the results to support its conclusions)?
- Could the organization make cost-effective modifications to the format or extent of documentation that might improve the efficiency of third-party evaluations, such as the external audit or a regulatory exam?

V. Other Considerations

Monitoring Controls Outsourced to Others

108. When organizations use external parties (also known as service providers) to provide certain services, such as a bank outsourcing loan servicing or a corporation outsourcing its benefit plan administration, the associated risks to organizational objectives still must be managed properly. Users of outsourced services (often referred to as "user organizations") should understand and prioritize the risks associated with those services. User organizations should also understand how the service provider's internal control system manages or mitigates meaningful risks and obtain at least periodic information about the operation of those controls. This understanding may be attained through reviewing an independent audit or examination report provided by the service provider. Where such an audit or examination report is not available and where the level of risk warrants, user organizations may conduct their own periodic separate evaluations of key controls at the service provider. In fact, a "right to audit" clause is often included in contracts between user and service organizations.

109. User organizations may also find other useful sources of information about the design and operation of service organization controls such as through frequent interaction with the service provider, user group forums, and reports by internal auditors or regulatory authorities. Additionally, some user organizations may find it necessary to implement effective internal control over the processing performed by the service provider (e.g., comparison of input to output or reconciliation of service provider processing results to other independent records), which may reduce either the need to monitor controls of the service provider or the frequency with which to monitor them.

Using Technology for Monitoring

110. Organizations often use information technology (IT) — via control monitoring tools and process management tools — to enhance monitoring. As the use of IT increases, both as part of an organization's operations and as tools used in monitoring, the need increases to evaluate internal control over those information systems.[33]

111. Control monitoring tools — Automated control monitoring tools perform routine tests and can enhance the effectiveness, efficiency and timeliness of monitoring specific controls. Many operate as controls and, simultaneously, provide monitoring information on the continued operations of other controls. Some are implemented independently of the controls they are monitoring, whereas others are part of reporting-capability tools that are otherwise an integral part of the internal control system. Monitoring tools typically focus on one or more of the following:

- Transaction data — Comparing processed transaction (or masterfile) data against a set of control rules established to highlight exceptions and/or identify instances in which the controls over a process or system are not working as intended.
- Conditions — Examining application or infrastructure configuration settings/parameters and comparing them with a baseline or with previously established expectations. An example could include tools that monitor system access controls.
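An added illustration, not a tool from COSO's guidance, of the two focuses just listed: transaction data tested against control rules drawn from the channel-stuffing example (unapproved contract modifications, credit memo spikes), and access-control configuration settings compared with a baseline. It also ranks the resulting findings on the significance/likelihood grid from "Prioritize and Communicate Results", raising likelihood where several findings affect the same risk. The rules, the threshold, the baseline and the sample records are all constructed for the example.

```python
"""Added illustration of an automated control-monitoring check (not a tool
from COSO's guidance). It shows the two focuses named above: transaction
data tested against control rules, and configuration settings compared with
a baseline. The rules, the baseline, and the records are constructed."""
from collections import Counter
from dataclasses import dataclass

# Constructed contract records, keyed like the channel-stuffing example:
# was the contract modified, who approved the change, and what share of its
# value has since been reversed through credit memos.
CONTRACTS = [
    {"id": "C-1001", "rep": "alice", "modified": False, "approved_by": None, "credit_memo_pct": 2.0},
    {"id": "C-1002", "rep": "bob", "modified": True, "approved_by": "sales_mgr", "credit_memo_pct": 1.5},
    {"id": "C-1003", "rep": "bob", "modified": True, "approved_by": None, "credit_memo_pct": 35.0},
    {"id": "C-1004", "rep": "carol", "modified": True, "approved_by": None, "credit_memo_pct": 0.0},
]

# Constructed baseline of expected access-control settings, and the settings
# observed on the live system (two have drifted from the baseline).
BASELINE = {"password_min_length": 12, "mfa_required": True,
            "contract_edit_role": "sales_manager", "audit_logging": True}
OBSERVED = {"password_min_length": 8, "mfa_required": True,
            "contract_edit_role": "sales_rep", "audit_logging": True}


@dataclass(frozen=True)
class Finding:
    risk: str          # the risk the failed control addresses
    subject: str       # record id or setting name that raised it
    detail: str
    significance: str  # "high" or "low", per the prioritization grid
    likelihood: str    # "high" or "low"


# --- Transaction data: control rules that return a Finding or None --------
def rule_unapproved_modification(contract):
    """Control #6: every contract modification needs a recorded approval."""
    if contract["modified"] and not contract["approved_by"]:
        return Finding("channel_stuffing", contract["id"],
                       "contract modified without recorded approval", "high", "high")
    return None


def rule_credit_memo_spike(contract, threshold_pct=20.0):
    """Control #11: a credit-memo spike on one contract is an anomaly to investigate.
    The 20% threshold is an assumption for the example."""
    if contract["credit_memo_pct"] > threshold_pct:
        return Finding("channel_stuffing", contract["id"],
                       f"credit memos reverse {contract['credit_memo_pct']}% of value", "high", "low")
    return None


TRANSACTION_RULES = [rule_unapproved_modification, rule_credit_memo_spike]


def check_transactions(records, rules=TRANSACTION_RULES):
    """Run every rule over every record; each hit is an exception to follow up."""
    findings = []
    for record in records:
        for rule in rules:
            finding = rule(record)
            if finding is not None:
                findings.append(finding)
    return findings


# --- Conditions: configuration compared with the baseline ------------------
def check_conditions(observed, baseline):
    """Flag any setting that is missing, changed, or not in the baseline at all."""
    findings = []
    for key, expected in baseline.items():
        actual = observed.get(key)  # a missing key reads as None and is flagged
        if actual != expected:
            findings.append(Finding("access_control", key,
                                    f"expected {expected!r}, found {actual!r}", "high", "high"))
    for key in observed.keys() - baseline.keys():
        findings.append(Finding("access_control", key,
                                "setting present but not covered by the baseline", "low", "low"))
    return findings


# --- Prioritization, following the significance/likelihood grid above -------
PRIORITY = {("high", "high"): "highest",
            ("high", "low"): "moderate to high, near term",
            ("low", "high"): "moderate, long term",
            ("low", "low"): "lowest"}


def prioritize(findings):
    """Return (finding, priority) pairs. When several findings touch the same
    risk, likelihood is raised to high: the aggregating effect of multiple
    deficiencies described in paragraph 96."""
    per_risk = Counter(f.risk for f in findings)
    result = []
    for f in findings:
        likelihood = "high" if per_risk[f.risk] > 1 else f.likelihood
        result.append((f, PRIORITY[(f.significance, likelihood)]))
    return result


if __name__ == "__main__":
    for finding, priority in prioritize(check_transactions(CONTRACTS) + check_conditions(OBSERVED, BASELINE)):
        print(f"[{priority}] {finding.risk}/{finding.subject}: {finding.detail}")
```

Run stand-alone it lists each exception with its priority. Each rule maps to one documented key control, so an exception feeds directly into the reporting protocol described under "Report Internally" (to the control owner and one level above); the baseline comparison catches drift in the access-control settings that the transaction rules implicitly rely on.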

Volume III: Examples

Volume 3.doc

January 2009

Committee of Sponsoring Organizations of the Treadway Commission

Board Members

Larry E. Rittenberg, COSO Chair
Mark S. Beasley, American Accounting Association
Michael P. Cangemi, Financial Executives International
Charles E. Landes, American Institute of Certified Public Accountants
David A. Richards, The Institute of Internal Auditors
Jeffrey Thomson, Institute of Management Accountants

Grant Thornton LLP — Author

Principal Contributors

R. Trent Gazzaway (Project Leader), Managing Partner of Corporate Governance, Grant Thornton LLP - Charlotte
James P. Burton, Partner, Grant Thornton LLP - Denver
J. Russell Gates, President, Dupage Consulting LLC - Chicago
Keith O. Newton, Partner, Grant Thornton LLP - Chicago
Sridhar Ramamoorti, Partner, Grant Thornton LLP - Chicago
Richard L. Wood, Partner, Grant Thornton LLP - Toronto
R. Jay Brietz, Senior Manager, Grant Thornton LLP - Charlotte

Review Team

Andrew D. Bailey Jr., Senior Policy Advisor, Grant Thornton LLP - Phoenix
Dorsey L. Baskin Jr., Regional Partner of Professional Standards, Grant Thornton LLP - Dallas
Craig A. Emrick, VP - Senior Accounting Analyst, Moody's Investors Service
Philip B. Livingston, Vice Chairman, Approva Corporation; Former President and CEO, Financial Executives International

COSO Task Force

Abraham D. Akresh, Senior Level Expert for Auditing Standards, U.S. Government Accountability Office
Douglas J. Anderson, Corporate Auditor, Dow Chemical Company
Robert J. Benoit, President and Director of SOX Research, Lord & Benoit, LLC
Richard D. Brounstein, Chief Financial Officer, NewCardio, Inc.; Director, The CFO Network
Jennifer M. Burns, Partner, Deloitte & Touche LLP
Paul Caban, Assistant Director, U.S. Government Accountability Office
James W. DeLoach, Managing Director, Protiviti
Miles E. Everson, Partner, PricewaterhouseCoopers LLP
Audrey A. Gramling, Associate Professor, Kennesaw State University
Scott L. Mitchell, Chairman and CEO, Open Compliance & Ethics Group
James E. Newton, Partner, KPMG LLP
Edith G. Orenstein, Director, Technical Policy Analysis, Financial Executives International
John H. Rife, Partner, Ernst & Young LLP
Michael P. Rose, Partner, Grant Thornton LLP
Robert S. Roussey, Professor of Accounting, University of Southern California; Former CEO and Senior Partner, GR Consulting LLP
Andre Van Hoek, Vice President, Corporate Controller, Celgene Corporation

Observer

Securities and Exchange Commission

Josh K. Jones, SEC Observer, Professional Accounting Fellow

I. Introduction
This volume (Volume III or "the Examples volume") of COSO's Guidance on Monitoring Internal Control Systems (COSO's Monitoring Guidance) illustrates techniques used by many organizations in applying the principles outlined in Volumes I and II (the Guidance and Application volumes, respectively). The structure of this volume parallels that of Volume II, providing easy reference between the two.

Chapters II-IV of this volume contain brief examples of various organizations' current monitoring processes,
demonstrating the concepts set forth in the corresponding chapters of Volume II. Chapter V of this volume
contains three comprehensive examples of applying the core concepts presented throughout COSO's Monitoring
Guidance.

Some users may benefit from first reading the examples in Chapter V in order to gain a more complete
understanding of how monitoring might be applied in different situations.

In order to provide further linkage between Volumes II and III, summaries of the Guidance are included in
shaded boxes at the beginning of each section in Chapters II-IV. Those passages also provide a foundation for
the illustrated techniques. To gain the desired benefit from this material, users should be familiar with Volume II.

This material is designed to be useful to those seeking to apply internal control monitoring techniques. Proper
monitoring of internal control, however, is not dependent upon use of the illustrated techniques, nor is their
application required for the monitoring component of internal control to be effective. Accordingly, the descriptions
and exhibits are presented as examples rather than as preferred methods or "best practices."

While some techniques are best applied in smaller, noncomplex organizations, others are more relevant to
larger, complex entities — and many can be applied to organizations of all sizes and levels of complexity.

A Model for Monitoring


Guidance Summary: An effective approach to monitoring involves (1) establishing a foundation for monitoring, (2) designing and executing monitoring procedures that are prioritized based on risks to achieving organizational objectives, and (3) assessing and reporting the results, including following up on corrective action where necessary (See Figure 1).

Figure 1: The Monitoring Process

II. Establish a Foundation for Monitoring

Guidance Summary: The foundation for monitoring includes (1) a tone at the top about the importance of internal
control (including monitoring); (2) an organizational structure that considers the roles of management and the
board in regard to monitoring and the use of evaluators with appropriate capabilities, objectivity, authority and
resources; and (3) a baseline understanding of internal control effectiveness.

Tone at the Top

Guidance Summary: As with every internal control component, the ways in which management and the board
express their beliefs about the importance of monitoring have a direct impact on the effectiveness of internal
control. Management's tone influences the way employees conduct and react to monitoring. Likewise, the board's
tone influences the way management conducts and reacts to monitoring. The following examples highlight ways in
which various organizations have implemented an effective tone at the top.

Many of these examples are broad, covering the tone at the top regarding the importance of all internal control,
including monitoring. Others demonstrate how management effectively and consistently communicates its
expectations regarding risk and the importance of monitoring in providing assurance that meaningful risks are
properly managed or mitigated.

Example 1: A large professional services organization maintains what it calls a "COSO Usage Document." This
document, updated annually, identifies how the organization adheres to the principles and attributes of each of
the five COSO components. The contents of the COSO Usage Document are validated by the global leadership
responsible for processes across the enterprise (i.e., Finance, HR, CIO, Legal, Operations). In addition to
serving as a key design document that helps management and the auditors understand the strength of their
design, the COSO Usage Document also serves as evidence of the organization's integrated control structure.
Readers receive a clear message from the top of the organization that internal controls, including monitoring, are
an important part of the success of their business. See Appendix A for excerpts from this COSO
Usage Document.

Risk/issue: Pervasive lack of risk and control ownership leading to potential control failures. Can result from a
failure to understand risks, controls and related responsibilities.

Response: Consistent development and communication of expectations regarding internal control, including
monitoring.

Result: Helps ensure consistent understanding of risk/control responsibilities, including monitoring.

Example 2: A large power-generation company has established a Risk Oversight Committee (ROC) to focus on
risk management and oversight of the company's operations. The ROC includes members of senior
management and is an active part of the monitoring structure. The ROC sets the proper tone at the top by:

- Establishing Risk Policies and the organization's Business Risk Profile,
- Monitoring compliance with the Risk Policies, and
- Ensuring that operations are managed within the boundaries set in the organization's Business Risk Profile.

Risk/issue: Failure to identify and assess meaningful risks to organizational objectives.

Response: Use of a formal risk committee to develop and communicate monitoring expectations.

Result: Helps ensure consistent understanding of risk and control responsibilities, including monitoring.

Example 3: The internal audit department of a financial services organization has implemented a rewards
system that encourages departments to monitor the effectiveness of their internal control systems and self-report
possible control deficiencies. This encouragement comes in the form of an internal audit policy that gives
departments credit in the internal audit grading system for deficiencies that are self-reported. Deficiencies that
are identified through an internal audit examination, rather than through a department's monitoring efforts, are
counted against the score.

This credit for self-reporting does not preclude internal audit from reporting specific deficiencies to management
or the board when such reporting is warranted, but it does positively affect the grading system, which can affect
departmental compensation and benefits, thus increasing the likelihood that control deficiencies will be identified
and corrected before they can become material to the organization.

Risk/issue: Failure to identify, assess and consider for correction control deficiencies that could be addressed
through reasonable self-assessment procedures.

Response: Internal audit policy that encourages self-assessment and self-reporting of potential control problems.

Result: Provides incentive for line personnel and supervisors to monitor internal control routinely, leading to earlier
deficiency identification and correction.

Organizational Structure
Guidance Summary: Management has the primary responsibility for the effectiveness of an organization's
internal control system. Management establishes the system and implements monitoring to help ensure that it
continues to operate effectively. The board's role is one of oversight. For publicly listed companies the board's
responsibilities may be mandated by law, listing-exchange requirements or charter. For privately held and not-for-
profit organizations, the board's responsibilities typically are listed in the board's charter.

Relative to monitoring, the board exercises its oversight responsibility by understanding the risks to organizational
objectives, the controls that management has put in place to mitigate those risks, and how management monitors
to ensure that the internal control system continues to operate effectively.

Example 4: In relation to financial reporting risks, an international consumer products company developed a
policy setting forth the roles and responsibilities of journal-entry preparers, detail reviewers and secondary
reviewers. The organization then developed a matrix of key journal entries (i.e., those with direct financial
statement impact, primarily for the major functional corporate areas including tax, accounting, treasury and legal)
and compared that matrix to the policy.

Risk/issue: Lack of risk and control ownership over journal entry execution, leading to potential material
misstatements and inaccurate internal reports.

Response: Clearly articulated roles and responsibilities through the establishment of preparer/reviewer standards
for key journal entries.

Result: Helps ensure consistent understanding of risk/control responsibilities, including monitoring.

Through this analysis, the organization determined that, in several complex areas, it did not have appropriate
levels of journal-entry review. The organization developed a plan for each identified deficiency — mandating the
formal sign-off by the preparer, detail reviewer and secondary reviewer for each key journal entry.

Independent personnel periodically select a sample of journal entries and evaluate compliance with the policy.
The Audit Committee receives a report on the test results and reviews the key journal entry matrix annually.

Example 5: Senior management at a provider of Internet-based securities brokerage and financial services has
established a formal Corporate Risk Committee (CRC) tasked with facilitating the completion of an enterprise
risk management program. One of this committee's mandates is to determine and communicate how the
organization will monitor controls over the risks identified in its annual Corporate Risk Assessment process. The
result is a "road map," communicated to management and supervisory personnel, in which financial and
operational controls in the business are linked to the risks identified during the annual risk assessment.
Oversight responsibilities are thus communicated clearly throughout the organization.

Risk/issue: Pervasive lack of risk and control ownership leading to potential control failures. Can result from a
failure to understand risks, controls and related responsibilities.

Response: Use of a formal risk committee to develop and communicate expectations.

Result: Helps ensure consistent understanding of risk/control responsibilities, including monitoring.

Example 6: An energy company created a new Risk Control function to address risks related to its complex
energy-trading operations. The addition of this function to the organization's structure enables the company to
better monitor the internal control system's ability to address some of the organization's highest operational,
financial reporting and compliance-related risks. It also sends a message throughout the organization that
management is committed to monitoring the effectiveness of internal control.

Smaller organizations in similar situations (i.e., those in regulated industries with unique, highly complex, highly
material risks) may not need to establish a separate risk-control function within the organizational structure. They
might, instead, assign specific management or other objective personnel to (1) obtain and maintain appropriate
skills and training, and (2) perform ongoing monitoring and periodic separate evaluations in those high-risk
areas. If necessary, smaller organizations could also engage qualified external professionals to help monitor the
internal control system's ability to manage or mitigate these unique risks.

Risk/issue: Lack of risk and control ownership leading to potential control failures in a complex area known to have
meaningful risks.

Response: Creation of a Risk Control function to facilitate both the development of controls and the monitoring of
those controls.

Result: Establishes clear lines of oversight responsibility, thus helping to ensure that key controls are monitored
and changes to the risks or controls are properly managed.

Example 7: A small software company has an organizational chart for its corporate accounting department that
is updated as new employees are added. Responsibility for overseeing financial reporting processes and
monitoring controls in key areas (e.g., Financial Reporting, Payroll, Human Resources, Payables and Billings)
is assigned to appropriate personnel. The Audit Committee conducts an annual review of the organizational
chart and oversight responsibilities.

Risk/issue: Controls that address meaningful financial reporting risks may not be subjected to an appropriate level
of oversight.

Response: Clear assignment of oversight responsibilities.

Result: Establishes clear lines of oversight responsibility, thus helping to ensure that key controls are monitored
and changes to the risks or controls are properly managed.

Role of Management and the Board


Example 8: To determine that management has implemented effective monitoring procedures over certain
identified risks, the Audit Committee of a small, global manufacturing company has directed internal audit to
perform specific annual reviews. One area of specific concern is manual journal entries, with a particular focus
on potential management override activities. Internal audit's review includes basic information such as the
number, dollar amount, preparer, business unit, and timing relative to month- and quarter-end. This analysis also
includes more in-depth information such as:

• Reasonableness of significant entries (e.g., manual entries in traditionally automated accounts such as
inventory),
• Review of the appropriateness of the individual preparing the journal entry (e.g., senior executives or
unauthorized personnel),
• Review of the frequency of journal entries, particularly those that are relevant to management authorization
levels (e.g., to identify potential statistically anomalous entries using Benford's Law[1]),
• Identification of journal entries without descriptions, and
• Potentially fraudulent entries. The organization created a profile of potential fraudulent entries from management
override frauds known to have been perpetrated at other companies. Internal audit statistically compares the
manual journal entries against this profile.
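The checks in the list above can be expressed as a screening routine over exported manual entries. The Python below is an added example, not code from the page or from the company in Example 8: the sample entries, account names, authorized-preparer list, period ends and approval limit are constructed assumptions, and the "override profile" is reduced to a flag-count threshold rather than any company's actual profile. The first-digit test compares observed leading digits with Benford's expected proportions using a chi-square statistic; the critical value 15.507 is for 8 degrees of freedom at the 5 percent level. Benford's Law only describes amounts that arise naturally and span several orders of magnitude, so a small sample or a ledger dominated by fixed-price items will fail the test without anything being wrong, and a failure is a reason to pull the entries, not a finding by itself.

```python
"""Screening of manual journal entries in the style of Example 8 (added example)."""
import math
from collections import Counter
from datetime import date

BENFORD_EXPECTED = {d: math.log10(1 + 1 / d) for d in range(1, 10)}
BENFORD_CRITICAL = 15.507  # chi-square critical value, 8 degrees of freedom, alpha = 0.05

# Assumed control parameters (not from the page).
AUTHORIZED_PREPARERS = {"jdoe", "asmith", "kli"}
AUTOMATED_ACCOUNTS = {"1300-Inventory", "1200-Receivables"}  # normally posted by systems, not people
PERIOD_ENDS = [date(2021, 3, 31), date(2021, 6, 30)]
APPROVAL_LIMIT = 10000.0  # entries at or above this amount need a second approval (assumed)

# Constructed sample of manual journal entries (not real data).
ENTRIES = [
    {"id": 1, "amount": 1250.00, "preparer": "jdoe", "account": "6100-Expenses",
     "posted": date(2021, 3, 15), "description": "Accrue March utilities"},
    {"id": 2, "amount": 48000.00, "preparer": "cfo", "account": "1300-Inventory",
     "posted": date(2021, 3, 31), "description": ""},
    {"id": 3, "amount": 3100.00, "preparer": "asmith", "account": "4000-Revenue",
     "posted": date(2021, 3, 30), "description": "Reclass misposted revenue"},
    {"id": 4, "amount": 725.50, "preparer": "kli", "account": "6200-Travel",
     "posted": date(2021, 5, 10), "description": "Travel reimbursement"},
    {"id": 5, "amount": 9999.00, "preparer": "asmith", "account": "6100-Expenses",
     "posted": date(2021, 6, 29), "description": "Year-end accrual"},
]


def first_digit(amount: float) -> int:
    """Leading non-zero digit of the amount (0 for a zero amount)."""
    cents = abs(int(round(amount * 100)))
    return int(str(cents)[0])


def benford_chi_square(amounts) -> float:
    """Chi-square statistic of observed first digits against Benford's expected distribution."""
    digits = [first_digit(a) for a in amounts if first_digit(a) != 0]
    n = len(digits)
    if n == 0:
        return 0.0
    observed = Counter(digits)
    return sum((observed.get(d, 0) - n * p) ** 2 / (n * p) for d, p in BENFORD_EXPECTED.items())


def days_to_period_end(posted: date, period_ends) -> int:
    """Smallest non-negative gap from the posting date to the next period end."""
    gaps = [(pe - posted).days for pe in period_ends if pe >= posted]
    return min(gaps) if gaps else 10 ** 6


def screen_entries(entries, authorized=AUTHORIZED_PREPARERS, automated=AUTOMATED_ACCOUNTS,
                   period_ends=PERIOD_ENDS, window_days=3, approval_limit=APPROVAL_LIMIT):
    """Return {entry id: [flags]} for the attribute checks listed in the text."""
    findings = {}
    for e in entries:
        flags = []
        if not e["description"].strip():
            flags.append("missing_description")
        if e["preparer"] not in authorized:
            flags.append("unauthorized_preparer")
        if e["account"] in automated:
            flags.append("manual_entry_to_automated_account")
        if days_to_period_end(e["posted"], period_ends) <= window_days:
            flags.append("near_period_end")
        if 0.95 * approval_limit <= e["amount"] < approval_limit:
            flags.append("just_below_approval_limit")
        findings[e["id"]] = flags
    return findings


def override_profile_matches(findings, min_flags=3):
    """Entry ids whose flag count reaches the (assumed) threshold for the override profile."""
    return sorted(i for i, f in findings.items() if len(f) >= min_flags)


if __name__ == "__main__":
    result = screen_entries(ENTRIES)
    for entry_id, flags in result.items():
        print(entry_id, flags)
    print("override profile matches:", override_profile_matches(result))
    print("Benford chi-square:", round(benford_chi_square([e["amount"] for e in ENTRIES]), 2))
```

Run against a real export, the attribute flags are the useful part at small volumes; the Benford statistic only becomes meaningful with hundreds of entries, and the period-end window and approval limit should be set from the company's own close calendar and authorization matrix.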

Risk/issue: Failure or override of internal control over manual journal entries in this company may lead to
material errors in internal and external financial reports.

Response: Audit committee's use of internal audit to address certain risks.

Result: Gives the Audit Committee and management an objective analysis of the effectiveness of internal control
and related monitoring at lower organizational levels.

Example 9: A provider of Internet-based securities brokerage and financial services has instituted a formal
Internal Control Assessment Program (ICAP). This program requires business-unit owners, on a quarterly basis,
to perform a control self-assessment and certify the effectiveness of certain controls for which they are
responsible. Management clearly communicates its expectations regarding the accuracy of the ICAP
certifications and holds managers accountable if they improperly certify their internal controls.

Management recognizes that self-assessment, while not completely objective, is an effective first line of defense
against internal control failure. As a result, management is able to focus more-objective monitoring where the
level of risk warrants. Furthermore, internal audit helps compensate for the lack of objectivity in the control self-
assessments by performing periodic independent monitoring procedures and comparing their results to the self-
assessments.

Internal audit modifies its annual audit program, which includes both ongoing monitoring and separate
evaluations, based on the results of:

• The organization's Annual Enterprise-wide Risk Assessment,
• The results of the business unit owners' ICAP, and
• Internal audit's own risk assessment process.

Risk/issue: Failure to identify, assess and consider for correction control deficiencies that could be addressed
through reasonable self-assessment procedures.

Response: Use of self-assessments to instill monitoring responsibilities throughout the management structure.

Result: Instills, at appropriate organizational levels, ownership and oversight of meaningful risks and controls.

Example 10: An international manufacturer has an internal audit function that is both functionally and
administratively independent from the CFO, CEO and business unit leaders. The internal audit department
aligns its annual objectives with the enterprise-wide strategic objectives. As a result, the focus of the annual
audit plan is consistent with the corporate strategic objectives at the corporate and business unit levels.
Furthermore, audit budgets include time allocated for additional reviews and projects that can be initiated at the
request of any executive within the organization and executed upon approval of the corporate Audit Committee.

Risk/issue: The internal audit department's activities might not be properly aligned with organizational objectives
and related risks.

Response: Internal audit develops its plan in concert with the organization's strategic planning process.

Result: Aligns internal audit's activities with organizational objectives, thus preventing unnecessary audit
procedures and focusing resources where they are most needed.

Example 11: The board at a medium-sized manufacturing company has standing responsibilities that ensure
that it has visibility to key risk areas. For example, it recently determined that contract compliance was a
high-risk area that warranted board oversight. Accordingly, it implemented a requirement that the board
review and approve any sales contracts over $50M or greater than five years' duration and any corporate
contracts that vary from standard terms.

Risk/issue: The company may not be in compliance with an increasingly complex array of contracts.

Response: Board of directors' oversight adjusted based on risk.

Result: The board increased its own oversight procedures to ensure that it had visibility to the risks and controls
in the contract compliance area.

Example 12: A large governmental agency has multiple stakeholders. With respect to fraud, waste and abuse, this
organization's inspector general is authorized to report on matters identified from its 1-800 hotline for anonymous
callers, e-mail box, FraudNET,[2] etc. Further, a forensic audit team in the general counsel's office is called in when
investigations are warranted.

Risk/issue: In a large, complex and diverse governmental organization, fraud, waste and abuse may occur at
multiple levels and be difficult to detect.

Response: Open lines of internal and external communication.

Result: Sends a tone-at-the-top message regarding intolerance for fraud, waste and abuse, and increases the
likelihood that related activities would be discovered timely.

Characteristics of Evaluators
Guidance Summary: Monitoring is conducted by evaluators who are appropriately competent and objective in
the given circumstances. Competence refers to the evaluator's knowledge of the internal control system and
related processes, including how controls should operate and what constitutes a control deficiency. The
evaluator's objectivity refers to the extent to which he or she can be expected to perform an evaluation with no
concern about possible personal consequences and no vested interest in manipulating the results for personal
benefit or self-preservation.

Example 13: Executive management at a medium-sized manufacturing company has modified its monitoring to
include more ongoing monitoring of internal control over financial reporting at the corporate level and to reduce the
frequency and scope of separate evaluations at plant locations. This shift resulted from corrective action taken
after the organization identified the following internal control problems that had a direct impact on its ability to
monitor its internal control system effectively. The organization determined that it:

• Lacked appropriate internal ownership of risks and controls related to financial reporting, and
• Had an insufficient number of competent personnel throughout the organization who could effectively monitor
controls that address financial reporting-related risks.

Risk/issue: Inadequate monitoring of plant-level internal control may lead to control failures that are not detected
and corrected on a timely basis.

Response: Modifications to monitoring to improve plant-level internal control oversight.

Result: More timely identification and correction of control failures and related errors lead to improved internal and
external financial reports and greater efficiency.

Senior management, through ongoing monitoring at lower levels, did not receive enough direct information
regarding the operation of key controls. As a result, the organization conducted year-end separate evaluations of
internal control that were not as efficient as they could have been if more-effective ongoing monitoring had been
present.

Driven by the Audit Committee's desire to see immediate improvement in the completeness, accuracy and
integrity of financial information and internal control, the organization made a number of changes, including
extensive personnel changes and new external advisors. However, the company did not realize an immediate
improvement in the results, as numerous accounting errors and significant internal control deficiencies continued
to surface. The organization had taken steps to correct the personnel issues, but some procedural issues
remained to be addressed.

For some of the exceptions, up to five different reviewers had signed off on reconciliations that contained errors.
Further analysis of the continuing errors revealed that, because of turnover in personnel and a lack of previously
developed supporting documentation, the historical knowledge of certain accounting matters and reconciling
items was lost. In addition, the new personnel's ability to operate effectively was affected by a lack of procedural
documentation and training.

The organization corrected these monitoring problems by eliminating unnecessary monitoring redundancies,
formally assigning monitoring responsibilities over accounts and controls, documenting the monitoring
processes, and properly training personnel. With these adjustments in place, the momentum shifted
considerably. The company began to identify and address exceptions and accounting issues in a more timely,
accurate and efficient manner. Also, the increased competence and objectivity of the new personnel allowed the
organization to improve the monitoring information supplied to senior management throughout the year. Senior
management, therefore, has been able to conduct more ongoing monitoring at the corporate level and reduce
the frequency and scope of separate evaluations in the plant locations.

Baseline Understanding of Internal Control Effectiveness
Guidance Summary: A baseline knowledge about whether the internal control system is effective in a given area
serves as a starting point for monitoring. Figure 2 demonstrates how such a baseline allows organizations to
design monitoring procedures (ongoing and separate evaluations) to address changes in "real time" by identifying
those that (1) should be made in the operation of controls, or (2) have already occurred, enabling evaluators to
confirm that they were managed properly.

Example 14: A beverage manufacturer and distributor alters the type, timing and extent of its internal control
monitoring based on the results of its risk assessment process (see Example 16). In areas of meaningful risk,
the company first "benchmarks" the key internal controls, meaning it conducts a thorough review of the design
and operating effectiveness of the controls in order to establish a baseline of effective control. With the risks
prioritized and the benchmark established, management (with the assistance of internal audit) identifies controls
that can be monitored for a reasonable period of time through more-efficient monitoring techniques, such as
using indirect information or self-assessments coupled with supervisory review. On an interval that is
commensurate with the level of risk, internal audit performs periodic separate evaluations of key controls, thus
reconfirming the benchmark and the effectiveness of the ongoing monitoring procedures.

Figure 2: Monitoring for Change Continuum (figure not reproduced)

Risk/issue: Potential to enhance the efficiency of monitoring.

Response: Effective use of a control baseline.

Result: Enables the organization to design monitoring procedures that are commensurate with the risk that the
control might depart improperly from that baseline.

Example 15: A small semiconductor research and development organization recognizes that many of its
financial statement risks reside with the selection and application of accounting estimates. As a result, it
conducted an initial risk assessment that identified the following related risks:

• Calculation of allowances for uncollectible accounts, inventory obsolescence, and deferred tax assets;
• Methodology for updating standard costs;
• Review of cost provisions regarding its government contract and the methodologies used to identify unallowable
costs and allocations;
• Procedures to test for possible impairment of assets;
• Update of the annual evaluation of goodwill for possible additional impairment analysis; and
• Search for possible loss contingencies related to litigation, environmental remediation or possible product
warranty liabilities.

Risk/issue: Unidentified or improperly managed changes in risks can render the existing internal control system
ineffective.

Response: Establishing a baseline that begins with a list of prioritized risks.

Result: The organization can quickly reassess the currently-identified risks when necessary and identify new risks
that warrant assessment.

As explained within the Guidance, once an organization has completed its initial risk assessment, it can
periodically evaluate any new or changing risks and update the risk assessment accordingly. For example, this
company closed a major plant during one fiscal year. As a result of this identified change, management
considered the related risks and determined to evaluate controls associated with accounting for discontinued
operations, including the process for capturing all costs associated with the closed facility. Identifying the change
in the environment led to an assessment of the related risk and to at least a temporary modification of the
internal control monitoring procedures.

Figure 3: Monitoring Design and Implementation Progression (figure not reproduced)

Footnotes

[1] Benford's Law, also known as the "first-digit law," is named for the late physicist Dr. Frank Benford.
Building on an observation first published by the astronomer Simon Newcomb in 1881, Benford showed
empirically that in many naturally occurring lists of numbers, leading digits are distributed in a specific,
nonuniform way. According to Benford's Law, the first digit is 1 approximately 30 percent of the time, and
larger digits occur as the leading digit with decreasing frequency. Benford's Law is frequently used to
search for instances of error or fraud.

[2] FraudNET is a communication vehicle through which the public can report allegations of fraud, waste,
abuse or mismanagement of U.S. federal funds.

III. Design and Execute Monitoring Procedures

Guidance Summary: Monitoring should enable evaluators to assess persuasive information about the
operation of one or more controls that address meaningful risks to the organization's objectives. Accordingly,
evaluators might consider designing monitoring by following the logical progression depicted in Figure 3. Note,
however, that this progression is not meant to imply a rigid, compartmentalized monitoring process where each
step starts and stops before the next. Monitoring is a dynamic process and each of these "steps" operates, to
some extent, at all times.

Prioritize Risks

Guidance Summary: The effectiveness and efficiency of monitoring can be enhanced by linking it to the results
of the risk assessment component. This linkage enables evaluators to focus their monitoring attention on controls
that address meaningful risks to the organizational objectives for which they are responsible.

Example 16: Senior management of a beverage manufacturer and distributor focuses the organization's
monitoring efforts by location and by risk priority. Risk considerations include areas:

• That are material or complex,
• Where systems or processes have changed significantly,
• Where errors or irregularities have been identified,
• With high turnover, and
• Where the self-assessment has indicated issues in the past.

Risk/issue: Monitoring may not be focused on controls that address meaningful risk.

Response: Adjustment of type, timing and extent of monitoring based on the results of risk assessment.

Result: Reduces or eliminates monitoring of controls that do not address meaningful risk, enabling the
organization to focus monitoring where it is most needed.

Monitoring begins with the control owners, who perform a self-assessment of their key controls on a monthly,
quarterly or annual basis (depending on the control's frequency) and document the results in a reporting tool that
resides on the network. Management-level process owners above the control owner conduct supervisory
reviews through a process they call Field Internal Control Assessments (FICA). These supervisory reviews are
conducted on a frequency that is commensurate with the level of risk and are executed from an audit program
designed to evaluate key financial and operational controls.

Example 17: A provider of Internet-based securities brokerage and financial services has a formal Corporate
Risk Committee (CRC) tasked with facilitating the enterprise risk management process.

Risk/issue: Monitoring may not be focused on controls that address meaningful risk.

Response: Use of a formalized risk assessment methodology.

Result: Increases the likelihood that this complex organization will properly assess risk and assign monitoring
responsibilities to proper personnel.

One of the key tasks of the CRC is the facilitation and completion of an Annual Enterprise Risk Assessment
using the COSO ERM Framework. CRC members identify, assess and evaluate risks across all strategic,
operational, reporting and compliance activities. Business unit leaders, who have input into the risk assessment
process, are then tasked with managing or mitigating those risks within their area of responsibility. The process
includes ensuring that internal control over the identified risks is designed and operating effectively
(i.e., monitoring).

The business unit leaders have established monitoring procedures that are linked to the prioritized risks. The
results of those procedures are reported to senior management on a regular basis. If risks change, the business
unit leaders are responsible for making any necessary modifications to internal control and related monitoring
procedures.

Example 18: In completing its annual Business Risk Assessment, management of a retail chain store company
utilizes rational groupings of risk (e.g., "real estate," "general accounting" or "loss prevention"). These rational
groupings comprise a number of discretely defined risk factors. Once risks are defined, management identifies
the specific controls that mitigate the discrete risk factors. This process helps management determine what
controls to monitor and how they will be monitored. After completion of the first Business Risk Assessment, the
company anticipates that future updates will be more limited in scope, focusing on environmental and
organizational changes over the past year and revisiting the risk assessment in areas where problems have
surfaced. (See Appendix D for excerpts from this company's risk matrix.)

Risk/issue: Monitoring may not be focused on controls that address meaningful risk.

Response: Linkage of a formalized risk assessment methodology to related controls.

Result: Enables this organization to ensure that controls selected for monitoring (1) address meaningful risks, and
(2) provide adequate support to a conclusion regarding control effectiveness.

Identify Key Controls

Guidance Summary: In order to implement effective and efficient monitoring those responsible for its design first
understand how the internal control system manages or mitigates identified risks and then select the controls
(across any or all of the five components) they will subject to evaluation. COSO's Monitoring Guidance refers to
these as key controls.

Selecting key controls that address meaningful risks enhances the effectiveness and efficiency of monitoring by
focusing on that which provides an adequate but not excessive level of support for a conclusion about the internal
control system's effectiveness.

Key controls often have one or both of the following characteristics:

• Their failure could materially affect the objectives for which the evaluator is responsible, but might not be detected
in a timely manner by other controls, and/or
• Their operation might prevent other control failures or detect such failures before they have an opportunity to
become material to the organization's objectives.

Identifying key controls is not meant to suggest that they are necessarily more important to the internal control
system than other controls. It is merely intended to help organizations devote monitoring resources where they
can provide the most value.

Example 19: The internal audit department at a financial services company builds its audit programs for
corporate, departmental and individual location audits based on:

• An understanding of how the internal control system is designed to address meaningful risks, and
• The selection of controls within that system that provide the most value in monitoring.

The department's assessment is based on its experience in the industry, knowledge of the underlying control
risk, and the existence of any changes or past problems in the area.

Risk/issue: Monitoring may not be focused on controls that address meaningful risk.

Response: Development of an audit program based on an analysis of key controls.

Result: Enables this organization to ensure that controls selected for monitoring (1) address meaningful risks, and
(2) provide adequate support to a conclusion regarding control effectiveness.

Example 20: Management of a small manufacturing company has prioritized its monitoring procedures based on
the significance and likelihood of risks and the relative importance of certain controls in mitigating those
prioritized risks. In selecting "key controls" to monitor, management first considers whether failure in a given
control might lead to a material error.

Risk/issue: Monitoring may not be focused on controls that address meaningful risk.

Response: Small manufacturing company's consideration of key controls.

Result: Enables this organization to ensure that controls selected for monitoring (1) address meaningful risks, and
(2) provide adequate support to a conclusion regarding control effectiveness.

Failure of some key controls, such as the reconciliation controls over certain significant accounts, could lead to
an error if they fail even once. Thus, management monitors those controls on an ongoing basis, using primarily
direct information.

Other key controls, such as controls over the changing of depreciable lives in the fixed asset system, would have
to fail over an extended period of time in order to be material. Management's ongoing monitoring of those
controls utilizes more indirect information, with periodic separate evaluations of the controls using direct
information. The interval between separate evaluations is dependent on (1) management's judgment of the level
of risk, and (2) its related determination of what constitutes a reasonable interval.

Still other key controls serve to detect earlier control weaknesses before they can lead to a material error.
Monitoring these key controls allows management to improve the efficiency of monitoring without impairing its
effectiveness. For example, the company employs a three-way match control that compares the quantities and
dollars included in purchase orders, receiving logs and invoices. This key control, if it operates effectively, would
detect failures in controls over data entry in the receiving or accounts payable departments before such failures
could lead to improper payments or inaccurate accounting. Accordingly, rather than frequently evaluating
controls over receiving or accounts payable data entry, management focuses its monitoring efforts on the three-
way match control.
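The three-way match just described, as an added example in Python (not code from the page or from the company in Example 20): the purchase-order, receiving-log and invoice records are constructed, and the field names, the price tolerance and the hold/approve outcomes are assumptions. It shows the point the text makes about where to monitor: a keying error in receiving (4 instead of 40) and a keying error in accounts payable (8.00 instead of 0.80) both surface at the match, as does an invoice with no purchase order behind it, so evidence that the match operates covers the upstream data-entry controls.

```python
"""Three-way match of purchase orders, receiving logs and invoices (added example)."""
from collections import defaultdict

# Constructed purchase-order lines, keyed by (PO number, line number).
PURCHASE_ORDERS = {
    ("PO-1001", 1): {"sku": "WIDGET-A", "qty": 100, "unit_price": 12.50},
    ("PO-1001", 2): {"sku": "WIDGET-B", "qty": 40, "unit_price": 30.00},
    ("PO-1002", 1): {"sku": "GASKET", "qty": 500, "unit_price": 0.80},
    ("PO-1003", 1): {"sku": "BOLT", "qty": 200, "unit_price": 0.25},
}

# Constructed receiving log: what the warehouse keyed in.
RECEIVING_LOG = [
    {"po": "PO-1001", "line": 1, "qty": 100},
    {"po": "PO-1001", "line": 2, "qty": 4},     # keying error: 4 received instead of 40
    {"po": "PO-1002", "line": 1, "qty": 500},
    {"po": "PO-1003", "line": 1, "qty": 200},
]

# Constructed invoices: what accounts payable keyed in.
INVOICES = [
    {"invoice": "INV-77", "po": "PO-1001", "line": 1, "qty": 100, "unit_price": 12.50},
    {"invoice": "INV-77", "po": "PO-1001", "line": 2, "qty": 40, "unit_price": 30.00},
    {"invoice": "INV-78", "po": "PO-1002", "line": 1, "qty": 500, "unit_price": 8.00},  # price keyed as 8.00
    {"invoice": "INV-79", "po": "PO-9999", "line": 1, "qty": 10, "unit_price": 5.00},   # no such PO
    {"invoice": "INV-80", "po": "PO-1003", "line": 1, "qty": 200, "unit_price": 0.25},
]


def three_way_match(pos, receipts, invoices, qty_tolerance=0, price_tolerance=0.01):
    """Compare each invoice line with its PO line and cumulative receipts; return one result per line."""
    received = defaultdict(int)
    for r in receipts:
        received[(r["po"], r["line"])] += r["qty"]

    results = []
    for inv in invoices:
        key = (inv["po"], inv["line"])
        exceptions = []
        po = pos.get(key)
        if po is None:
            exceptions.append("no matching purchase order")
        else:
            if abs(inv["unit_price"] - po["unit_price"]) > price_tolerance:
                exceptions.append(f"price {inv['unit_price']:.2f} vs PO {po['unit_price']:.2f}")
            if inv["qty"] > po["qty"] + qty_tolerance:
                exceptions.append(f"invoiced qty {inv['qty']} exceeds PO qty {po['qty']}")
            if inv["qty"] > received[key] + qty_tolerance:
                exceptions.append(f"invoiced qty {inv['qty']} exceeds received qty {received[key]}")
        results.append({
            "invoice": inv["invoice"], "po": inv["po"], "line": inv["line"],
            "amount": round(inv["qty"] * inv["unit_price"], 2),
            "status": "HOLD" if exceptions else "APPROVE",
            "exceptions": exceptions,
        })
    return results


def held_invoices(results):
    """Invoices with at least one held line; the whole invoice is held for review."""
    return {r["invoice"] for r in results if r["status"] == "HOLD"}


def approved_total(results):
    """Amount cleared for payment: approved lines on invoices that have no held line."""
    held = held_invoices(results)
    return round(sum(r["amount"] for r in results if r["invoice"] not in held), 2)


if __name__ == "__main__":
    for r in three_way_match(PURCHASE_ORDERS, RECEIVING_LOG, INVOICES):
        print(r["invoice"], r["line"], r["status"], "; ".join(r["exceptions"]))
    print("held:", sorted(held_invoices(three_way_match(PURCHASE_ORDERS, RECEIVING_LOG, INVOICES))))
```

For monitoring purposes the evidence that matters is the exception list and what happened to each held line: a match that runs but whose holds are routinely released without correction is a control that has stopped operating, whatever the system log says.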

Identify Persuasive Information

Guidance Summary: Once key controls are selected, evaluators identify the information that will support a
conclusion about whether those controls have been implemented and are operating as designed. Identifying this
information entails knowing how control failure might occur and what information will be persuasive in
determining whether the internal control system is or is not operating effectively.

To be effective, monitoring must evaluate a sufficient amount of suitable information. Suitable information is
relevant, reliable and timely in the given circumstances. Sufficient suitable information provides the evaluator
with the support needed to conclude on the internal control system's ability to manage or mitigate identified risks.
COSO's Monitoring Guidance refers to information that meets these conditions as "persuasive" (see Figure 4).

Figure 4: Elements of Suitable Information

Example 21: An international manufacturer implemented an integrated production and financial reporting system
across the organization. This system reduces the amount of data transfer and reconciliation needed to produce
operating and financial information, thus enhancing its reliability. As such, management is better able to monitor
product quality and operational and financial results. This enhanced reliability correspondingly increases the
ability of the resulting indirect information to identify potential control deficiencies.

Risk/issue: Disparate technology platforms can increase risk associated with data transfer and make internal
control monitoring more difficult.

Response: Integration of operations and finance into one technology platform.

Result: Increased reliability of information leading to improved use of indirect information in monitoring.

Example 22: An international manufacturer holds monthly meetings to evaluate operational and quality results
against standard metrics that are linked to the organization's strategic objectives. Business units report their
metrics and related analysis using standardized templates that include the related goal, the current status in
relation to the goal, and the historical performance against the goal.

Management may initiate a specific quality audit (i.e., a separate evaluation) of any process where statistical
indicators show a negative trend or where it identifies, through observation or customer complaint, a potential
quality issue. Business unit leaders also execute regularly scheduled audits of production quality controls,
recommend remediation, and track and report remediation of production quality issues. Finally, internal audit
develops its annual plan, which includes ongoing and separate evaluations, based in part on the results of this
indirect information analysis.

Risk/issue: Improperly controlled manufacturing operations can lead to declines in product quality.

Response: Use of indirect information in addressing operational risks.

Result: For operations with consistent and/or predictable outputs, the use of robust indirect information in
monitoring can quickly identify control failures before they can materially affect product quality.

Example 23: In relation to certain operational risks at plant locations, the Vice President of Operations at a
medium-sized manufacturing company has been able to make more effective use of indirect information to
identify plant controls that are not operating properly. Two specific examples include controls related to labor
costs and to capital expenditures.

Labor — This company experiences a moderate to high degree of turnover at its plant locations, resulting in
frequent additions to and terminations from plant payroll. The company has determined that the risk of material
operational (or financial reporting) problems in this area is relatively low, given the small dollar amounts involved
on a per-person basis and the relative simplicity of the plant payroll process. As a result, the company relies on
monitoring of labor variances to detect control failures as opposed to frequent direct testing of specific controls
over additions, terminations or adjustments to payroll.

During the annual budgeting process, the company determines its production plan, headcount requirements and
expected overall labor costs. The VP of operations monitors the labor variance and investigates any large or
unusual items. Any increase or decrease should correspond to the current month's production activity and
employee turnover.

Capital Expenditures — The company has controls in place to address the risk of improper capital expenditures.
These controls include required approvals for purchase orders and invoices and a three-way match of purchase
orders, invoices and receiving documents.

Capital expenditures are approved as part of the annual budgeting process and are allocated to the plant when
incurred. Direct expenses are budgeted in accordance with anticipated production, whereas indirect expenses
are budgeted based on historical trends and are allocated accordingly. The VP of operations conducts ongoing
monitoring through the review of these costs and investigation of any large or unusual variances. He also meets
weekly with the CEO to discuss performance and explain variances in detail.

The company has concluded that the level of operational (and financial reporting) risk is higher in capital
expenditures than in labor. Management reached this conclusion in part because of the frequency of
transactions and the greater potential, over time, for incorporating improper expenditures into the budget (an
activity that could go undetected by reviewing only indirect information). Therefore, the company supplements
the ongoing monitoring of indirect information with annual direct tests of the approval controls and the three-way
match. As a result, the company's capital expenditures monitoring is more efficient and still addresses risk
adequately.

Risk/issue: The varying nature of financial reporting risks associated with areas such as labor and capital
expenditures can affect the desired balance of indirect versus direct information.

Response: Balanced use of direct and indirect information in addressing operational risks.

Result: Considering the nature of the risk being addressed can help determine the type of information to use in
monitoring.

Example 24: Approximately 90 percent of a medium-sized manufacturing company's employees are located at
plant sites. The company implemented new payroll software and a workflow to review and approve payroll. All
bi-weekly payrolls are reviewed in detail at the plant sites and are submitted through the workflow. The corporate
payroll manager reviews plant payrolls for unusual fluctuations, such as an increase/decrease in employee
headcount or excessive overtime. Any identified fluctuations are reviewed and require sufficient response and
support prior to payroll processing. This monitoring control enabled the corporate payroll manager to identify a
plant accountant's continual excessive overtime, which occurred outside the normal monthly plant closing cycle.
Management's investigation revealed that the plant accountant had falsified overtime hours. This organization's
enhanced review of indirect information surfaced a control deficiency and fraud in an area typically considered to
be of low to moderate risk.

Risk/issue: The nature of risks associated with areas such as plant payroll may affect the desired balance of
indirect versus direct information.

Response: Improved use of indirect information to monitor payroll.

Result: Considering the nature of the risk being addressed can help determine the type of information to use in
monitoring.

Implement Monitoring Procedures

Guidance Summary: With risks prioritized, key controls selected and available persuasive information identified,
the organization implements monitoring procedures that evaluate the internal control system's effectiveness in
managing or mitigating the identified risks to organizational objectives. Monitoring involves the use of ongoing
monitoring procedures and/or separate evaluations to gather and analyze persuasive information supporting
conclusions about the effectiveness of internal control across all five COSO components. The COSO Framework
encourages organizations to "focus on ways to enhance [their] ongoing monitoring activities, and, thereby, to
emphasize 'building in' versus 'adding on' controls."

Ongoing Monitoring and Separate Evaluations

Guidance Summary: Ongoing monitoring occurs when the routine operations of an organization provide
feedback — through both direct and indirect information — to those responsible for the effectiveness of the
internal control system. Because they are performed routinely, often on a real-time basis, ongoing monitoring
procedures can offer the first opportunity to identify and correct control deficiencies.

Separate evaluations can employ the same techniques as ongoing monitoring, but they are designed to evaluate
controls periodically and are not ingrained in the routine operations of the organization. They do, however, play an
important role in monitoring in that they often:

• Provide an objective analysis of control effectiveness when performed by personnel who are not involved in the
operation of the control, and

• Provide periodic feedback regarding the effectiveness of ongoing monitoring procedures.

Example 25: At a retail chain store company, management's ongoing monitoring of store operations has always
been considered crucial to the success of the organization. However, an increase in the number of stores,
combined with some incidents of fraud, led management and the board to invest in the development of a
monitoring function at the corporate level — the Store Operations Group — to improve the ongoing monitoring of
controls over store operations.

The Store Operations Group includes former store managers, district managers, auditors and technology
personnel. The team has access to real-time store operations data to perform its monitoring of daily, weekly and
monthly financial and operational indicators. For more information on this retail chain store company's ongoing
monitoring procedures, see the example in Chapter V titled Large Retail Organization's Monitoring of Controls
Over Store Inventory.

Risk/issue: The identification of fraud or other control deficiencies may cause an organization to reconsider its
current monitoring procedures.

Response: Necessary modifications to improve ongoing monitoring.

Result: The improvements in monitoring enabled this organization to improve the efficiency of monitoring and to
identify and correct future control failures at an earlier stage.

Example 26: The Internal Control Assessment Program (ICAP) at an Internet-based securities brokerage and
financial services company serves as one form of ongoing monitoring of key internal controls (see Example 9).
As the first line of defense against control deficiencies, the presence of the ICAP allows management to
concentrate its ongoing monitoring efforts on (1) areas of higher risk (absence of self-assessments would dilute
monitoring efforts to include lower-risk areas), (2) areas where the ICAP has identified potential problems, or
(3) areas where separate evaluations have identified control deficiencies that were not reported through the self-
assessments. Thus, the organization is better able to focus its separate-evaluation efforts on a prioritized-risk
basis and modify ongoing monitoring procedures where necessary.

Risk/issue: The effectiveness of ongoing monitoring procedures can affect determinations regarding other
monitoring procedures.

Response: Employ ongoing self-assessment procedures with periodic reconfirmation by internal audit or others.

Result: Can help focus management's ongoing monitoring on areas of higher risk and on the failure, if any, in the
self-assessment process as identified by the periodic reconfirmation process.

Example 27: A medium-sized manufacturing company has 13 different plant locations, six of which were
deemed to be significant. Management planned to monitor internal control in the less significant plants, primarily
through ongoing monitoring procedures including a review of monthly reconciliations and analytical reviews.
However, management identified several risk factors, including frequent errors in monthly and quarterly
reconciliation activities and turnover among plant-level controllers and supervisory personnel. These risk factors
led management to conclude that periodic evaluation of more-direct information was necessary at its smaller
plants. Accordingly, management implemented random plant audits that evaluate key controls on a periodic
basis. The organization also conducted additional training of plant controllers to address the identified control
deficiencies. These actions helped to improve the ongoing effectiveness of controls at the plant level.

Risk/issue: Changes in risks can affect the type, timing and frequency of monitoring.

Response: Identified changes in business operations lead to reconsideration of, and potential changes in,
monitoring.

Result: The organization is able to adjust its monitoring procedures as appropriate.

IV. Assess and Report Results

Guidance Summary: Monitoring includes reporting results to appropriate personnel. This final stage enables the
results of monitoring to either confirm previously established expectations about the effectiveness of internal
control or highlight identified deficiencies for possible corrective action.

Prioritize and Communicate Results

Guidance Summary: Identifying and prioritizing potential control deficiencies allows organizations to determine
(1) the levels to which the potential deficiencies should be reported, and (2) the corrective action, if any, that
should be taken. Several factors may influence an organization's prioritization of identified deficiencies, including:

• The likelihood that the deficiency will materially affect the achievement of an organizational objective,
• The effectiveness of compensating controls, and
• The aggregating effect of multiple deficiencies.

Example 28: An international manufacturing company developed a custom database to track production quality
issues — those identified both externally from clients and internally from management's monitoring and Quality
Audit reviews. Issues are prioritized, logged, traced to a root cause, assigned to a manager within the production
area, and tracked until they are resolved.

Management receives monthly presentations from the Production Quality Audit Team leader regarding the
status of open quality issues. Significant issues that may impact the ability of the business to achieve its
operational, financial and quality objectives receive special attention from business unit leadership and are
reported to executive management during their monthly, quarterly and annual meetings.

Executive management of the organization requires business unit and functional leaders not only to evaluate
and report results to management, but also to certify the controls for which they are responsible (see Appendix
B).

Risk/issue: Identified control deficiencies should be considered for correction, and any determined corrections
should be implemented properly.

Response: Use of a tool to help prioritize, track and report potential deficiencies.

Result: Helps ensure that identified control deficiencies are properly addressed.

Example 29: Senior management of trading operations at a large power generation organization reviews all
trading policy violations and assigns a level of severity for each violation based on criteria defined in the Trading
Risk Policy. The organization uses an automated reporting system that is integrated with the trading platform to
ensure that identified issues are reported to the appropriate level for follow-up. Notification routing varies from an
individual's direct supervisor to, in the case of more severe issues of noncompliance, executive management,
Risk Oversight Committee (ROC) members and internal audit.

Risk/issue: Identified control deficiencies should be considered for correction and any determined corrections
should be implemented properly.

Response: Use of a tool to help prioritize, track and report potential deficiencies.

Result: Helps ensure that identified control deficiencies are properly addressed.

Example 30: A large government agency has a senior-level internal control working group that prioritizes
remediation efforts for identified control deficiencies. In doing so, the group considers factors such as the internal
control risks, past internal control assessments, and experience with other federal agencies.

Risk/issue: Competent and objective personnel should be included in the control deficiency evaluation process.

Response: Use of qualified personnel to evaluate control deficiencies.

Result: Helps ensure the consistency and adequacy of the control deficiency assessment.

Example 31: Management of an international manufacturer has created a Quarterly and Annual Disclosure
Committee (QADC) that is responsible for performing a review and analysis of controls monitoring. Important to
this review are the quarterly and annual representations from line management, which include those related to
the operation of internal controls (see Appendix B). Additionally, the Disclosure Committee utilizes a checklist
(see Appendix C) to ensure that monitoring occurs in areas of meaningful risk.

Risk/issue: Competent and objective personnel should be included in the control deficiency evaluation process.

Response: Use of people trained specifically to evaluate the severity of potential deficiencies.

Result: Helps ensure the consistency and adequacy of the control deficiency assessment.

Report Internally

Guidance Summary: Reporting protocols vary depending on the purpose for which the monitoring is conducted
and the severity of the deficiencies. In general, control deficiencies should be reported to the person directly
responsible for the control's operation and to management that has oversight responsibilities and is at least one
level higher. Reporting at least to these two levels gives the responsible person the information necessary to
correct control operation and also helps ensure that appropriately objective people are involved in the severity
assessment and follow-up. At some point, deficiencies may become severe enough to warrant discussion with the
board. Management and the board may wish to discuss in advance the nature and severity of deficiencies that
should be reported to that level.

Example 32: The internal audit department at a medium-sized manufacturer logs and tracks all identified control
deficiencies and assesses their impact to the organization. These control deficiencies are reported to the
management team responsible for the audited business unit. If a remediation plan is necessary, the
management team works with internal audit to develop it. An individual within the business unit is assigned
responsibility for remediation of specific control deficiencies. Internal audit assigns a remediation time frame to
each control deficiency based on its ranking. Deficiencies must be remediated within the specified time frame, or
a clear plan must be in place to address the deficiency.

Risk/issue: Control deficiencies should be reported to appropriate personnel.

Response: Established reporting protocols for identified deficiencies.

Result: Helps ensure that the right people are aware of control deficiencies and improves the likelihood that such
deficiencies will be properly addressed.

Example 33: The Store Operations Group at a retail chain store company works with management and/or local
store personnel (depending on whether an identified deficiency is pervasive in all stores or occurs only in a
single store) to develop a remediation plan for identified control deficiencies. The Store Operations Group then
tracks the remediation plan on a spreadsheet until the deficiencies are resolved. Executive management and the
Audit Committee receive quarterly status updates.

Risk/issue: Identified control deficiencies should be considered for correction, and any determined corrections
should be implemented properly.

Response: Use of a spreadsheet to track and report deficiencies.

Result: Helps ensure that identified control deficiencies are properly addressed.

Example 34: At an international insurance services organization, the internal audit department classifies control
deficiencies identified during the course of an audit as Minor Deficiencies, Reportable Deficiencies or Significant
Deficiencies. The communication structure for reporting deficiencies is based on the deficiencies' potential
impact to the organization. The company's internal reporting structure requires that:

• Minor Deficiencies — are reported at the end of each audit, in detail, to the manager responsible for the control.
• Reportable Deficiencies — are reported at the end of each audit, in detail, to the manager responsible for the
control and to the senior-management team and on a quarterly basis, in summary, to the Audit Committee.
• Significant Deficiencies — are reported at the end of each audit, in detail, to the manager and the senior-
management team and on a quarterly basis, in detail, to the Audit Committee.

Risk/issue: Prioritizing control deficiencies based on severity can make the correction of deficiencies more
effective and efficient.

Response: Established grading scale and reporting protocol for identified deficiencies.

Result: Enables the organization to more quickly, and with greater resources if necessary, address deficiencies
that may have the greatest effect on organizational objectives.

Report Externally

Guidance Summary: A properly designed and executed monitoring program helps support external assertions or
certifications because it provides persuasive information that internal control operated effectively at a point in time
or during a particular period.

External reports that assert as to the effectiveness of an internal control system may need to withstand scrutiny by
outsiders who (1) do not have management's implicit knowledge of controls, and (2) require enough persuasive
information to form their own opinions about the effectiveness of internal control. As a result, an organization may
wish to compare the scope of its monitoring program with the needs of external parties, such as auditors and
regulators, to ensure that all parties understand the available monitoring information, enabling them to maximize
its use. In addition, the organization might be able to enhance the efficiency of external parties' work by directing
them to portions of its monitoring procedures that they might use or by making modifications to its monitoring
program to better facilitate external parties' work. Such modifications might include:

• Using evaluators with a higher degree of objectivity in certain areas if doing so will enhance the ability of the
external party to use their work,
• Increasing the use of direct information in monitoring of certain areas if doing so will enable the external party to
more effectively and efficiently support its own conclusions, and
• Increasing the formality and detail of documentation in order to improve the external party's ability to understand
and evaluate internal control.

Example 35: Senior management and the internal audit department of a small financial institution hold an
annual audit planning meeting with the external auditor. They discuss management's approach to the evaluation
of internal control over financial reporting and consider modifications to that approach in areas where doing so
might increase the external auditor's ability to use the work of management and/or internal audit in the conduct
of their external audit procedures. For example, internal audit decided to increase slightly its sample size of
control tests in a few key areas in order to provide a large enough sample to meet the external auditor's needs.

Risk/issue: External auditor requirements may lead to avoidable duplication of efforts.

Response: Benefits of joint planning between the organization and the external auditor.

Result: Enables management to modify monitoring where beneficial and increases the likelihood that the
external auditor can use the results of monitoring.

Example 36: For several years, an international manufacturer has utilized external specialists to perform
separate evaluations of controls over various aspects of the organization. Use of these specialists is determined
by management based on (1) the results of the annual risk assessment process, (2) consideration of the
external auditor's needs and its ability to use the work of these specialists in conducting its audit, and (3) the
capabilities of the organization's internal audit staff. Results and issues identified by these specialists are
reported and tracked internally.

Risk/issue: An organization may not have the skills necessary to objectively monitor internal control in certain
complex areas.

Response: Consideration of the use of external specialists.

Result: Enables the organization to use qualified personnel to assist in monitoring without hiring or training another
person.

V. Other Considerations

Monitoring Controls Outsourced to Others

Guidance Summary: When organizations use external parties (also known as service providers) to provide
certain services, the associated risks to organizational objectives still must be managed properly. Users of
outsourced services (often referred to as "user organizations") should understand and prioritize the risks
associated with those services. User organizations should also understand how the service provider's internal
control system manages or mitigates meaningful risks and obtain at least periodic information about the operation
of those controls. This understanding may be attained through reviewing an independent audit or examination
report provided by the service provider. Where such an audit or examination report is not available and where the
level of risk warrants, user organizations may conduct their own periodic separate evaluations of key controls at
the service provider.

Example 37: A medium-sized manufacturing company (the Company) outsources its payroll processing to an
experienced and reputable service provider. The service provider provides a semi-annual independent audit
report covering the design and operation of the service provider's internal control system as it relates to payroll
processing. The audit report lists:

• Control objectives and internal controls that are applicable to the Company;
• The independent audit tests performed and the results of that testing;
• Certain controls, referred to as "user control considerations," that are the responsibility of the Company, such as
control over the completeness and accuracy of the data submitted by the Company.

The Human Resources Director and the Controller review this semi-annual report noting (1) that the control
objectives and control design meet their expectations, and (2) any negative test results that might be relevant to
the organization, which may trigger further review by senior management. The internal audit department also
incorporates the user control considerations into its normal audit cycle. Finally, the Audit Committee receives a
status update twice per year.

Risk/issue: Significant services provided by an outside party may not be well controlled, leading to a failure in the
user organization's related objectives.

Response: Obtain and evaluate outside party's independent internal control audit report.

Result: Provides the information needed for the user organization to evaluate control design and performance at
the service provider. Also highlights controls that may need to be evaluated at the user organization.

Using Technology for Effective Monitoring

Guidance Summary: Organizations often use IT to enhance monitoring through the use of control monitoring
tools and process management tools. Automated control monitoring tools perform routine tests and can enhance
the effectiveness, efficiency and timeliness of monitoring specific controls. Some control monitoring tools are used
to perform what is often referred to as "continuous controls monitoring." Process management tools are designed
to make monitoring more efficient and sustainable by facilitating some of the activities that affect monitoring,
including assessing risks, defining and evaluating controls, and communicating results. Most of these tools use
workflow techniques to provide structure and consistency to the performance of monitoring procedures.

Example 38: A beverage manufacturer and distributor utilizes a prepackaged reporting tool for internal controls.
The tool serves as a repository for:

• Control owners to document control self-assessments and for other evaluators to document the results of their
monitoring efforts;
• Documentation concerning process and control workflows; and
• Remediation plans, status and completion based on management's plan.

The tool also provides senior management and the board with a dashboard report showing the status of
monitoring procedures throughout the organization and their related results.

Risk/issue: Identified control deficiencies should be considered for correction and any determined corrections
should be implemented properly.

Response: Use of a monitoring-status tracking tool and dashboard report.

Result: Helps ensure that identified control deficiencies are properly addressed.

Example 39: A provider of Internet-based securities brokerage and financial services uses an automated tool to
document its quarterly Internal Control Assessment Program (ICAP) in which business unit owners are required
to execute quarterly self-assessments and certify the controls for which they are responsible (see Example 9).
This tool facilitates the planning and performance of separate evaluations that monitor the effectiveness of the
ICAP process. It also serves as a reporting tool for senior management and the board.

The implementation of this tool has provided several benefits to the organization. First, the configuration of the
automated tool ensures that business unit owners take ownership of controls because the system forces the
owner of the control to affirm routinely that the reporting process is "complete" within the tool. Second, the
automated tool includes a comprehensive control deficiency reporting feature that tracks the resolution and
disposition of identified internal control issues and sends reminders and reports to appropriate personnel based
on pre-defined criteria.

Risk/issue: In a large or complex organization, management may need a way to track the status of monitoring
efforts.

Response: Use of a monitoring-status tracking tool.

Result: Management can easily see the status and results of monitoring.

Example 40: A beverage manufacturer and distributor utilizes a segregation-of-duties (SOD) tool to provide
continuous monitoring over SOD and to customize SOD based on established rules. Used in both a preventive
and detective manner, the tool produces a report that lists all SOD conflicts meeting pre-defined criteria. That
report is reviewed by appropriately objective personnel. This SOD tool has allowed the organization to push
accountability for SOD and system security out to the business units rather than maintaining it within IT.

Risk/issue: In a large or complex organization, personnel and/or system access changes can lead to the
inappropriate combination of incompatible duties.

Response: Continuous monitoring of segregation-of-duties controls.

Result: Management can quickly identify and address segregation-of-duties issues.

Example 41: The same beverage manufacturer and distributor uses a database tool to track and evaluate all
reconciliations, including their completion and review. Each general ledger account is risk-ranked based on
materiality, complexity, issues identified in the prior year, change in environment and risk for fraud. Management
uses this risk assessment, and any anomalies flagged by the tracking tool, to direct its independent evaluation
and review of the reconciliations. In the past, the organization would test, through separate evaluations, both the
preparation and the approval controls for the reconciliations. The implementation of this tool allows the
organization to monitor the completion and review of reconciliations more efficiently.

Risk/issue: A large number of account reconciliations can make monitoring their completion and review, where
necessary, more difficult for senior management.

Response: Improved monitoring through the use of a reconciliation tracking tool.

Result: Automates much of the tracking process, freeing up management to focus on other risks and controls.

Example 42: A large power-generation organization has implemented automated tools to perform daily, weekly
and monthly compliance monitoring. These tools perform conditional tests that match transaction data against
pre-defined parameters outlined and identified in the corporate trading policy manual.

Based on established risk policy standards, the tools assign a level of severity to identified anomalies and
automatically notify the people responsible for addressing them. Identified exceptions to the trading policy are
tracked by the trading risk manager, and a monthly summary of violations is presented to the organization Risk
Oversight Committee (ROC). Significant violations are discussed specifically with both the ROC and the Audit
Committee.

Use of these tools does not preclude the use of manual monitoring techniques, but it does influence the type,
timing and extent of manual monitoring.

Risk/issue: Manually evaluating procedural compliance in a high-volume, routine environment can be time-consuming and mistake-prone.

Response: Continuous monitoring using conditional tests of transaction data.

Result: The organization can automatically test tolerances and compliance where possible, allowing evaluators to
focus manual monitoring procedures where more judgment is required.

Example 43: A large manufacturing company was using a labor-intensive separate-evaluation approach to
monitor controls in the company's procure-to-pay processes. In order to improve the efficiency and effectiveness
of the monitoring process, the company implemented a commercially available continuous monitoring tool.
Through the tool's use of advanced analytics (incorporating a library of 130 pre-defined integrity checks that are
consistent with those used by forensic accountants, auditors and fraud examiners to identify fraud, misuse and
errors in the procure-to-pay cycle), it monitors each transaction and flags potential control exceptions for review.
Implementing the tool enabled the company to uncover control violations, including improper and duplicate
transactions. The organization was also able to streamline and tailor its separate evaluations to serve more
efficiently as periodic confirmation of the effectiveness of the ongoing monitoring procedures.

Risk/issue: Manually evaluating procedural compliance in a high-volume, routine environment can be time-consuming and mistake-prone.

Response: Continuous monitoring using conditional tests of transaction data.

Result: The organization can automatically test tolerances and compliance where possible, allowing evaluators to
focus manual monitoring procedures where more judgment is required.

Example 44: Many financial institutions employ continuous control monitoring tools in areas such as (1) loan
granting/management, (2) loan provisioning/performance, (3) money laundering, (4) counterfeit checks,
(5) Suspicious Activity Reporting (SARs) and resolution, and (6) wire transfer anomalies.

One financial institution developed a simple regression analysis of nonperforming loans by branch, by loan
officer (see the figure below), as one form of monitoring indirect information related to controls over loan
origination. The red statistical precision intervals allow the organization to look for outliers across multiple
metrics (e.g., policy, industry standards, or statistical standard deviations). Further, the report can be
repopulated in either real-time or batch mode. This analysis helps the organization identify loan officers and/or
branches that may not be following loan origination policies.
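The regression-with-precision-intervals screen described in Example 44 can be reproduced with a few lines of standard-library Python. The block below is an added example, not the institution's own report: it fits nonperforming loans against loans originated per officer by ordinary least squares and flags any officer whose actual count falls outside the fitted value plus or minus k residual standard errors. The band width (k = 2) and the officer data are constructed assumptions; the volume does not state how the "red statistical precision intervals" are computed, and a production version would use proper prediction intervals and a robust fit so that a single outlier does not widen its own band.

```python
"""Outlier screening of nonperforming loans per loan officer with a simple
linear regression and a fixed-width band around the fitted line.
Added example, not from the COSO volume; the officer data is constructed."""
import math
from dataclasses import dataclass


@dataclass
class Fit:
    slope: float
    intercept: float
    resid_se: float  # residual standard error, sqrt(SSE / (n - 2))


def fit_line(xs, ys):
    """Ordinary least squares for y = intercept + slope * x."""
    n = len(xs)
    if n < 3:
        raise ValueError("need at least three observations")
    x_mean = sum(xs) / n
    y_mean = sum(ys) / n
    sxx = sum((x - x_mean) ** 2 for x in xs)
    sxy = sum((x - x_mean) * (y - y_mean) for x, y in zip(xs, ys))
    slope = sxy / sxx
    intercept = y_mean - slope * x_mean
    sse = sum((y - (intercept + slope * x)) ** 2 for x, y in zip(xs, ys))
    return Fit(slope, intercept, math.sqrt(sse / (n - 2)))


def screen_outliers(records, k=2.0):
    """records: list of (officer_id, loans_originated, nonperforming).
    Returns (fit, officer ids whose nonperforming count lies outside the
    band fitted value +/- k * residual standard error)."""
    xs = [r[1] for r in records]
    ys = [r[2] for r in records]
    fit = fit_line(xs, ys)
    flagged = []
    for officer, x, y in records:
        expected = fit.intercept + fit.slope * x
        if abs(y - expected) > k * fit.resid_se:
            flagged.append(officer)
    return fit, flagged


# Constructed sample: loans originated and nonperforming loans per officer.
# Officer H sits well above the roughly 4 percent rate the others show.
SAMPLE = [
    ("A", 100, 4), ("B", 200, 8), ("C", 300, 12), ("D", 400, 16),
    ("E", 500, 20), ("F", 150, 6), ("G", 250, 10), ("H", 350, 30),
]

if __name__ == "__main__":
    fit, flagged = screen_outliers(SAMPLE)
    print(f"slope={fit.slope:.4f} intercept={fit.intercept:.2f} se={fit.resid_se:.2f}")
    print("officers outside the band:", flagged)
```

Run against the constructed sample, only officer H is flagged; the same loop can be grouped by branch instead of officer, and re-run in batch or as new originations arrive, which is the real-time or batch repopulation the text mentions.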

Risk/issue: Manually evaluating procedural compliance in a high-volume, routine environment can be time-consuming and mistake-prone.

Response: Continuous monitoring using regression analysis.

Result: Management can more effectively time and scope separate evaluations commensurate with the level of
risk.

Example 45: Management of a large manufacturing company determined that access to systems with sensitive
information and segregation of incompatible duties between various systems is critical to achieving several
organizational objectives. To address this risk the company has implemented an automated process whereby
supervisors submit system access change requests to the IT department through an automated tool. The tool
contains "sensitive access" tables that flag certain requests, such as for systems containing sensitive information
or for rights that may not be compatible with an employee's duties or other access rights. Nonsensitive requests
are processed based on the supervisor's approval. Sensitive requests are routed to the assistant controller for
approval.

The system produces a weekly report for the controller that reflects sensitive system access changes. The report
includes the approving supervisors' names and highlights any potentially incompatible duties. The controller
reviews this report to confirm that the supervisors approving each change are authorized to do so. Semi-annual
reports of all personnel who are authorized to perform sensitive transactions are sent to the relevant supervisors
for review and approval. The approved reports are then forwarded to the controller for review.
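The routing logic in Example 45, and the segregation-of-duties conflict listing in Example 40, share one mechanism: a request is compared against a table of sensitive systems and a matrix of incompatible rights held by the same person. The block below is an added illustration in Python, not the companies' own tools; the system names, rights and conflict pairs are constructed. Nonsensitive requests are marked as needing only supervisor approval, sensitive ones are routed to the assistant controller, and the weekly report for the controller lists each sensitive change with the approving supervisor and any incompatible combination it would create.

```python
"""Routing of system access change requests through a 'sensitive access'
table and an incompatible-duties matrix, plus the weekly report of sensitive
changes for the controller. Added example; all names below are constructed."""
from dataclasses import dataclass

# Constructed "sensitive access" table: systems whose requests always go to
# the assistant controller regardless of the supervisor's approval.
SENSITIVE_SYSTEMS = {"payroll", "general_ledger", "vendor_master"}

# Constructed incompatible-duties matrix as unordered pairs of rights.
INCOMPATIBLE = {
    frozenset({"vendor_create", "payment_approve"}),
    frozenset({"payment_approve", "payment_release"}),
    frozenset({"gl_journal_post", "gl_journal_approve"}),
}


@dataclass
class AccessRequest:
    employee: str
    right: str
    system: str
    supervisor: str


@dataclass
class Decision:
    request: AccessRequest
    sensitive: bool
    conflicts: list   # existing rights that would conflict with the new one
    approver: str     # "supervisor" or "assistant controller"


def conflicting_rights(existing, new_right):
    """Existing rights of the employee that pair with new_right in the matrix."""
    return sorted(r for r in existing if frozenset({r, new_right}) in INCOMPATIBLE)


def route_request(req, current_rights):
    """Classify one request: sensitive system or incompatible duties means
    the assistant controller must approve; otherwise supervisor approval suffices."""
    conflicts = conflicting_rights(current_rights.get(req.employee, set()), req.right)
    sensitive = req.system in SENSITIVE_SYSTEMS or bool(conflicts)
    return Decision(req, sensitive, conflicts,
                    "assistant controller" if sensitive else "supervisor")


def process_requests(requests, current_rights):
    return [route_request(r, current_rights) for r in requests]


def weekly_sensitive_report(decisions):
    """Rows for the controller's weekly review: sensitive changes only, with
    the approving supervisor and any incompatible combination highlighted."""
    return [
        {
            "employee": d.request.employee,
            "right": d.request.right,
            "system": d.request.system,
            "supervisor": d.request.supervisor,
            "incompatible_with": d.conflicts,
        }
        for d in decisions if d.sensitive
    ]


# Constructed current entitlements and a week's worth of requests.
CURRENT_RIGHTS = {
    "u101": {"vendor_create"},
    "u102": {"report_view"},
    "u103": {"gl_journal_approve"},
}
REQUESTS = [
    AccessRequest("u101", "payment_approve", "accounts_payable", "sup_a"),
    AccessRequest("u102", "report_view", "bi_portal", "sup_b"),
    AccessRequest("u103", "gl_journal_post", "general_ledger", "sup_c"),
]

if __name__ == "__main__":
    for row in weekly_sensitive_report(process_requests(REQUESTS, CURRENT_RIGHTS)):
        print(row)
```

The internal audit test in the text (attempting a sensitive change without the assistant controller's approval) corresponds here to confirming that no code path grants a right whose decision has approver "assistant controller" on a supervisor's approval alone; the decision object is what the controller's report and that test both read.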

To ensure the integrity of this system access change process, the internal audit department periodically:

• Reviews the sensitive access table definitions for propriety,
• Tests the assistant controller's approval controls by attempting to process a sensitive access rights change
without his approval, and
• Verifies the controller's review of semi-annual supervisor confirmations.

Risk/issue: Personnel with incompatible duties and/or system access can make inappropriate changes or execute
unauthorized transactions.

Response: Use of an IT tool to track system authorization changes and identify possible segregation-of-duties
problems.

Result: Automates a time-consuming part of monitoring system access changes and segregation of duties. It also
reduces the likelihood that incompatible duties might be overlooked.

Example 46: An electric utility calculates the billing and related revenue amounts for customers' kilowatt-hour
usage based on a number of parameters maintained in the utility's databases. Those parameters, among others,
are (1) hours used, (2) energy used, (3) time used, (4) customer type (residential or business), and (5)
contractual commitments. The extensive nature of these parameters and the potential consequences of
inappropriate changes to them make this a high-risk area for the utility. Accordingly, management has evaluated
as critical the risk of inappropriate changes to the databases.

The controls selected by management as "key" include change management and system access. The change-
management controls were tested extensively at initial implementation. They are re-tested periodically and when
a change is made. The databases include various security options that provide valuable monitoring information.
For example, they generate check sums that change if data is altered. A change in the check sum triggers an
audit record, e-mail or similar alert that changes were made to the database information. This automated data
allows the organization to identify and evaluate database changes quickly when they occur, thus supporting a
longer interval between scheduled separate evaluations.
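The checksum mechanism in Example 46 is a database feature, but the idea is easy to show in a few lines. The block below is an added example, not the utility's configuration: each parameter row is serialised in a canonical form and keyed with HMAC-SHA-256, a baseline of digests is stored, and a later pass compares the current rows with the baseline to emit audit records for modified, inserted and deleted rows. The key, field names and rows are constructed; keeping the key and the baseline outside the database is the point of using a keyed digest, since a user who can write the parameter tables must not also be able to recompute the checksums.

```python
"""Row-level keyed checksums over rate-parameter records so that an altered
row produces an audit record. Added example; the parameter rows and the key
are constructed placeholders."""
import hashlib
import hmac
import json

# Placeholder key. In practice it lives in the monitoring tool's secret
# store, not in the database whose rows it protects.
CHECKSUM_KEY = b"placeholder-key-rotate-me"


def row_digest(row, key=CHECKSUM_KEY):
    """Canonical JSON (sorted keys, no whitespace) -> HMAC-SHA-256 hex digest.
    Canonical form makes the digest independent of column order."""
    canon = json.dumps(row, sort_keys=True, separators=(",", ":"))
    return hmac.new(key, canon.encode("utf-8"), hashlib.sha256).hexdigest()


def baseline(rows, key_field="customer_id"):
    """Digest per primary key, taken when the parameters were last approved."""
    return {r[key_field]: row_digest(r) for r in rows}


def detect_changes(base, rows, key_field="customer_id"):
    """Compare current rows with the baseline; one audit event per difference."""
    events = []
    current = {r[key_field]: r for r in rows}
    for k, r in current.items():
        d = row_digest(r)
        if k not in base:
            events.append({"key": k, "event": "inserted"})
        elif not hmac.compare_digest(base[k], d):
            events.append({"key": k, "event": "modified"})
    for k in base:
        if k not in current:
            events.append({"key": k, "event": "deleted"})
    return sorted(events, key=lambda e: e["key"])


# Constructed baseline: billing parameters per customer.
BASELINE_ROWS = [
    {"customer_id": "C1001", "customer_type": "residential", "rate_per_kwh": 0.12, "contract_kwh": 0},
    {"customer_id": "C1002", "customer_type": "business", "rate_per_kwh": 0.09, "contract_kwh": 50000},
    {"customer_id": "C1003", "customer_type": "business", "rate_per_kwh": 0.10, "contract_kwh": 20000},
]

# Constructed current state: C1001 unchanged (columns reordered only),
# C1002's rate lowered, C1003 removed, C1004 added.
CURRENT_ROWS = [
    {"rate_per_kwh": 0.12, "contract_kwh": 0, "customer_id": "C1001", "customer_type": "residential"},
    {"customer_id": "C1002", "customer_type": "business", "rate_per_kwh": 0.05, "contract_kwh": 50000},
    {"customer_id": "C1004", "customer_type": "residential", "rate_per_kwh": 0.12, "contract_kwh": 0},
]

if __name__ == "__main__":
    base = baseline(BASELINE_ROWS)
    for event in detect_changes(base, CURRENT_ROWS):
        print(event)   # these are the alerts that go to the audit record or e-mail
```

Each event is the trigger the text describes: it identifies which row changed and in what way, so the owner can match it against approved change tickets and the scheduled separate evaluation can concentrate on unexplained differences.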
Risk/issue: Unauthorized changes to critical databases.

Response: Selection of "key" IT-related controls.

Result: Enables management to address this IT-related risk efficiently.

VI. Comprehensive Examples

The brief examples presented in Chapters II-IV of this volume are intended to demonstrate how different
organizations might apply the concepts set forth in Volumes I and II of COSO's Monitoring Guidance. Their
brevity provides an easy reference point for specific concepts, but it does not provide a comprehensive look at
monitoring a given risk from beginning to end.

This chapter provides three comprehensive monitoring examples that flow from the point at which a given risk is
assessed, through the monitoring process and, ultimately, to the execution of monitoring procedures and the
reporting of results to management and the Audit Committee. The first two examples — one of a large retail
organization and the other of a mid-sized manufacturing company — are live examples of monitoring in two
organizations. The third example is compiled from project team members' experiences in helping companies
monitor information technology risks effectively and efficiently.

Large Retail Organization's Monitoring of Controls Over Store Inventory

Background Information

1. A large retail organization has in excess of 3,000 store locations and a tiered management structure
for store operations, including:

• Executive management,
• Twelve senior vice presidents (SVPs), each of whom oversees approximately six regional directors,
• Approximately 75 regional directors, each of whom is responsible for six to eight districts,
• Approximately 500 district managers, each of whom is responsible for six to eight stores, and
• Individual store managers for each location.

2. Internal control monitoring takes various forms at every level of management. This example will
concentrate on risks associated with managing store inventory, which management has determined are
meaningful to the organization from both an operations and a financial reporting standpoint.

3. The primary responsibility for internal control of store operations rests with store managers. Through
procedures performed during store visits that occur at least monthly, district managers perform the most
direct monitoring of the continued effectiveness of controls in individual stores. Regional directors and
other members of management also visit stores periodically; however, their primary monitoring
procedures involve the review of detailed store statistics (i.e., indirect information that might identify a
store with internal control issues that affect operations and financial reporting) and their interactions with,
and observations of, district managers.

4. Given that the organization is large and its 3,000+ stores are statistically comparable, it is a practical
candidate for maximizing monitoring using indirect information. Thus, the senior vice presidents and
members of executive management monitor many controls, including store-level inventory controls,
through extensive ongoing monitoring of store operating statistics.

5. Over time, the increased number of stores placed stress on the previous approach to monitoring store
operations — an approach that consisted primarily of infrequent visits by the internal audit function. In
response, management performed a comprehensive review of the organization's internal control over
store operations (establishing a baseline of effective internal control) and made three significant changes
to the underlying monitoring structure. First, it shifted much of the monitoring responsibility to store
managers and district managers. Second, it enhanced the detail contained in operational reports
reviewed by managers at all levels. Third, it invested in the development of a monitoring function at the
corporate level — the Store Operations Group (SOG) — to enhance both the underlying control activities
and the ongoing monitoring of controls at the store level.

6. The SOG comprises former store managers, district managers, auditors and technology personnel.
The employee mix provides the group with both competence and objectivity in performing its monitoring
duties. Furthermore, to enhance its objectivity, the SOG is part of the organization's internal audit
function rather than part of operations or corporate finance. As discussed later, however, the SOG does
report potential internal control issues to appropriate personnel outside of internal audit.

7. The SOG accesses real-time store operations and financial data to perform its standard daily, weekly,
monthly, quarterly and annual reviews of that data. Using its extensive knowledge of store operations,
risks and related controls, the SOG designed custom database reports to cover key areas of operations
and internal control, including:

• Execution of weekly and monthly store inventory audits,
• Late-deposit activity,
• Cash-drawer activity,
• Inventory adjustments due to theft, spoilage and customer charge-offs,
• Inventory purchasing and item-receipt activity, and
• Pricing overrides.

Prioritize Risks

8. Annually, the organization completes a comprehensive, enterprise-wide risk assessment. Those
involved in the assessment include senior management, business unit leadership and, where
appropriate, direct reports of business unit leaders. The focus of this risk assessment is identifying the
effect and probability (sometimes referred to as "significance and likelihood") of financial, operational
and compliance risks at the store operations and corporate levels. Risks are scored numerically from a
low of "1" to a high of "5," which provides support to management's judgmental prioritization of the risks.
Once prioritized, the risks are segregated further into levels — or "risk factors" — that indicate how the
risks might manifest. The table below shows how the organization groups and prioritizes risks.[3]

9. Management recognizes that effective store inventory control is crucial to the organization's
operations and financial reporting objectives. As a case in point, we will follow one of those risk factors,
"Inaccurate/improperly adjusted store inventory balances" (risk factor 2.b. below), through the monitoring
process.

10. The organization's sales consist primarily of furniture, appliances and electronics. Inventory items are
generally large and easy to count for inventory purposes and are more difficult to steal than those at
other retailers, such as clothing or department stores. However, if pervasive theft or shrinkage occurs at
multiple locations, or if store managers can fraudulently misstate inventory balances, errors could occur
that, in the aggregate, would be material to the organization in terms of both its operational goals and
the accuracy of its published financial statements.

11. Knowledge of these factors, along with management's understanding of the organization and its
business, provides support for the organization's inventory-related risk assessment process. The
following table exemplifies the organization's more detailed risk assessment process for inventory.

Risks | Risk Factors (i.e., What Can Go Wrong) | Impact Ranking | Probability Ranking | Priority
1. Inappropriate product type/quantity mix, inventory levels or store purchasing | a. Revenue loss due to inability to meet customer demands; b. Carrying excess store inventory; c. Write-offs from stale/obsolete inventory | 5 | 3 | H
2. Inappropriate/inaccurate/untimely inventory-level reporting | a. Not identifying damaged/obsolete inventory; b. Inaccurate/improperly adjusted store inventory balances | 5 | 3 | H
3. Inappropriate store-level inventory receipt | a. Inventory not being recognized/recorded in the system in a timely fashion; b. Inadvertent acceptance of damaged/obsolete inventory; c. Improper inventory costing; d. Hard/soft expense associated with correcting delivery errors; e. Increased theft/damage risk due to re-deliveries | 3 | 3 | M
4. Inventory theft | a. Direct financial loss; b. Overstatement of inventory balances; c. Understatements of expenses/overstatements of net income | 3 | 3 | M
5. Inaccurate/untimely store-to-store inventory transfers | a. Revenue loss due to inability to meet customer demands; b. Carrying excess store inventory; c. Inaccurate store inventory balance; d. Inability to perform accurate store inventories | 5 | 3 | H
6. Inaccurate/unavailable store inventory data | a. Revenue loss due to inability to meet customer demands; b. Inaccurate inventory booking and costing adjustments; c. Poor information for purchase price negotiations; d. Inability of store managers and district managers to perform scheduled inventories accurately | 5 | 1 | M
Identify Key Controls

12. Once management has prioritized the risks related to inventory management, the organization links
those risks to controls that address them. This process sets expectations for store operations
management, corporate finance and internal audit regarding how the internal control system should
manage or mitigate identified risks.

13. Management further refines monitoring efforts by identifying the controls that, when monitored, will
provide an adequate level of support regarding the internal control system's effectiveness.

14. With regard to the "Inaccurate/improperly adjusted store inventory balances" risk, management has
implemented a number of controls:

• Periodic inventory — To ensure accurate inventory counts at the store level, the following
inventory-count procedures are performed:[4]
  - The store manager is required to perform a bar-code inventory (i.e., electronically scanning the bar
    codes of items in inventory) three times per week on Monday, Wednesday and Friday. As it is
    taken, the inventory is automatically recorded in the centralized information system.
  - The store manager is also required to perform a monthly serial-number inventory (i.e., counting
    inventory by serial number and comparing the results with inventory records).
  - The district manager is required to perform a monthly serial-number inventory.
  Store managers conduct their inventories using barcode scanners that automatically document the
  results within the centralized information system. Inventories are also timed within the system so
  that management can monitor how long it takes to conduct specific inventories and react
  accordingly. Inventories that are performed too quickly may indicate a rushed and ineffective
  inventory count; inventories that take too long may signal a need for training or other operational
  improvements.
• Restricted access to record adjustments — To ensure proper oversight and approval of adjustments to
inventory balances, only the district manager is able to record inventory adjustments for spoilage, theft
or customer charge-offs.
• Monthly analytical review — To mitigate the risk of inappropriate store-level inventory management and to
assess overall store-level profitability, all inventory adjustments are reviewed during monthly district
manager and regional director profit and loss (P&L) reviews. Trends that surface over time in a
particular store are analyzed and compared, across a wide variety of key performance indicators, with
those of other stores.
• Daily inventory report review — To ensure that store-level inventory activity is accurate, the district
manager reviews a daily report that shows inventory balances on hand, inventory item receipt, open
purchase orders and inventory count exceptions.
• Exception report review — To ensure that inventory counts are performed on a timely basis, the SOG,
district manager and regional director are notified if inventory counts have not been completed in the
system for two weeks.
• Supervisory store audits — To ensure that store inventory counts are executed properly and that store
managers are effectively addressing idle inventory, the district manager performs comprehensive
quarterly store audits. Relative to inventory risk, these store audits include a review of completed store
manager inventory counts, identification and execution of inventory adjustments, and an assessment of
idle inventory (i.e., inventory idle for more than 90 days). The conduct of the quarterly store audits is
documented in the centralized information system, and the audit results are reviewed by the SOG and
reported to the applicable regional director.
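Two of the controls listed in paragraph 14 are mechanical enough to be run straight from the system records: the exception report that fires when a store has recorded no count for two weeks, and the timing check that treats a very fast or very slow count as a warning sign. The block below is an added example in Python, not the retailer's centralized system; the record layout (store, completion timestamp, duration in minutes), the 14-day window taken from the text, and the duration band of half to twice the cross-store median are assumptions, and the sample lines are constructed.

```python
"""Exception screening over system records of store inventory counts: stores
with no completed count in the last two weeks, and counts whose duration is
far from the norm across stores. Added example; record format, thresholds and
sample data are assumptions."""
from datetime import datetime, timedelta
from statistics import median

STALE_AFTER = timedelta(days=14)   # the two-week rule from the text


def parse_records(lines):
    """Each line: store_id,completed_at (ISO 8601),duration_minutes.
    Blank lines and '#' comments are skipped."""
    records = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        store, completed_at, minutes = line.split(",")
        records.append((store, datetime.fromisoformat(completed_at), int(minutes)))
    return records


def stale_stores(records, all_stores, now):
    """Stores whose most recent completed count is older than STALE_AFTER,
    including stores that have never recorded a count at all."""
    last = {}
    for store, ts, _ in records:
        if store not in last or ts > last[store]:
            last[store] = ts
    return sorted(s for s in all_stores if s not in last or now - last[s] > STALE_AFTER)


def duration_outliers(records, low=0.5, high=2.0):
    """Counts shorter than low*median (possibly rushed) or longer than
    high*median (possible training or operational issue), compared across
    all stores so one store's habit does not set its own norm."""
    if not records:
        return []
    med = median([d for _, _, d in records])
    flagged = []
    for store, _, minutes in records:
        if minutes < low * med:
            flagged.append((store, minutes, "rushed"))
        elif minutes > high * med:
            flagged.append((store, minutes, "slow"))
    return sorted(flagged)


# Constructed system extract: S1 counts on schedule, S2 last counted three
# weeks ago, S3 has no record, S4 has an 8-minute count, S5 a 170-minute one.
SAMPLE_LINES = """
# store,completed_at,duration_minutes
S1,2013-03-08T08:30:00,55
S1,2013-03-11T08:40:00,60
S1,2013-03-13T08:35:00,62
S2,2013-02-20T09:00:00,58
S4,2013-03-10T08:20:00,8
S4,2013-03-12T08:30:00,57
S5,2013-03-09T08:00:00,170
S5,2013-03-11T08:10:00,61
""".splitlines()
ALL_STORES = ["S1", "S2", "S3", "S4", "S5"]
NOW = datetime(2013, 3, 15)

if __name__ == "__main__":
    recs = parse_records(SAMPLE_LINES)
    print("no count in two weeks:", stale_stores(recs, ALL_STORES, NOW))
    print("duration outliers:", duration_outliers(recs))
```

Both lists are what the SOG, district manager and regional director would be notified about; the stale-store check deliberately takes the full store list as input so that a store that never wrote a record is reported rather than silently absent.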

15. Note that no individual store's inventory could be so wrong that it becomes material to the
organization as a whole, even if it were 100 percent wrong. Only a pervasive failure of the store
manager inventory control, covering multiple district managers, could become material to the
organization as a whole. Therefore, by focusing monitoring efforts at the store level, and by spreading
the risk of control failure across numerous district managers, the organization effectively reduces the
potential for inventory control failures to become material. These organizational factors are important in
considering the type and amount of persuasive information necessary to support a conclusion that the
internal control system is effective in relation to the risk.

Identify Persuasive Information

16. Relative to the identified risk (i.e., inaccurate/improperly adjusted store inventory balances), the store
managers' tri-weekly and monthly inventory counts are the key controls designed to ensure the accuracy
of inventory balances in the system. With the exception of the control restricting access to record
adjustments, all other controls identified by management provide various levels of monitoring to ensure
that (1) the store managers' periodic inventories are performed accurately, or (2) inventory balances and
adjustments appear reasonable on a store-by-store basis. In this particular organization, management
personnel at each level of the organization seek to identify sufficient relevant, reliable and timely
information to indicate whether store inventory control is working and inventory balances are accurate.

17. Because of the organization's size and tiered management structure, executive management's
monitoring efforts (in this case, the CFO's monitoring efforts) depend on (1) the effectiveness of
monitoring at the SVP, regional-director and district-manager levels; (2) the effectiveness of monitoring
performed by the SOG; and (3) executive management's own ongoing monitoring of store statistics
across the organization.


Direct Information

18. Available relevant, reliable and timely direct information regarding the operation of the store
managers' tri-weekly and monthly inventory counts includes the following components:

• System records detailing the date, time and results of the store managers' inventories;
• The district managers' direct observation of store managers taking inventories; and
• The results of the district managers' own monthly inventories, which would identify the failure of any
store manager's inventory count before that failure could contribute to a material error.

Indirect Information

19. Available indirect information that may indicate a potential failure in the store manager inventory
controls includes the following components:

• Detailed store-level metrics that show store trends and comparative metrics, including product-level
analyses, cost of goods sold, profitability, etc.;
• System records detailing the duration of each inventory count; and
• Store-level inventory records in the system, including on-hand balances, inventory items received by
the store, open purchase orders and, based on inventory counts, any needed adjustments to inventory
balances.

Implement Monitoring
20. The following table highlights how various levels of management monitor the effectiveness of the
store manager inventory controls, beginning with the district manager and ending with the CFO. Note
that all of these monitoring procedures, including the separate evaluations, are part of the organization's
normal operating activities. The procedures were not developed solely to meet an established regulatory
requirement.

Monitoring Procedure | Information Type | Monitoring Type | Comments

District Managers

1. Review daily store-level inventory report.
   Information type: Indirect. Monitoring type: Ongoing.
   Comments: This report enables the district manager to gauge quickly whether current and near-term inventory balances are reasonable. It also gives the district manager an idea of inventory that should be on hand when he or she visits the store.

2. Conduct monthly store inventory by serial number.
   Information type: Direct. Monitoring type: Ongoing.
   Comments: This procedure serves as both a control activity (identifying errors in the inventory balances) and a monitoring procedure (re-performing, and thus validating, the store manager's inventory control).

3. Conduct monthly store-level analytical reviews between the district manager and the regional director.
   Information type: Indirect. Monitoring type: Ongoing.
   Comments: Through this monthly analytical review, the district manager and regional director can identify inventory anomalies that warrant further investigation.

4. Conduct quarterly store audits, including an examination of store-manager inventory records.
   Information type: Direct. Monitoring type: Separate Evaluation.
   Comments: This monitoring procedure provides for periodic examination of store operations, including inventory management, at a detailed level that revalidates the effective operation of internal control.

5. Follow up on any inventory exceptions identified by the SOG.
   Information type: Direct. Monitoring type: Separate Evaluation.
   Comments: If the SOG identifies a store that either has not taken a required inventory in two weeks (see the SOG below) or presents other anomalies identified through analysis, the district manager and regional director are notified so that they can follow up on the exception.

Regional Directors and Senior Vice Presidents

1. Review daily, weekly and monthly store operating reports that highlight numerous statistics relevant to inventory levels, cost of goods sold and profitability.
   Information type: Indirect. Monitoring type: Ongoing.
   Comments: This report enables the district manager to gauge quickly whether current and near-term inventory balances are reasonable. It also gives the district manager an idea of inventory that should be on hand when he or she visits the store.

2. Discuss store operations, including inventory management, during regularly scheduled operational meetings between the SVPs and their regional directors, and between the regional directors and their district managers.
   Information type: Indirect. Monitoring type: Ongoing.
   Comments: This discussion, while high-level given the number of stores, gives regional directors and SVPs an opportunity to inquire about stores and store managers that may not be as effective as others.

3. Periodically visit store locations.
   Information type: Indirect. Monitoring type: Separate Evaluation.
   Comments: Regional directors and SVPs are unable to visit a large number of stores or to conduct or observe the inventory controls in action. Nonetheless, periodic visits send a message to the field about the importance of internal control. They also enable the regional directors and SVPs to see firsthand the quantity and condition of inventory on hand.

4. Follow up on any inventory exceptions identified by the SOG.
   Information type: Direct. Monitoring type: Separate Evaluation.
   Comments: If the SOG identifies a store that either has not taken a required inventory in two weeks (see the SOG below) or presents other anomalies identified through analysis, the district manager and regional director are notified so that they can follow up on the exception.

Store Operations Group

1. Perform detailed store-by-store analytical reviews, examine exceptions and report results to management.
   Information type: Indirect. Monitoring type: Ongoing.
   Comments: This detailed analysis provides an objective, educated review of store-level statistics that has a high likelihood of identifying problem stores before they can contribute to a material error. The SOG developed its list of key indicators based upon professional experience and with assistance from dedicated technology personnel who "mine" corporate databases to gather and evaluate the applicable data. On a monthly basis, this list of key indicators and the results of the monitoring performed by the SOG are reviewed by internal audit, store operations executive leadership at the home office, and the organization's executive committee.

2. Review evidence in the information system of the completion and results of the store managers' tri-weekly bar-code inventory.
   Information type: Direct. Monitoring type: Ongoing.
   Comments: Store-manager inventories are taken by electronically scanning the unique bar code on each item in stock. The SOG receives direct information from the system telling it when the inventory was completed, its duration and its results. The SOG then compares these results with those from the other 3,000+ stores in order to spot potential anomalies.

3. Perform store-level audits of inventory and inventory controls, if necessary.
   Information type: Direct. Monitoring type: Separate Evaluation.
   Comments: Internal audit and the SOG have the ability, if necessary, to conduct separate evaluations of inventory controls.

Chief Financial Officer

1. Review weekly statistical reports highlighting stores with potential inventory or profitability issues.
   Information type: Indirect. Monitoring type: Ongoing.
   Comments: The weekly statistical report gives the CFO frequent and detailed information about the results of operations. It also highlights possible anomalies that he or she can discuss with other members of management and operations.

2. Discuss store operations, including inventory management, during regularly scheduled operational meetings.
   Information type: Indirect. Monitoring type: Ongoing.
   Comments: Like the discussions between the SVPs and their regional directors, and those between the regional directors and their district managers, the CFO's participation in regular operational meetings provides him or her with much indirect information about the effectiveness of store management controls.

3. Review reports from internal audit and the SOG regarding the results of their monitoring procedures.
   Information type: Direct and Indirect. Monitoring type: Separate Evaluation.
   Comments: In most organizations, reports from internal audit consist primarily of direct information. In this organization, however, most of the monitoring performed by the SOG is indirect. One exception is information derived from the store managers' tri-weekly bar-code inventory, which consists of direct information about stores that have not conducted proper tri-weekly inventory counts. Given the nature of the organization (i.e., a large number of homogeneous locations that are statistically comparable) and the monitoring using direct information that takes place elsewhere in the organization, the CFO's monitoring procedures provide him or her with adequate support to determine whether the store-manager inventory controls are effective across the organization.

Internal Use Only


Exported on 23/02/2022 10:29 pm © All rights are reserved. Page 952
Assess and Report Results

21. Internal control issues identified by the district managers are normally corrected through communication between the district manager and the store manager.

22. If a store manager does not perform an inventory count over a two-week period, the SOG team is alerted to the lapse during a review of its statistical reports. After receiving this alert, the SOG team notifies the store manager directly and requests an explanation for failing to perform the inventory. The district manager and regional director responsible for the store are also notified. In addition, the issue is documented on a Store Operations Recap Report, which serves as a clearinghouse for all exception items identified by the SOG.

23. The Store Operations Recap Report is sent monthly to the director of internal audit and the organization's Executive Committee. Items included in the report are maintained there until the item is considered "cleared" by the SOG.

24. In one instance, during a review of its statistical reports, the SOG identified a store that had an abnormal level of late deposits and cash drawer shortages. The SOG also noted abnormalities in several key store metrics that could be signs of fictitious customers and inventory manipulation. Those metrics included a lapse in the store manager's tri-weekly inventory counts for over 100 items, unusual fluctuations in the number of new sales contracts and new customers, a high level of past-due accounts, and abnormal fluctuations in collections and profit margins.

25. The district manager responsible for the store and the organization's loss prevention team (a separate group within corporate operations responsible for investigating inventory-shrinkage issues) were apprised of the issues in question. Through a store visit and investigation, the district manager and the loss prevention team discovered that the store manager was stealing cash from the cash drawer and covering the shortage by recording sales on credit to fictitious customers, thereby removing the item from the store's inventory records. The store manager would then sell the off-the-book inventory item for cash, which was used to cover (1) the cash-drawer shortage, and (2) the balances due from the fictitious customer. The store manager would keep any remaining cash.

26. The fraud was discovered because the SOG evaluated (1) persuasive information indicating that a key control focused on inventory counts was not operating effectively, and (2) other indirect information that identified unusual activity. Additionally, the SOG was competent and objective, which enabled it to understand the implications of the failure of this control. By communicating/reporting this control failure to the appropriate parties through proper channels, the SOG was able to perform further investigative procedures, leading to the identification of the problem's source and its correction.

27. This type of fraud, which occurs often in large retail organizations, would likely have been discovered at some point either through increased receivable write-offs or through controls related to extending credit. However, because of the robust monitoring procedures in place, the organization was able to identify the fraud quickly, take appropriate corrective action and reduce the potential for loss.

Observations

28. This brief example cannot fully convey the organizational context in which the internal controls, including monitoring, were developed. The personnel involved in assessing risk, designing controls and related monitoring procedures, and overseeing the internal control system have extensive experience in this organization and industry. Accordingly, they have developed and implemented monitoring procedures that provide information they believe to be suitable and sufficient regarding the effectiveness of the underlying controls. They continue to refine those procedures as risks and controls change.

29. The COSO project team responsible for authoring this example has identified possible modifications to the monitoring procedures described. Other organizations may benefit from the following discussion of those modifications as they consider applying the procedures to their unique circumstances. The common goal across all organizations is implementing internal control, including monitoring, that adequately and cost-effectively manages or mitigates meaningful risks to organizational objectives.

30. First, some of the monitoring performed by the district managers (e.g., taking a monthly store inventory at six to eight stores) may seem excessive to some organizations. Because the store managers' tri-weekly inventory is recorded electronically through a bar-code scanner, the district manager may be able to review a system report documenting the results of the store managers' inventory, then conduct a separate inventory on a less frequent basis.

31. Second, above the district-manager level, little direct information is used in monitoring. Because this organization has a large number of statistically comparable stores, it is better able than many other organizations to use indirect information to identify possible control problems. Over time, though, that indirect information can become clouded by other factors. In some cases, pervasive internal control problems can gradually influence the indirect information so that even material errors appear normal. However, an organization can cost-effectively improve the persuasiveness of the information used in monitoring.

32. In this example, virtually no opportunity exists for development of store-level pervasive control problems that could be material to the organization's objectives — that is, if the district managers conduct their monitoring procedures correctly. Thus, periodic objective monitoring of their procedures (possibly through internal audit) may be prudent.

33. These periodic procedures need not necessarily subject every district manager to evaluation every year. Objective monitoring might examine a random group of district managers each year. The results could provide management with direct information supporting a belief that the district managers are performing their duties effectively. Such monitoring might also encourage the district managers — knowing their controls will be subject to review — to execute their control responsibilities properly.

Summary and Conclusion

34. This retail organization improved both the effectiveness and efficiency of its internal control system by taking steps that are consistent with COSO's Monitoring Guidance. In responding to certain identified control failures and recognizing that existing monitoring procedures were not achieving their objectives, management first performed a comprehensive review of control over store operations. It then:

• Identified and prioritized risks to its operations and to its financial reporting and compliance objectives,
• Improved the internal controls where necessary and selected key controls to monitor at various levels,
• Identified persuasive information (both direct and indirect) that would provide support for a conclusion regarding the effectiveness of the internal control system, and
• Developed monitoring procedures throughout all levels of management to evaluate the information through a mix of ongoing monitoring and periodic separate evaluations — all with an emphasis on ongoing monitoring procedures.

35. Other organizations — even organizations similar to the one in this example — may adhere to similar general principles, yet implement different controls and different monitoring procedures. COSO's Monitoring Guidance is not intended to lead every organization to the same conclusions regarding what risks are meaningful, how the risks should be controlled, or how internal control should be monitored. It does, however, provide an outline any organization can use to develop monitoring procedures that will support the organization's conclusions about the effectiveness of internal control.

Monitoring of Controls Over Certain Operational Risks in a Mid-Sized Manufacturing Organization

Background Information

1. A mid-sized manufacturing organization produces complex equipment and engine components. These components typically operate for extended periods (up to 40 years) and have very low tolerance thresholds for failure. In fact, the failure of some components can have life-threatening consequences.

2. As part of global sourcing, many of the organization's customers require product delivery on a just-in-time basis. Profitably serving the original-equipment-manufacturer (OEM) and after-market demands for these products is the organization's strategy. As a result, the organization must carry, or be able to produce, inventory to address the need for a product that may be 40 years old.

3. At one point, the organization's board of directors expressed concern about inventory growing faster than revenue — a disturbing trend given that technological advancements could render existing component inventory parts obsolete. The board and management agreed that a focus on production methods and inventory management was a strategic goal. They recognized, however, that the goal should not be achieved at the expense of product quality.

Organizational Structure and Goal Setting

4. The organization is structured around three product business groups, each of which is managed by a business group vice president who reports directly to the chief executive officer (CEO).

5. Product business groups are supported by centralized corporate finance, human resources, internal audit, and other standard back-office functions and have a dotted-line relationship with a product business group controller who is a member of the corporate finance team.

6. Each business group vice president is responsible for all aspects of his or her product business group within the overall corporate strategy, including:

• Marketing, development and growth of the customer base for the product line;
• Oversight of the research and development of requested components for customers;
• Product-line supply chain and supply chain relationship management;
• Product manufacturing process;
• Delivery of manufactured components to customers; and
• Inventory management that supplies high-quality products to customers when they are needed, yet minimizes on-hand quantities in order to reduce overhead and risk of obsolescence.

7. Components are manufactured to the product-design specifications and quality standards provided by customers, as well as to internal quality standards defined through the organization's strategic planning process.

8. Each product business group comprises a team of design engineers and process engineers led by an engineering team leader. Each team oversees the design and execution of its manufacturing processes.

9. Executive management develops long-term strategic focus goals, which are updated every year. These strategic focus goals have been defined by the organization as:

• Focused growth,
• Financial excellence,
• Commercial and technology excellence,
• Process excellence, and
• Outstanding employees.

10. The executive team further develops annual goals and objectives that are linked to the strategic plan. Compensation is based, in part, on the achievement of the specific plans for the product business group. For example, the "commercial and technology excellence" and "process excellence" strategic focus goals include objectives for component product-manufacturing quality, which will be a focal point of this example.

11. Business group vice presidents compare monthly, quarterly and annual results with the annual strategic goals and report the results to the CEO, CFO and board. These reports include analysis related to quality, delivery, rework, cost and overall financial performance.

12. Each product business group employs a quality assurance team that reports directly to the business group vice president. The quality assurance teams are responsible for product-quality monitoring and verifying compliance with manufacturing standards. Business group quality assurance teams comprise former manufacturing process team leaders, process engineers and quality assurance professionals with independent quality assurance certifications.


Prioritize Risk

13. Through the goal-setting process, executive management identifies the risks to achieving the organization's goals and objectives, prioritizing them based on their likelihood and significance.

14. The organization has identified a critical risk related to the potential failure to manufacture components that meet pre-defined quality standards and the customers' cost requirements. The probability of the risk's occurrence has increased as the organization seeks to improve production efficiency, reduce finished-goods inventory levels, and continue to meet customer delivery expectations. Thus, the organization seeks to integrate quality considerations into all aspects of the product life cycle — from product design, to manufacturing, to delivery.

15. Product-quality expectations are set forth by the CEO and executive management as part of their commercial and technology excellence and process excellence strategic focus goals. To enhance quality and efficiency, the organization has implemented a number of lean-manufacturing and quality standards, including the recent adoption of Six Sigma, which business group vice presidents are required to follow as part of their long-term strategic objectives. Six Sigma — originally developed by Motorola, Inc. — is a set of practices designed to improve processes by eliminating defects. The methodology typically includes the following five steps: define, measure, analyze, improve and control.

16. During the annual strategic-planning process, business group vice presidents and the leadership teams reporting to them identify and prioritize manufacturing-process quality risks. The activity is subjective (i.e., not driven by a quantitative analysis of risk significance and likelihood) and draws on the extensive experience of the people involved. The table below demonstrates the risk-assessment thought process and related results.

Product Life Cycle Quality Risks, Risk Causes and Risk Priority

1. Improper design of customer-requested components and related manufacturing processes
   a. Inadequate specifications received from customer (Risk Priority: M)
   b. Failure (through lack of skills or proper design-analysis procedures) to address the risk that the component will fail (Risk Priority: H)
   c. Failure (through lack of skills or proper design-analysis procedures) to address the risk that the component will cause a system failure, or not operate as intended, in the system in which it is installed (Risk Priority: H)
   d. Failure to follow established manufacturing design procedures related to raw material selection, production methods and testing routines (Risk Priority: H)

2. Improper manufacture of components to meet quality tolerances
   a. Failure to establish proper quality-tolerance metrics (Risk Priority: H)
   b. Failure to follow up when tolerances are exceeded (Risk Priority: M)
   c. Inadequate skills of manufacturing personnel (Risk Priority: M)
   d. Inadequate oversight of manufacturing process (other than risk 2.b. above) (Risk Priority: M)

3. Untimely delivery of components to customer
   a. Failure to establish reasonable delivery deadlines with customer (Risk Priority: M)
   b. Failure to recognize delays in a timely manner, thus losing the opportunity to correct or to discuss with customer (Risk Priority: M)

17. This example will elaborate on internal control and related monitoring regarding Risk #1 above, improper design of components and related manufacturing processes. For simplicity we will refer to this risk as "Design Risk."

Identify Key Controls

18. Management has implemented the controls in the following table to address Design Risk (Risk #1 above). Controls marked "(Key Control)" are designated as key controls. Note that the organization does not formally designate controls as "key" or "not key." Management has designated some controls as key because it has determined that, by monitoring them, it can reasonably conclude whether the internal control system is operating as intended with respect to the identified risk. Note, too, that the designation as "key" is not necessarily indicative of the control's overall importance to the internal control system. Rather, it demonstrates the relative contribution that monitoring the control will make toward a conclusion about the effectiveness of the internal control system in addressing the related risk. All of the controls below are important, but the effectiveness of some can be determined through the monitoring of others.

Control 1: Proper skills and oversight
   Description: An experienced project manager from the business group engineering team oversees the execution of the component-manufacturing process and leads a manufacturing project team composed of system, design and manufacturing-process engineers and a representative from the business group quality assurance team.
   Comments: Management's direct interaction with project team members and their monitoring of the key controls selected below provide the necessary support for a conclusion about the level of skills present and the adequacy of manufacturing oversight.

Control 2: Standard development templates
   Description: The project manager uses standardized templates and develops proposed time and resource budgets to track project results against expected outcomes. He or she also coordinates project budgets and costing with the organization's corporate finance team.
   Comments: Management's monitoring of the key controls below will identify a failure to use standard development templates before the failure would be likely to cause a material error.

Control 3: Standard contract language
   Description: The standard customer contract contains specific language that highlights the requirement for the customer to submit complete and accurate component specifications. The standard contract language is a communication mechanism for ensuring that the customer understands its responsibilities.
   Comments: Standard contract language is an important control, but monitoring key control #12 below (the customer's approval) is a better indicator of the customer's understanding and acceptance of its responsibility.

Control 4: Component Design Risk Analysis (Key Control)
   Description: To address the risk that a designed component will not function properly, the manufacturing project team completes a Component Design Risk Analysis, identifying and ranking the cause and effect of potential component failures.
   Comments (applies to controls #4 and #5): These two controls are selected as key because (1) their failure would raise the organization's risk regarding the design of a component to unacceptable levels, and (2) monitoring their effective operation helps support a conclusion about the effectiveness of earlier controls.

Control 5: System Risk Analysis (Key Control)
   Description: To ensure proper operation of the component within the system for which it is intended, members of the manufacturing project team perform a System Risk Analysis that identifies and ranks the cause and effect of potential system failures after the component is installed.
   Comments: See control #4.

Control 6: Review and approval of component design
   Description: Before designing the component-manufacturing process, the manufacturing project team reviews and approves both the Component Design Risk Analysis and the System Risk Analysis.
   Comments: This self-review procedure is an important control, but (1) it is not conducted by someone objective enough to provide persuasive support to management levels above the project team, and (2) its failure would most likely be detected (before it could allow a material error) by monitoring key controls #4 and #5 above. As a result, it is not selected as a key control for monitoring purposes.

Control 7: Preparation of Manufacturing Process Flow
   Description: The manufacturing project team completes a Manufacturing Process Flow to establish the most effective and efficient manufacturing process and to assist in completing the Manufacturing Process Risk Analysis.
   Comments: A failure of this control would be detected on a timely basis through monitoring of key controls #8, #9, #10 and #12 below. Thus, it is not selected as a key control for monitoring purposes.

Control 8: Manufacturing Process Risk Analysis (Key Control)
   Description: The manufacturing project team completes a standard Manufacturing Process Risk Analysis that identifies and prioritizes potential failures of the manufacturing process.
   Comments (applies to controls #8, #9 and #10): Similar to key controls #4 and #5 above, these three controls are selected as key because (1) their failure would raise the organization's risk regarding the manufacture of a component to unacceptable levels, and (2) monitoring their effective operation helps support a conclusion about the effectiveness of earlier controls.

Control 9: Manufacturing Process Control Plan (Key Control)
   Description: A Manufacturing Process Control Plan (including key sampling metrics, expected manufacturing results and approved responses to identified results that are outside process expectations) is completed to ensure that design specifications are met during production.
   Comments: See control #8.

Control 10: Manufacturing testing process (Key Control)
   Description: Prototypes are manufactured and tested during the development of the Manufacturing Process Risk Analysis and the Manufacturing Process Control Plan. The manufacturing project team is advised of deviations from expected results outlined in the Component Design Risk Analysis and System Risk Analysis and updates those analyses appropriately.
   Comments: See control #8.

Control 11: Review and approval of manufacturing design
   Description: The manufacturing project team reviews and approves the Manufacturing Process Flow, Manufacturing Process Risk Analysis and Manufacturing Process Control Plan before design of the component-manufacturing process commences.
   Comments: Consistent with control #6, this self-review procedure is an important control at the manufacturing project team level, but it is not objective enough to be considered a key control at higher levels in the organization.

Control 12: Customer approval (Key Control)
   Description: Before the organization initiates production of the component, formal customer approval is required of the following documentation: the Component Design Risk Analysis, the System Risk Analysis, the Manufacturing Process Risk Analysis, and the Manufacturing Process Control Plan.
   Comments: This control completes the communication cycle with the customer and provides independent verification that the customer is satisfied with the component design and manufacturing plan. It is selected as a key control because its failure could increase the organization's risk to unacceptable levels, and that failure could go undetected by other controls for some period of time.


Identify Persuasive Information

19. Because product quality is a critical organizational objective, management has developed robust ongoing monitoring of quality indicators, including:

• The results of the Six Sigma process mentioned above;
• Monthly comparison of quality metrics (described below) across product lines;
• Monthly operating calls, facilitated by the CFO and including business group vice presidents and business group controllers, to discuss operating results and quality issues; and
• Routine reporting of defect and warranty levels to manufacturing plant leadership, business unit leadership, executive management and the board of directors.

20. The information used in these ongoing monitoring procedures is indirect. Available indirect information that may indicate a manufacturing-process quality failure includes:

• Number of prototype failures;
• Qualitative prototype failures compared to expectations outlined in the Component Design Risk Analysis or Manufacturing Process Control Plan (e.g., failures of a type not anticipated in the design phase may indicate improper risk-of-failure analysis);
• Prototype-development scrap levels;
• Extent of revision information noted on the Component Design Risk Analysis and System Risk Analysis;
• Project time budgets and costs;
• Project status updates from the project manager to the engineering team leader and from the engineering team leader to the business group vice president; and
• Production statistics regarding scrap, rework and warranty levels.

21. The frequency and level of detail of this indirect information are such that the organization can quickly identify quality problems — however, nearly all of the information is produced either late in the component-manufacturing development process or after production has already started. Further, some of the information, such as levels of prototype failures, could lead to inaccurate conclusions about control effectiveness. For example, low levels of prototype failures may indicate that both the component and the related manufacturing processes have been designed well, but such low levels could also result from ineffective prototype-testing procedures. Accordingly, the organization also performs direct monitoring of certain controls in order to gather more timely and reliable information about the operation of underlying controls. The organization has access to the following direct information regarding the operation of controls that address Design Risk:

• Manufacturing project team's documented acceptance or rejection of the Component Design Risk Analysis and the System Risk Analysis (Key Controls #4 and #5);
• Manufacturing project team's acceptance or rejection of the proposed Manufacturing Process Flow, Manufacturing Process Risk Analysis and Manufacturing Process Control Plan (Key Controls #8 and #9);
• Information obtained during development of the manufacturing project team's Manufacturing Process Control Plan (Key Control #10);
• Customer's acknowledgement that it provided to the organization complete and accurate component requirements and information (specifications, tolerances, systems in which component will be used, etc.) (Key Control #12); and
• Customer's acceptance or rejection of the Component Design Risk Analysis, System Risk Analysis, Manufacturing Process Risk Analysis and Manufacturing Process Control Plan (Key Control #12).


Implement Monitoring

Internal Use Only


Exported on 23/02/2022 10:29 pm © All rights are reserved. Page 968
22. The following table highlights how the various levels of management — from the component-

manufacturing project manager, to the business group vice president, to the CEO — monitor the

effectiveness of an individual component-manufacturing process:

Monitoring Procedure Information Type Monitoring Type Comments

Component-Manufacturing Project Manager

1. Day-to-day interaction Direct Ongoing The project manager's


with and oversight of the direct involvement in
component design and overseeing every aspect of
manufacturing design the manu-facturing process
processes. and in completing the self-
review procedures gives
him or her relevant, reliable
and timely information
about whether internal
control over Design Risk is
operating effectively. This
direct interaction can relate
to all of the controls
identified above, but is
espe-cially important with
respect to the selected key

Internal Use Only


Exported on 23/02/2022 10:29 pm © All rights are reserved. Page 969
controls.

However, the project


manager's extensive
involve-ment can also
impair objec-tivity, which
affects the ability of others
above the project-manager
level to rely on monitoring
at this level.

2. Completion of the self- Direct Ongoing


review procedures
described in controls #6
and #11 above.

Business Group Vice President

1. Direct reports from the quality assurance teams. The quality assurance teams review direct information supporting the effective completion of each of the key controls identified above, including the:
• Component Design Risk Analysis (Control #4)
• System Risk Analysis (Control #5)
• Manufacturing Process Risk Analysis (Control #8)
• Manufacturing Process Control Plan (Control #9)
• Manufacturing testing process (Control #10)
• Customer approval (Control #12)
(Direct; Ongoing)

These quality assurance teams report formally to the business group vice presidents. While they work closely with the manufacturing project teams, they are objective with respect to the component and manufacturing design processes. Their primary responsibility is to ensure that proper quality procedures are followed. Their close proximity to the operation of the controls, coupled with their objectivity, allows the quality assurance teams to be a primary monitoring mechanism for management.

2. Daily, weekly, monthly and quarterly review of the indirect information described earlier. (Indirect; Ongoing)

As noted earlier, the level of detail provided by this indirect information enables the organization to identify and react quickly to manufacturing quality issues if they arise. Typical reactions include correcting the design or manufacturing problem and initiating a separate evaluation of the controls to identify and correct the root cause of the problem.

CEO and Executive Management Team

1. Daily interactions with the three business group vice presidents during which the results of other quality monitoring procedures are discussed (e.g., quality assurance team results, quality metrics results and financial results). (Direct and Indirect; Ongoing)

Because the organization is highly focused on product quality, daily interactions between executive management and the business group vice presidents often address quality-related matters. These interactions, though they are frequently informal, serve as valuable support for executive management's conclusions about controls over product quality, including design risk.

2. Monthly management meetings in which the results of other quality-monitoring procedures are discussed more formally. (Direct and Indirect; Ongoing)

These monthly meetings, conducted in the first week of every month, provide a more rigorous analysis of the results of direct monitoring below the executive-management level and of the indirect quality metrics.

Assess and Report Results


23. Because the organization's structure is relatively flat, the results of monitoring can be communicated to the proper levels quickly and accurately. Also, because product quality is so important, the communication protocols regarding quality issues are designed to escalate rapidly to the business group vice presidents, executive management and the board.

24. The organization does not have a formal control-deficiency prioritization protocol, but it does track issue identification and resolution through a "Corrective Action Status" report that is updated continuously and reviewed at the monthly management meeting.

Summary and Observations


25. This manufacturing organization has quality-related risks that must coexist with competing risks associated with financial goals, such as those related to efficiency, on-time delivery, profitability and inventory valuation. Unnecessarily long lead times for finished goods would require higher levels of finished-goods inventory, which negatively affect the financial goals. Further, a singular focus on production efficiency would likely lead to an unacceptable reduction in product quality.

26. Management and the board have been successful in developing an internal control system and related monitoring that enhance product quality and efficiency through a focus on minimizing defects and planning up-front. The controls associated with ensuring that the designed component will work within its intended system, and the controls over the design of the manufacturing process, are also critical to meeting the organization's quality and financial goals.

27. The organization monitors these controls on an ongoing basis through the use of both direct and indirect information. Most of the direct-information monitoring occurs through the normal functioning of the quality assurance teams. These teams, which include highly competent and objective personnel, have direct access to the information they require to determine whether these controls are operating effectively. Day-to-day interactions — the effectiveness of which is bolstered by the flat organizational structure and the high-profile nature of the quality-related risks — are also a valuable form of direct monitoring.

28. The results of the ongoing monitoring are further supported by robust monitoring using indirect information. This indirect information, which includes specific quality metrics as well as financial metrics, enables the organization to identify issues that may negatively affect the quality goals, financial goals, or both. This detailed information is reviewed at every level within the organization, including the executive-management level, to ensure that any significant deviations from expectations are identified and explained.

29. The organization makes extensive use of ongoing monitoring procedures because they enhance its ability to achieve its objectives. By building monitoring into daily operations, the organization can quickly identify and correct control problems before they can lead to a material failure. As ongoing monitoring identifies real or potential problems, the organization can employ separate evaluations to examine and correct them.

Monitoring Certain IT Controls


1. The earlier examples in this section are based on the internal control systems and experiences of specific organizations. They are designed to demonstrate monitoring by following an identified risk through the process of prioritizing the risk, selecting the key controls and identifying persuasive information about those controls, selecting and executing a monitoring procedure, and assessing and reporting the results. The scope of the examples is narrow (concentrating on a few risks and controls) in order to focus on each step in the monitoring process.

2. The examples in this section on Monitoring Certain IT Controls differ from the others in that they explore several common IT-related risks associated with financial reporting and the monitoring of internal controls related to those risks. This section considers the types of controls used to mitigate common risks, discussing the types of information used to verify that those controls are operating. It also provides examples of common IT management processes that, in the right circumstances, might be considered to be control monitoring activities and examines how technology tools can be used to monitor certain controls. Note that while these examples focus on financial reporting objectives, the concepts can be applied to operations-related objectives or to compliance with laws and regulations.

3. The process for designing and executing monitoring of IT controls is consistent with that of other controls. It starts with prioritizing risks, understanding and identifying the controls designed to mitigate those risks, and identifying persuasive information about the operation of selected key controls. The process ends with the implementation of the chosen procedures.

4. The following are some general points to consider when designing an approach for monitoring IT controls:
• The consistent operation of information systems may be dependent on certain IT-related controls, often referred to as "general controls."5 If these general controls are determined to be "key controls" as discussed in Volumes I and II of this guidance, they likely would be subjected to appropriate monitoring procedures.
• An IT process or system may be the only source of information needed to monitor some controls, possibly increasing the need to monitor related IT controls. For example, vendor master file changes, and the names of individuals making and approving those changes, may be generated only from an IT system. The effectiveness of controls over that IT system thus affects the monitoring of other controls and may warrant monitoring.
• Monitoring of certain IT-related controls can be automated and performed repetitively — even continuously. See paragraphs 9 through 17 in this section for examples of such monitoring.

Understanding and Prioritizing Risk


5. Although nearly every organization is exposed to IT-related risks, the process of prioritizing the risks and identifying the key controls that mitigate them will vary from organization to organization. The table below summarizes some common IT-related risks associated with financial reporting and contains examples of factors to consider in determining their relative importance.

Nature of Risk6 and Risk Description

1. Inappropriate Access: Application programs are accessed and used inappropriately, resulting in errors, invalid transactions or fraud.

Example Factors Influencing Risk Prioritization:
• Degree to which inappropriate system access might benefit someone who obtains it — For example, access that might allow someone to steal money, manipulate transactions for personal benefit, or conceal illegal activity is a greater risk than access that offers little or no benefit.
• Significance of the data processed by the system and the data's potential material effect on organizational objectives.
• Complexity of the computing environment — Increased complexity of the computing environment may increase the potential for undetected, inappropriate system access.

2. Program Integrity: Application program processing logic (source code, configuration information, etc.) is subjected to unauthorized or improper setup or modification, rendering the system incompatible with user needs or expectations and causing incomplete or inaccurate information processing or reporting.

Example Factors Influencing Risk Prioritization:
• Packaged versus internally developed application systems — Relative to programming logic, packaged application systems may carry less risk than internally developed systems because packaged systems offer limited or no access to the source code. However, because they are created to be used by a wide variety of organizations and typically include more configuration options than do internally developed systems, packaged application programs can carry a higher level of risk regarding the selection of options and the resulting integrity of the configuration information that controls how programs function. Program-integrity risk will increase according to the extent to which packaged application systems allow customization.
• Programming complexity — Application programs that perform complex calculations or controls (sophisticated financial computations, pricing discounts, etc.), where end-users are less able to confirm complete or accurate processing, typically are higher risk than applications that merely accumulate and aggregate business transactions. For example, a bank's program-integrity risk profile related to loan and deposit applications might be considered "high" due to the nature of processing a large volume of transactions having a vast array of calculations across different product types. By comparison, a manufacturer's customer invoice computations may be less complex and easily verifiable to specific customer orders and physical shipment records.
• Significance of the data processed by the system and the data's potential material effect on organizational objectives.

3. Data Integrity: Data is improperly added or altered and could include business transaction data (e.g., an invoice), master file data (e.g., a customer credit limit), or parameter settings that control processing logic or enable controls (e.g., a system setting that triggers an additional level of approval for amounts over a certain dollar limit).

Example Factors Influencing Risk Prioritization:
• Degree of complexity associated with data entry — Data-integrity risk is greater in systems requiring complex and/or multi-step data entry than in systems with simple data-entry procedures.
• Significance of the data processed by the system and the data's potential material effect on organizational objectives.

4. Information Processing: Processing fails or is erroneous, resulting in incomplete, inaccurate or lost data.

Example Factors Influencing Risk Prioritization:
• Extent of information interchange — Information-processing risk is commensurate with the number of internal and third-party data interfaces.
• Potential for system outage or failure that results in disrupted or impaired information processing.
• Significance of the data processed by the system and the data's potential material effect on organizational objectives.

Identifying Key Controls and Information Used to Monitor Those Controls

6. The size and sophistication of an organization, the number, nature and location of its underlying technology resources, its organizational structure, and its IT-development philosophy — all of these variables can affect the nature of the specific controls in place for managing IT-related risks and how those controls are monitored. Also, manual controls can, at times, detect and correct the failure of IT controls that operate earlier in the transaction process. For example, after reviewing supporting invoices, the chief financial officer (CFO) in a small organization may sign every check. This control, if it operates effectively, enables the CFO to identify unauthorized checks generated by someone with improper system access. It can also serve as a compensating control where segregation of duties between check writing and cash accounting is not practical.

7. Although specific controls and their related monitoring processes are unique to individual organizations, the following table summarizes IT controls that are typical to managing or mitigating one or more of the broad financial reporting risks defined earlier. This table also links to the types of risk that the controls address (see Nature of Risks above) and provides a high-level view of the direct information commonly used to monitor whether these controls are operating.

IT Control Type / Risk(s) Addressed / Control Description / Information Used in Monitoring

IT Control Type: Limited Access to Application Program Source Code
Risk(s) Addressed: Inappropriate Access; Program Integrity
Control Description: Access controls that limit to specific personnel the ability to make application programming and/or configuration changes, e.g., personnel who are:
• trained in programming tools, and
• authorized to make programming changes
Information Used in Monitoring:
• Listing of access rights to source code libraries
• Evidence of appropriate access rights approval
• Security logs indicating who has accessed a given program

IT Control Type: Application Security
Risk(s) Addressed: Inappropriate Access
Control Description: Application access controls that:
• based on program users' responsibility, provide them a restrictive set of access rights, and/or
• provide a foundation for segregation of duties within or between application programs
Information Used in Monitoring:
• Listing of access rights to application programs and/or specific transactions within those programs
• Evidence of appropriate access rights approval
• Security logs indicating who has accessed a given program

IT Control Type: Data Security & Change Control
Risk(s) Addressed: Inappropriate Access; Data Integrity; Program Integrity
Control Description: Access controls that restrict to (a) business users of authorized application programs, or (b) a limited group of data administrators the ability to add or alter financial reporting data. Approval controls that provide visibility to and approval of data and database changes made by data administrators. Periodic review of access rights.
Information Used in Monitoring:
• Listing of access rights to relevant data files, databases or tables within a database
• Evidence of appropriate access rights approval
• Evidence of appropriate configuration of master database rules, including application-program access rights
• Security logs indicating who has accessed a given application or database
• Evidence of the identification and transparency/approval of data changes on an exception basis (i.e., changes made through any means other than normal business processes and application programs that require certain levels of approval)

IT Control Type: Limited Access to Production
Risk(s) Addressed: Program Integrity; Data Integrity
Control Description: Access controls and operating-system security configurations that restrict to a limited and defined group of personnel the access to operating-system administration capabilities (i.e., restrict the ability to "push" program changes into the production environment)
Information Used in Monitoring:
• Listing of access rights to relevant production program libraries, files and related configuration information
• Evidence of appropriate access rights approval
• Security logs indicating who has accessed a given program

IT Control Type: Program Testing
Risk(s) Addressed: Program Integrity
Control Description: Controls designed to ensure that application program changes are sufficiently tested before their introduction into a production environment
Information Used in Monitoring:
• Documentation of proper testing of program changes, including changes to configuration data
• Documentation of business unit or user approval of relevant changes

IT Control Type: Program Change Control
Risk(s) Addressed: Program Integrity
Control Description: Access and approval controls that, collectively, ensure the visibility and approval of application program and/or configuration changes
Information Used in Monitoring:
• Listing of program changes made, indicating source and approval
• Documentation of appropriate testing and approval of program and configuration changes before they are moved into a production environment
• Evidence of approval of appropriate access rights that enable an individual to move programs to a production environment

IT Control Type: Job Scheduling & Management
Risk(s) Addressed: Information Processing
Control Description: Access and approval controls over the scheduling and management of the "jobs" (meaning batch jobs and other operational processes originated within IT that are relevant to information processing or protection) that enable complete and accurate processing of data and information. Problem and incident monitoring.
Information Used in Monitoring:
• Listing of access rights to relevant job scheduling and management tools
• Evidence of appropriate access rights approval
• Evidence that relevant "jobs" and other activities are completed as planned (including correcting and resubmitting failed "jobs")
• Problem and incident management reports

IT Control Type: Data Redundancy
Risk(s) Addressed: Data Integrity; Information Processing
Control Description: Technology and processing controls, including data mirroring and disk or tape backups, designed to ensure that data is not lost due to operational or processing failures
Information Used in Monitoring:
• Reports from backup tools, confirming that all relevant data files and programs are backed up
• Comparisons of mirrored data, showing equivalence thereof (usually performed automatically as part of the system's mirroring process)
• Results of periodic data recovery tests

Implementation of IT Controls Monitoring

8. IT controls typically are monitored through a combination of ongoing monitoring and separate evaluations. Many IT departments employ specific processes that can provide management with information about the effectiveness of certain controls. To the extent that those processes work effectively, management may be able to reduce or streamline monitoring work performed through separate evaluations. Some of these processes provide direct information about control effectiveness; others provide only indirect information at a much higher level or on a composite (rather than specific-control) basis. The following table provides some details about typical monitoring procedures related to IT controls.

Monitoring Procedure / Information Type / Controls Addressed

Monitoring Procedure: Access Recertification
Information Type: Direct
Controls Addressed:
• Limited Access to Application Program Source Code
• Application Security
• Data Security & Change Control
• Limited Access to Production
• Job Scheduling & Management

Description:

Security access recertification is a process through which, at a given point in time, the existing access rights to an IT resource (e.g., an application program or an infrastructure component) are provided to the person responsible for that resource. The responsible party compares the existing access information to his or her expectations and identifies potential exceptions, which are investigated and addressed, as required.

Because this process occurs outside the normal process for adding and changing user access rights, it can serve as a method of monitoring the effectiveness of the security administration process (whereby user access rights are added, changed or removed). To qualify as an effective monitoring procedure, exceptions should be analyzed to determine why the security administration process allowed them to occur.
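As an added illustration of the recertification procedure described above (example code written for this page, not COSO's or PwC's; the application names, user IDs, rights and HR roster are constructed), the script below compares an exported access listing with the owner's approved entitlements and sorts every difference into a category the owner must explain. The question the text asks, why the security administration process allowed the exception, is what the investigation of each resulting row then answers.

```python
"""Access recertification over a constructed access listing (added example).

The resource owner's approved entitlements are compared with the access rights
that actually exist, and every difference becomes an exception to investigate.
"""
from collections import defaultdict

# Constructed access listing as a hypothetical application would export it:
# (resource, user ID, right). All names are made up.
CURRENT_ACCESS = [
    ("erp-gl", "jdoe", "GL_POST"),
    ("erp-gl", "jdoe", "GL_VIEW"),
    ("erp-gl", "asmith", "GL_VIEW"),
    ("erp-gl", "tmiller", "GL_POST"),    # user has left the organization
    ("erp-gl", "rlee", "GL_POST"),       # granted without the owner's approval
    ("erp-gl", "svc_batch", "GL_ADMIN"),
    ("erp-ap", "asmith", "AP_APPROVE"),
    ("erp-ap", "rlee", "AP_ENTER"),
]

# Constructed owner-approved entitlements, keyed by resource.
APPROVED_ACCESS = {
    "erp-gl": {
        ("jdoe", "GL_POST"), ("jdoe", "GL_VIEW"), ("asmith", "GL_VIEW"),
        ("svc_batch", "GL_ADMIN"), ("kwong", "GL_VIEW"),
    },
    "erp-ap": {("asmith", "AP_APPROVE"), ("rlee", "AP_ENTER")},
}

# Constructed list of user IDs that HR currently reports as active.
ACTIVE_USERS = {"jdoe", "asmith", "rlee", "kwong", "svc_batch"}


def recertify(current, approved, active_users):
    """Return, per resource, the exceptions the owner has to explain.

    terminated_user: a right still held by someone no longer active
    unapproved:      a right that exists but was never approved
    approved_absent: an approved right that is not actually in place
    """
    actual = defaultdict(set)
    for resource, user, right in current:
        actual[resource].add((user, right))

    report = {}
    for resource in sorted(set(actual) | set(approved)):
        have = actual.get(resource, set())
        want = approved.get(resource, set())
        terminated = {(u, r) for (u, r) in have if u not in active_users}
        report[resource] = {
            "terminated_user": sorted(terminated),
            "unapproved": sorted((have - want) - terminated),
            "approved_absent": sorted(want - have),
        }
    return report


def exceptions_to_investigate(report):
    """Flatten the report into (resource, category, user, right) rows."""
    rows = []
    for resource, categories in report.items():
        for category, pairs in categories.items():
            for user, right in pairs:
                rows.append((resource, category, user, right))
    return rows


if __name__ == "__main__":
    result = recertify(CURRENT_ACCESS, APPROVED_ACCESS, ACTIVE_USERS)
    for row in exceptions_to_investigate(result):
        print("%-7s %-16s %-10s %s" % row)
```

The three categories point at different weaknesses in the administration process: a terminated user still holding a right is a leaver-process failure, an unapproved right is a grant that bypassed the owner, and an approved right that is absent is usually a provisioning backlog rather than a security exposure.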

Monitoring Procedure: Security Log Monitoring
Information Type: Indirect
Controls Addressed:
• Limited Access to Application Program Source Code
• Application Security
• Data Security & Change Control
• Limited Access to Production
• Job Scheduling & Management

Description:

A common control in any IT environment is the unique identification and authentication of users — a process that typically is accomplished by "signing on" to an IT resource using some combination of user ID and password or an equivalent. Many organizations log this activity to provide an audit trail of authorized IT resource users. Logging also records failed sign-on attempts whereby either the user ID did not exist or the password was incorrect for a valid user ID. Analyzing these access failures is a fairly common procedure that informs security-management personnel of any unusual activity that may be occurring. For example, impersonation attempts using a person's valid user ID, and guessing that person's password, would be logged as the same user ID making multiple invalid password-access attempts. This analysis provides only indirect information about the effectiveness of the internal controls since the information that is being monitored represents an analysis only of failures to gain access to information resources — it cannot identify inappropriate access that is successful in circumventing the controls.
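An added example of the failure-log analysis described above, written for this page rather than taken from the guidance; the log lines, host name, user IDs and addresses are constructed. It flags a burst of bad-password failures against one valid user ID, and separately a source address that tries several user IDs that do not exist. The last function shows the limit the text describes: a later successful sign-on by a flagged account is visible in the log, but the log alone cannot say whether that success was legitimate.

```python
"""Failed sign-on analysis over constructed security-log lines (added example)."""
from collections import Counter, defaultdict
from datetime import datetime

# Constructed log lines in a simple key=value format; the host, user IDs and
# addresses are made up and do not come from any real system.
SAMPLE_LOG = """\
2022-02-23T08:01:10 host=erp01 event=LOGON_FAILURE user=jdoe reason=BAD_PASSWORD src=10.1.2.15
2022-02-23T08:01:14 host=erp01 event=LOGON_FAILURE user=jdoe reason=BAD_PASSWORD src=10.1.2.15
2022-02-23T08:01:19 host=erp01 event=LOGON_FAILURE user=jdoe reason=BAD_PASSWORD src=10.1.2.15
2022-02-23T08:01:25 host=erp01 event=LOGON_FAILURE user=jdoe reason=BAD_PASSWORD src=10.1.2.15
2022-02-23T08:01:31 host=erp01 event=LOGON_FAILURE user=jdoe reason=BAD_PASSWORD src=10.1.2.15
2022-02-23T08:01:40 host=erp01 event=LOGON_SUCCESS user=jdoe src=10.1.2.15
2022-02-23T08:05:02 host=erp01 event=LOGON_FAILURE user=asmith reason=BAD_PASSWORD src=10.1.3.7
2022-02-23T08:05:30 host=erp01 event=LOGON_SUCCESS user=asmith src=10.1.3.7
2022-02-23T08:07:12 host=erp01 event=LOGON_FAILURE user=admin reason=NO_SUCH_USER src=10.1.9.44
2022-02-23T08:07:13 host=erp01 event=LOGON_FAILURE user=root reason=NO_SUCH_USER src=10.1.9.44
2022-02-23T08:07:14 host=erp01 event=LOGON_FAILURE user=test reason=NO_SUCH_USER src=10.1.9.44
2022-02-23T09:30:00 host=erp01 event=LOGON_FAILURE user=rlee reason=BAD_PASSWORD src=10.1.4.2
2022-02-23T15:30:00 host=erp01 event=LOGON_FAILURE user=rlee reason=BAD_PASSWORD src=10.1.4.2
"""


def parse_log(text):
    """Turn each line into a dict of fields, with 'ts' parsed as a datetime."""
    events = []
    for line in text.splitlines():
        ts, _, rest = line.partition(" ")
        if not rest:
            continue
        fields = dict(kv.split("=", 1) for kv in rest.split())
        fields["ts"] = datetime.fromisoformat(ts)
        events.append(fields)
    return events


def bad_password_bursts(events, threshold=5, window_seconds=300):
    """Valid user IDs with at least `threshold` bad-password failures inside
    `window_seconds`: the pattern the text describes for password guessing.
    Returns {user: total bad-password failures}."""
    failures = defaultdict(list)
    for e in events:
        if e["event"] == "LOGON_FAILURE" and e.get("reason") == "BAD_PASSWORD":
            failures[e["user"]].append(e["ts"])
    flagged = {}
    for user, times in failures.items():
        times.sort()
        # Sliding window over the sorted timestamps: the i-th and the
        # (i+threshold-1)-th failure must fall within the window.
        for i in range(len(times) - threshold + 1):
            if (times[i + threshold - 1] - times[i]).total_seconds() <= window_seconds:
                flagged[user] = len(times)
                break
    return flagged


def unknown_user_sources(events, threshold=3):
    """Source addresses that tried at least `threshold` user IDs that do not exist."""
    counts = Counter(
        e["src"] for e in events
        if e["event"] == "LOGON_FAILURE" and e.get("reason") == "NO_SUCH_USER"
    )
    return {src: n for src, n in counts.items() if n >= threshold}


def successes_after_burst(events, flagged):
    """Flagged user IDs that later signed on successfully. The log shows the
    success; it cannot show whether it was the account owner or a guesser."""
    return sorted({e["user"] for e in events
                   if e["event"] == "LOGON_SUCCESS" and e["user"] in flagged})


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    bursts = bad_password_bursts(evs)
    print("bad-password bursts:", bursts)
    print("unknown-user sources:", unknown_user_sources(evs))
    print("flagged accounts that then succeeded:", successes_after_burst(evs, bursts))
```

The thresholds are assumptions to be tuned to the environment. The two spaced failures for `rlee` are deliberately not flagged, since a count alone without a time window would treat ordinary mistyping like a guessing attempt. The output of the last check is a lead for the security administration process to follow up with the account owner, not evidence that the control held or failed.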

Monitoring Procedure: Independent Quality Assurance or Peer Review Over Program Development
Information Type: Direct
Controls Addressed:
• Program Testing
• Program Change Control

Description:

In many larger IT environments, an independent quality assurance function (or a peer review process) may review all proposed program changes prior to their movement into the production environment. In reviewing the program changes, the quality assurance team looks for evidence of testing and required approvals. In some cases, this function may also independently verify key aspects of the underlying process.

Monitoring Procedure: Change Review Board
Information Type: Direct and Indirect
Controls Addressed:
• Program Testing
• Program Change Control

Description:

Some organizations with frequent and potentially disruptive changes to the IT environment have appointed a "change review board" that provides oversight to the change process. Typically comprising cross-functional IT (and, possibly, business unit) managers — and less formal than the independent quality assurance or peer review discussed above — a change review board determines whether all requirements were met (approvals, testing and communication) before the changes were approved for movement or production, then, collectively, reviews and approves all changes. Whether this activity provides direct or indirect information about the effectiveness of controls depends on the nature of the information gathered and analyzed during the change review process.

Monitoring Procedure: Post-Implementation Reviews of Program Changes
Information Type: Indirect
Controls Addressed:
• Program Testing
• Program Change Control

Description:

Similar to the independent quality assurance processes discussed above, a post-implementation review of major program changes can provide indirect information about the effectiveness of internal controls over the development process. The distinction between the two review processes is that, as evidenced by its name, the post-implementation review occurs after a program has been placed into production and is being used in the business. The most effective post-implementation review processes include evaluations of (1) the functionality and usefulness of the program, and (2) the effectiveness of the internal controls that are built into the application programs and business or accounting processes.

Monitoring Procedure: Recovery Testing
Information Type: Direct
Controls Addressed:
• Data Redundancy

Description:

IT management may perform different levels of recovery-capability testing for different forms of disruption or disaster. To the extent that this testing involves the re-establishment of IT systems using either backup tapes or redundant/mirrored systems, it provides management with direct information regarding the effectiveness of the redundancy or backup controls.

9. Many organizations use automated tools to monitor the continued effectiveness of some IT-based controls. The general nature of such tools is discussed in the "Using Technology for Effective Monitoring" section of Volume II. The examples below are specific to IT controls and generally fall into one of four main categories (see figure below).

Figure: Monitoring Tools

Tools that Evaluate System Conditions


10. Many information system controls are enabled by configuring specific parameters or defining a set of rules. The automated tools in this first category monitor the consistency of such controls by examining the parameters or rules at a given point in time. These tools compare the resulting data to baseline data to determine if changes in the parameters have occurred and, if so, whether the changes were appropriate. Often these tools are used to monitor controls by:

• Comparing system parameters to pre-established requirements — Certain security controls and policies are enabled through parameter settings in the base operating system, a database environment, or the configuration of an application program. For example, controls such as the length and complexity of passwords and the frequency with which they must be changed are enabled by security parameters. Automated tools can be used to scan control settings and compare them to the resources' internal security policies and internal control requirements.
• Comparing system results to pre-established tolerance levels — Certain controls within application programs depend on the base configuration of the application. The configuration options can affect transaction processing (e.g., billings and payments) and/or the integrity of the application environment (e.g., security parameters and change control). For example, an inventory system's use of either LIFO or FIFO depends on the parameters that define the application configuration. Similarly, the tolerance levels for matching processes (e.g., vendor invoice quantities to a receiving report) are dependent on application configuration. Automated tools can provide for periodic or continuous visibility of system configuration settings for identifying and evaluating out-of-tolerance settings.
• Evaluating system access rights for possible segregation-of-duties issues — Within ERP systems, limiting access rights to segregate incompatible duties is enabled by application security rules that are based on an organization's definition of roles and the access rights associated with those roles. For example, incompatible duties within or between application programs are identified by comparing existing user access rights to a baseline set of incompatible rights either within a single application or across multiple applications. Some automated tools can enhance the effectiveness and efficiency of this potentially complex, time-consuming task by continuously monitoring the compatibility of duties.
• Evaluating propriety of administrator rights access — In any technology environment, "administrator rights" must be assigned to those responsible for administering the resource(s). Since someone with administrator rights to a resource can perform any function with respect to that resource, most organizations limit these rights to a small group of personnel. Automated tools can provide management with the information it needs to monitor the assignment of administrator access rights.
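An added example covering the first, third and fourth bullets above, written for this page and not taken from the guidance; the parameter names, policy values, rights and user IDs are constructed and match no particular product. It compares a parameter snapshot with policy requirements, evaluates each user's combined rights across applications against a baseline of incompatible duties, and lists holders of an administrator right who are not on the approved list. The lockout check uses a range rather than a ceiling because a value of 0 meaning "never lock" would otherwise pass a simple "at most 5" test.

```python
"""Tools that evaluate system conditions (added example).

Three checks: security parameters against policy, user access rights against
a baseline of incompatible duties, and administrator rights against an
approved group. All data below is constructed.
"""

# Constructed policy: parameter name -> (check, required value). The names
# are illustrative and do not correspond to any particular product's settings.
POLICY = {
    "min_password_length": ("min", 12),
    "password_max_age_days": ("max", 90),
    "password_complexity": ("eq", True),
    "lockout_threshold": ("range", (1, 5)),   # 0 would mean "never lock"
}

# Constructed parameter snapshot as read from a hypothetical database server.
SNAPSHOT = {
    "min_password_length": 8,
    "password_max_age_days": 90,
    "password_complexity": True,
    "lockout_threshold": 0,
}


def compare_parameters(snapshot, policy):
    """Return (parameter, actual, check, required) for every setting that does
    not meet policy. A parameter missing from the snapshot is reported, not
    silently treated as compliant."""
    findings = []
    for name, (check, required) in policy.items():
        actual = snapshot.get(name)
        if actual is None:
            ok = False
        elif check == "min":
            ok = actual >= required
        elif check == "max":
            ok = actual <= required
        elif check == "eq":
            ok = actual == required
        elif check == "range":
            ok = required[0] <= actual <= required[1]
        else:
            raise ValueError("unknown check %r" % check)
        if not ok:
            findings.append((name, actual, check, required))
    return findings


# Constructed baseline of incompatible rights, spanning two applications
# (AP_* from an accounts-payable system, GL_* from the general ledger).
INCOMPATIBLE = [
    frozenset({"AP_ENTER", "AP_APPROVE"}),
    frozenset({"AP_ENTER", "VENDOR_MAINTAIN"}),
    frozenset({"GL_POST", "GL_RECONCILE"}),
]

# Constructed user -> rights held across all applications.
USER_RIGHTS = {
    "asmith": {"AP_APPROVE", "GL_VIEW"},
    "rlee": {"AP_ENTER", "VENDOR_MAINTAIN"},
    "jdoe": {"GL_POST", "GL_RECONCILE", "SYSADMIN"},
    "svc_batch": {"GL_POST", "SYSADMIN"},
}

# Constructed list of personnel approved to hold the administrator right.
APPROVED_ADMINS = {"jdoe"}


def sod_conflicts(user_rights, incompatible):
    """User IDs holding every right in at least one incompatible set,
    with the conflicting combinations listed for each."""
    conflicts = {}
    for user, rights in user_rights.items():
        hits = sorted(tuple(sorted(pair)) for pair in incompatible if pair <= rights)
        if hits:
            conflicts[user] = hits
    return conflicts


def unapproved_admins(user_rights, approved, admin_right="SYSADMIN"):
    """User IDs holding the administrator right without being on the approved list."""
    return sorted(u for u, r in user_rights.items()
                  if admin_right in r and u not in approved)


if __name__ == "__main__":
    print("parameter findings:", compare_parameters(SNAPSHOT, POLICY))
    print("segregation-of-duties conflicts:", sod_conflicts(USER_RIGHTS, INCOMPATIBLE))
    print("unapproved administrators:", unapproved_admins(USER_RIGHTS, APPROVED_ADMINS))
```

Each finding is a baseline deviation for the control owner to justify or correct; the tool supplies the comparison, and the judgment about whether a deviation was appropriate remains with the person monitoring the control.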

11. Tools that monitor information-system conditions increase the speed and effectiveness of monitoring, allowing it to be performed on a more frequent basis. Such tools may operate periodically (sometimes described as "scanning based"), or they can operate continuously as an integrated component of software or hardware (sometimes described as "agent based"). Many factors drive the decision as to which approach is correct, including the:

• Importance of the related control,
• Prioritization of the risk the control is designed to mitigate, and
• Effort and/or cost associated with using the tool.

Tools that Monitor for Changes in Applications
12. Tools that identify changes are an extension of those that focus on conditions. The basic difference

is that change-identification tools are designed specifically to identify and report changes that have been

made to critical programs, infrastructure resources, databases or data so that management or its
designees can verify the appropriateness and authorization of those changes. They usually operate

continuously to identify relevant changes or, much like tools that focus on business transactions, they

analyze log information created by different IT resources, thus highlighting relevant change-related
activity that may be significant.

13. Where controlling change is important, organizations typically employ a form of "change control" that

includes both a preventive control (e.g., limits to specific personnel the ability to make changes) and a

detective control (e.g., all changes are recorded, reviewed and approved by someone who is
independent of those making the changes). When evaluating change control, the following

considerations should be taken into account:


 Not all IT resources are capable of recording changes;
 In large IT environments, individual resource components may be so numerous that detective analysis
would be overwhelming;
 Some resources' built-in logging capabilities may have unacceptable effects on system performance;
and
 The built-in logging features of some systems are easily disabled, making them unsuitable for use in
higher-risk areas.

14. Tools in this second category can be used as part of a control activity, part of monitoring activities, or both. For example, an evaluator performs a monitoring activity when using information from a tool to identify a change requiring approval confirmation. In contrast, if a user employs that same information to investigate and seek approval for the change, it is likely being used in a control activity. If both users and evaluators make use of the information, the tool serves dual purposes. Specifically, tools in this category can:

• Identify changes that have been made to application programs, database structures or data, and security rights and permissions. These tools can provide visibility to change-related activity so that the activity can be validated independently, thus establishing whether the underlying change-control process works as designed.
• Alert appropriate personnel when certain types of "mission-critical" changes are being made, ensuring transparency throughout the organization and, as necessary, timely action. For example, the tools may identify when someone with "administrator" rights makes particular changes or performs certain actions, facilitating an independent review of the activity.
• Evaluate the propriety of changes (i.e., whether all planned changes were made consistently and completely). For example, in a certain distributed, integrated and high-volume transaction system, application program consistency between locations can be part of the controls over the system as a whole. That consistency may depend on all remote locations running an identical version of the application program.
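The three capabilities listed above (identifying changes and validating them against approvals, alerting on privileged changes to mission-critical objects, and checking that every location runs the same program version), together with the logging caveat from paragraph 13, as one added Python example. This is not tooling from the original guidance or from any product; the location inventories, change-log records, ticket identifiers, role labels and logging flags are constructed sample data and are assumptions of the example.

```python
"""Added example: change-control monitoring over a multi-location deployment.
Not code from the original guidance or from any product. All inventories,
log records, tickets and role labels below are constructed sample data."""
import hashlib
from collections import Counter


def digest(content: bytes) -> str:
    """Identity of a deployed program file; in practice read from disk."""
    return hashlib.sha256(content).hexdigest()


# Constructed: the program files each location currently runs (name -> bytes).
DEPLOYED = {
    "store-01": {"pos.exe": b"pos v4.2", "tax.dll": b"tax 2023-Q4"},
    "store-02": {"pos.exe": b"pos v4.2", "tax.dll": b"tax 2023-Q4"},
    "store-03": {"pos.exe": b"pos v4.1", "tax.dll": b"tax 2023-Q4"},  # stale version
}
# Constructed: whether each location's built-in change logging is still on.
LOGGING_ENABLED = {"store-01": True, "store-02": True, "store-03": False}
# Constructed change-log records: who changed what, where, under which ticket.
CHANGE_LOG = [
    {"loc": "store-01", "actor": "deploy-svc", "role": "service",
     "object": "pos.exe", "ticket": "CHG-1041"},
    {"loc": "store-02", "actor": "deploy-svc", "role": "service",
     "object": "pos.exe", "ticket": "CHG-1041"},
    {"loc": "store-02", "actor": "jdoe", "role": "administrator",
     "object": "security.acl", "ticket": None},
]
# Constructed: approved change tickets and the objects each one authorises.
APPROVED_TICKETS = {"CHG-1041": {"pos.exe"}}
# Constructed: objects whose change warrants an alert and independent review.
MISSION_CRITICAL = {"pos.exe", "security.acl"}


def version_drift(deployed):
    """{file: {location: digest}} for files whose digest differs from the
    version most locations run. Identical versions everywhere is the control;
    any outlier is the finding to investigate."""
    findings = {}
    files = set().union(*(d.keys() for d in deployed.values()))
    for name in sorted(files):
        per_loc = {loc: digest(d[name]) for loc, d in deployed.items() if name in d}
        majority = Counter(per_loc.values()).most_common(1)[0][0]
        outliers = {loc: h for loc, h in per_loc.items() if h != majority}
        if outliers:
            findings[name] = outliers
    return findings


def unapproved_changes(change_log, approved):
    """Recorded changes with no ticket, or whose ticket does not cover the
    object that was changed: the change-control process was bypassed."""
    return [c for c in change_log
            if c["ticket"] is None
            or c["object"] not in approved.get(c["ticket"], set())]


def privileged_critical_changes(change_log, critical):
    """Mission-critical objects changed by someone holding administrator
    rights; alerted for independent review whether or not a ticket exists."""
    return [c for c in change_log
            if c["role"] == "administrator" and c["object"] in critical]


def unmonitored_locations(logging_enabled):
    """Locations whose change logging is off cannot be covered by this
    detective control; report them instead of treating silence as clean."""
    return sorted(loc for loc, on in logging_enabled.items() if not on)


def run_checks():
    return {
        "drift": version_drift(DEPLOYED),
        "unapproved": unapproved_changes(CHANGE_LOG, APPROVED_TICKETS),
        "privileged": privileged_critical_changes(CHANGE_LOG, MISSION_CRITICAL),
        "unmonitored": unmonitored_locations(LOGGING_ENABLED),
    }


if __name__ == "__main__":
    for check, result in run_checks().items():
        print(f"{check}: {result}")
```

The drift check compares each location against the version the majority runs rather than against a declared release, so it still works when the release record itself is wrong; the ticket check catches the opposite case, a rollout that is consistent everywhere but was never approved. The unmonitored-location list is what turns the "logging easily disabled" caveat into a reportable finding rather than a silent gap.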

Tools that Evaluate Processing Integrity

15. These automated tools are designed to verify and monitor the completeness and accuracy of the various steps that might occur in high-volume and complex application program process streams. For example, multi-site retailers with distributed point-of-sale (POS) systems at stores often employ daily — or even more frequent — processes for transmitting POS data from each store to a central processing environment. Usually, the tools in this category balance and control data as it progresses through processes and systems, performing activities such as:

• Independently verifying the format and content of data to be processed, avoiding the processing of bad data;
• Reconciling financial totals and/or transaction/record counts between disparate files or databases (for example, ensuring the completeness and accuracy of data from source systems to the general ledger and from the general ledger to data warehouses);
• Confirming data file, record and field accuracy as data is aggregated or disaggregated and as it moves across systems and processes; and
• Automatically verifying, reconciling and confirming data.

Tools that Facilitate Error Management


16. Most application programs that interface with other systems are designed to detect transactions that do not meet defined criteria. Such transactions are sometimes captured in a suspense area, investigated and corrected before transaction processing can be completed. For example:

• An automotive parts supplier may receive a technically valid electronic data interchange (EDI) message describing an authorized shipping schedule; however, the message may contain an invalid order identification that requires investigation and correction before being processed further;
• A telecommunications provider may receive message information from its telephone switching systems regarding a customer's phone usage, but the customer may not yet have been added to the billing system so that those messages could be rated and billed; or
• A bank may receive properly directed deposit or checking activity, but the customer account number may be invalid.

17. Although these types of systems operate as control activities, monitoring and resolving the activity in the suspense areas substantiates the effective operation of controls over error resolution. Typically these tools also document error resolution, which provides an audit trail evidencing control operation.
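The balancing and reconciliation activities of paragraph 15 and the suspense-area handling of paragraphs 16 and 17, combined in one added Python example that is not code from the original guidance or from any vendor tool. A store's batch feed is validated record by record for format and content, failures are parked in a suspense area with a reason, the batch is reconciled against the sender's declared count and total and against what was accepted plus suspended, and every suspense correction is written to an audit trail. The CSV layout with a "T" trailer line, the sample feed and the account master are constructed assumptions.

```python
"""Added example: processing-integrity checks and a suspense area with an
audit trail for one store's batch feed. Not code from the original guidance
or from any product. Assumed (constructed) feed layout: data records
"D,txn_id,account,amount" followed by a trailer "T,<count>,<total>" that the
sending system writes from its own records."""
import csv
import io
from datetime import datetime, timezone
from decimal import Decimal, InvalidOperation

# Constructed sample feed: the sender declares 4 records totalling 300.00,
# but one account is unknown here and one amount arrived corrupted.
STORE_FEED = """\
D,1001,ACC-00042,19.99
D,1002,ACC-00042,5.01
D,1003,ACC-99999,250.00
D,1004,ACC-00077,abc
T,4,300.00
"""
# Constructed account master used for the content (referential) check.
ACCOUNT_MASTER = {"ACC-00042", "ACC-00077"}


def parse_batch(text):
    """Split the feed into data records and the sender's control totals."""
    records, trailer = [], None
    for row in csv.reader(io.StringIO(text)):
        if not row:
            continue
        if row[0] == "T":
            trailer = {"count": int(row[1]), "total": Decimal(row[2])}
        elif row[0] == "D":
            records.append({"txn_id": row[1], "account": row[2], "amount": row[3]})
    if trailer is None:
        raise ValueError("missing trailer: batch cannot be reconciled")
    return records, trailer


def _amount(text):
    try:
        return Decimal(text)
    except InvalidOperation:
        return None


def validate(rec, master):
    """Format and content checks; None if clean, otherwise the reason."""
    amt = _amount(rec["amount"])
    if amt is None:
        return "amount not numeric"
    if not amt.is_finite() or amt <= 0:
        return "amount not positive"
    if rec["account"] not in master:
        return "unknown account"
    return None


def _event(action, txn_id, detail, who):
    return {"ts": datetime.now(timezone.utc).isoformat(), "action": action,
            "txn_id": txn_id, "detail": detail, "by": who}


def reconcile(records, trailer, accepted, suspended):
    """Balance what the sender declared against what arrived, and check that
    every received record is either accepted or sitting in suspense. In
    production 'accepted' would come from the receiving system's own count."""
    amounts = (_amount(r["amount"]) for r in records)
    received_total = sum((a for a in amounts if a is not None), Decimal("0"))
    report = {"declared_count": trailer["count"], "received_count": len(records),
              "declared_total": trailer["total"], "received_total": received_total,
              "accepted": accepted, "suspended": suspended}
    report["count_ok"] = trailer["count"] == len(records)
    report["total_break"] = trailer["total"] - received_total  # non-zero: investigate
    report["total_ok"] = report["total_break"] == 0
    report["complete"] = accepted + suspended == len(records)
    return report


def process_batch(text, master, suspense, audit):
    """Accept clean records, park failures in suspense with a reason, and
    return the reconciliation report for the batch."""
    records, trailer = parse_batch(text)
    accepted = 0
    for rec in records:
        reason = validate(rec, master)
        if reason:
            suspense[rec["txn_id"]] = dict(rec, reason=reason)
            audit.append(_event("suspended", rec["txn_id"], reason, "system"))
        else:
            accepted += 1
    return reconcile(records, trailer, accepted, len(records) - accepted)


def resolve(txn_id, field, new_value, who, suspense, audit, master):
    """Correct one field of a suspended record and re-validate it. The audit
    entries (who, when, old -> new) are the evidence that the error-resolution
    control operated. Returns True if the record was released."""
    rec = suspense[txn_id]
    old = rec[field]
    rec[field] = new_value
    audit.append(_event("corrected", txn_id, f"{field}: {old} -> {new_value}", who))
    reason = validate(rec, master)
    if reason:
        rec["reason"] = reason
        audit.append(_event("still suspended", txn_id, reason, "system"))
        return False
    del suspense[txn_id]
    audit.append(_event("released", txn_id, "passed validation", "system"))
    return True


if __name__ == "__main__":
    suspense, audit = {}, []
    print(process_batch(STORE_FEED, ACCOUNT_MASTER, suspense, audit))
    resolve("1003", "account", "ACC-00077", "ops-analyst", suspense, audit, ACCOUNT_MASTER)
    resolve("1004", "amount", "25.00", "ops-analyst", suspense, audit, ACCOUNT_MASTER)
    print(len(audit), "audit events;", len(suspense), "records still in suspense")
```

On the sample feed the record count reconciles but the total shows a 25.00 break, which is exactly the corrupted amount sitting in suspense: the reconciliation does not hide the bad record, it points the investigator at it. Corrections that fail re-validation stay in suspense with an updated reason, and the audit trail records both the attempt and the outcome.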

Assessing and Reporting Results


18. Reporting the results of monitoring controls that address IT-related risks mirrors that of other controls. However, assessing the impact of identified deficiencies may be complicated by the fact that, while many IT controls can be pervasive, compensating controls that mitigate deficiencies may also exist in business and accounting processes. As such, the efficient and effective assessment of the results of monitoring requires effective communication between the IT, accounting and financial reporting departments.

19. Some organizations also have IT "problem management" processes. Problem management differs from, but relates to, incident management. The purpose of incident management is to return IT applications and services to normal levels as soon as possible and with the least possible business impact. The principal purpose of problem management is to find and resolve the root cause of a problem, thereby reducing future incidents.

Summary and Observations


20. Nearly every organization has information technology risks that are meaningful to organizational objectives. However, those risks may be prioritized differently across different systems and organizations. The risk factors discussed above are intended to help organizations customize their IT-related risk prioritization efforts.

21. Once risks are prioritized, organizations can focus monitoring efforts on the controls that provide the most value in reaching a conclusion about the effectiveness of the internal control system — noting that the controls may reside outside of the IT environment (e.g., the CEO's manual check signing or other manual controls that, on a timely basis, confirm the validity of information processing).

Footnotes

[3] Some organizations may choose to conduct their risk prioritization efforts at the level this organization refers to as "risk factors." For this organization, however, prioritizing risks one level higher, then focusing on the controls that address the related risk factors, provides an adequate level of support for its internal control decisions, including the internal controls it will monitor and how it will monitor them.

[4] These extensive store inventory controls are possible because inventory consists of a relatively small number of large items that are easily counted. The scope of these controls may not be feasible in other types of organizations, including other retail organizations.

[5] General controls (also known as infrastructure controls) apply to a defined group of application systems or their related data. They include, but are not limited to, application program access, testing and change control, data and database security, IT operations and job management, backup, recovery, and business continuity.

[6] The terms in the Nature of Risk column in this table serve only to assign a brief name to each risk, providing a linkage throughout the remainder of the discussion. Readers may note that the names do not fully reflect the essence of the related risk.

Appendices

The appendices include excerpts from real organizations' documents that relate to one or more of the examples
presented earlier in this volume. Organization names have been removed, and other potentially identifying
features, such as department names and report titles, have been altered to preserve the organizations' privacy.

Note that the appended examples are not intended to dictate how monitoring should be performed, documented
or reported. Instead, they merely represent documents and tools that some organizations have used in their own
monitoring procedures. Each organization should determine independently the documentation and tools it needs
to facilitate monitoring.

Appendix A: ABC Company COSO Usage Document Related to Example 1

Notes about the material

Appendix A contains excerpts from a longer, 30-page document prepared by a large professional services
organization (ABC Company). The organization updates the document annually and uses it to facilitate and
communicate responsibilities and expectations about how the organization adheres to the principles contained in
the COSO Framework. These excerpts relate specifically to how the organization addresses the risk assessment
and monitoring components of internal control.

Overview
Implementation of the COSO Framework
1. ABC Company has selected the Committee of Sponsoring Organizations (COSO) Framework as the guiding framework for internal control over financial reporting. In relation to its Financial Reporting section, the framework's general objectives and guidelines have been mapped to ABC Company's processes and activities; thus, execution of the framework's objectives should occur naturally as part of ABC Company's normal activities.

2. The COSO framework includes a number of specific activities that support and reinforce each other. As a set of general principles:

• Control Environment activities set the "tone at the top," are widely spread and set the appropriate tone for the organization. These activities are evaluated annually to demonstrate good enterprise-wide awareness and compliance.
• Widely spread control activities that relate directly to financial integrity and/or fraud prevention are noted as part of the Control Activities and are evaluated regularly.
• Closely held activities that do not require the same level of widespread execution are listed in Monitoring, Risk Assessment or Information & Communication. While some of them are included in the Control Activities, most simply are outlined and confirmed as executed on an annual basis.

3. Each section of the COSO framework is summarized, and the key ABC Company activities are patterned after the COSO framework summary.[7]

Risk Assessment
4. As defined by COSO, Risk Assessment recognizes that, for an entity to exercise effective controls, it must establish objectives and understand the risks it faces in achieving those objectives. Management should understand the implications of relevant risks that might hinder progress toward the objectives and provide a basis for managing those risks.

5. At the summary level, the COSO framework outlines several areas of focus that should be considered in order to establish an effective Risk Assessment process.

Area of Focus: Entity-Wide Objectives
ABC Company expectations:
• Broad statements of what an entity desires to achieve, supported by strategic plans.
• Effective communication of those objectives (to board and employees).
• Consistency of strategy and objectives.
• Consistency of business plans and budgets with entity-wide objectives, strategic plans and current conditions.

Area of Focus: Activity (Unit)-Level Objectives
ABC Company expectations:
• Activity (unit)-level objectives should link to entity-wide objectives and strategic plans.
• Activity-level objectives should be consistent and complementary.
• Objectives are established for each significant business-process area.
• Adequate resources exist to achieve objectives.
• Objectives are prioritized to ensure achievement of entity objectives.
• All levels of management are involved in objective setting to ensure commitment to objectives.

Area of Focus: Risks
ABC Company expectations:
• Consideration of external and internal factors that could impact achievement of objectives (with risk analysis to provide management a basis for managing the risks).
• Adequate mechanisms to identify risks externally and internally.
• Identification of risks for each activity's (unit's) objective(s).
• Thoroughness and relevance of the risk-analysis process (formality of the process, involvement of senior management, etc.).

Area of Focus: Managing Change
ABC Company expectations:
• Mechanisms must exist to identify and react to routine events or activities that could affect achievement of objectives.
• Mechanisms must exist to identify dramatic or pervasive shifts — such as programs to identify customer demographic or paradigm shifts and workforce skill shifts.
• Introduction of new personnel is appropriately managed to orient them to the organization's culture and ensure awareness of their controls.
• New information systems are adequately assessed for impact to ensure that controls are adequate and that the system was appropriately developed and properly implemented (processes designed, employees trained, etc.).
• Rapid growth is managed via (1) supporting systems-capability growth, (2) supporting workforce additions as needed to support the growth (e.g., accounting staff), (3) appropriate revision of budgets, and (4) addressing interdepartmental issues caused by plan revisions.
• New technology developments are monitored (information is gathered, competitors' use is considered, mechanisms exist to introduce new technology into the organization).
• New products are reasonably forecast, IT and staffing are sufficient, early results are tracked, impact on other company products is evaluated, and overhead is evaluated to reflect product contribution accurately.
• Restructuring or downsizing is planned in such a way that reductions are analyzed for impact on operations, terminated employees' control responsibilities are reassigned, impact on morale is considered, and safeguards exist to protect against disgruntled employees.
• Foreign operations are evaluated regularly, management is aware of political and regulatory issues, personnel are aware of accepted customs and rules, and procedures exist to deal with potential communications interruptions.

Risk Assessment & Risk Management Activities


6. While utilizing other frameworks to manage overall risk, ABC Company includes a set of activities that align with the first three areas of focus: the company-wide (or entity) level, the division level, and the project level. Change-management activities are summarized at the end of the section.
Entity- & Unit-Level Objective Setting

7. Entity and activity objectives are established and communicated through the planning process:

• The planning process is anchored by a five-year strategic plan, which is updated annually. The five-year plan encapsulates the entities' strategic intent in a series of strategies relative to type of work mix (revenue growth by offering), target margin structures by offering, workforce evolution to support target work mix, SG&A targets, executive through staff pyramids headcount, and overall financial strategy (sources and uses of cash, equity programs).
• The five-year plan is then used as a key input into the next fiscal year annual plan (along with current operating data), which drives the entities' key financial objectives into each division. The annual plan is an integrated plan; all major entities are included and plan results are aligned to overall entity results.
• Each entity then completes a detailed plan, considering a variety of factors (e.g., market conditions), and the opportunity to adjust the top-level plan as detailed plans are completed. Plans are completed at the lowest P&L level, approved by the leader of that division, and reviewed by management as needed.
• During the fiscal year, each division completes a quarterly forecast. Once the top-level plan is completed, it is updated quarterly through the quarterly forecasting process, and adjustments in operations (such as reductions or increases in hiring) are identified and communicated as required to achieve the plan across entities. Each entity is then responsible for operationalizing specific changes (such as cost reductions) required to achieve the corporate objectives. The forecasting process also provides opportunities to request additional funding and modify budgets as appropriate (based on reviews).
• Achievement of objectives is monitored through a variety of reporting packages; a common core set of reports is produced by SAP with a common core set of metrics. Metrics vary logically between revenue-generating divisions and those responsible only for costs.

8. Once completed, a summary of the plan is communicated in a variety of ways (including but not limited or exclusive to):

• The board of directors reviews and approves a summary of the financial plan.
• Corporate executives are given a copy of the ABC Company business plan, which includes an overview of the company's financial and operational priorities for the year.
• Most personnel have the opportunity to attend communication events to learn about the organization's focus. These generally occur via Web cast or possibly via location meetings. (Exceptions relate to technology access and some specific business situations.)

9. In addition to the planning process outlined above, a number of detailed (but relevant) activities occur to monitor risks and drive strategic objectives through the organization. Specifically:

• The ABC Company Corporate Strategy team completes a number of strategic assessments, which address various strategic and operational issues (for example, analysis of margin results) or external issues. The efforts of the Corporate Strategy team are under the direction of the Corporate Executive Leadership team, reporting directly to the chief strategy and corporate development officer (by role, title may vary), to ensure appropriate visibility to the "road signs" of change.
• Periodically, as determined primarily by the chief executive officer, ABC Company may undertake a large-scale, comprehensive review of its strategy, which would include an examination of internal (e.g., ABC Company recent performance) and external (e.g., competitive environment, market trends) factors that inform the refinement of its strategy. This process also includes an analysis of various risks including market and competitors.
• ABC Company maintains an Office of Government Relations team and a Worldwide Asset Security team that monitor political trends. As with the Corporate Strategy team, specific issues are identified and acted upon based on the political risk to the organization. As-needed briefings are provided to the ABC Company Corporate Executive Leadership team.
• ABC Company completes an annual risk assessment, which is a cross-functional, external and internal risk assessment. A number of different risk areas are evaluated (for impact and increasing/decreasing risk), and senior management uses the resulting data as an input into the planning process. The process reports to the chief risk officer, and is driven by internal audit; results are shared with the ABC Company Corporate Executive Leadership team.
• ABC Company's Office of the CEO maintains an organization operating model that establishes how the company operates, how the company is organized, and how the various entities and roles in the organization work together to provide effective and efficient customer service. This document is updated throughout the annual cycle to reflect any changes in the organization and serves as one of many management tools to execute the strategic plan and objectives that are developed.
• Programs are created to address specific risks or drive specific objectives across units. Program execution is monitored by the Corporate Strategy team, reporting to the chief operating officer.
• Regular management meetings occur at all levels to monitor risks, address issues and prioritize activities and objectives, and to monitor progress in achieving objectives (division level and corporate level).
• Specific activities occur in each node to monitor specific risks. For example, HR monitors attrition, and the CIO monitors application backup activities. Specific to IT, strategic technology trends are regularly considered as a part of the IT strategy; this is outlined in more detail in the IT controls strategy document.
• Benchmarking of major functional areas (cost of Finance, HR, Sales, CIO, etc.) occurs to ensure competitive and reasonable results across the organization.

Contract-Level Risk Assessment and Management Activities

10. ABC Company's business revolves around unique contracts with its customers. Accordingly, a set of risk assessment and management activities exists to ensure that contract risks are appropriately identified, considered, and managed:

• Each division considers the appropriate customers to pursue as a part of its annual planning exercise (including considering risk to the unit and to ABC Company as a whole). The resulting target set of customers, while not exclusive of other customers, is the focus of most of sales & marketing's efforts.
• All contracts go through an approval process at various levels in the division. During that process, the risk inherent in the contract is considered, and the return on the contract is balanced with the risk.
• Larger, riskier contracts meeting specific criteria go through a special corporate-level approval process via a Contract Approval Committee chaired by the chief risk officer. This process ensures that senior leadership has the opportunity to consider the risks on these large contracts. The Contract Approval Committee's process includes reviews by a number of subject matter experts (such as legal) and an explicit, standardized risk-management assessment.
• In accordance with the quality assurance (QA) process, a QA review is required for all new opportunities during the selling phase, prior to submission to the customer. The frequency and timing of opportunity QA reviews vary based on the size and risk of the opportunity — larger/riskier opportunities are subject to more-frequent QA reviews. QA reviews are required for all contracts during the delivery of services under the contract. Service-delivery QA reviews vary in their frequency and timing because they align with key project milestones; however, they must be performed at least quarterly on the highest-risk projects.
• To reduce risk, ABC Company employs a standard methodology in its delivery of services. Methods are updated regularly to reflect changing market dynamics and new research.
• Customer satisfaction is monitored on an ongoing basis via Web-based surveys, providing customers with an independent method of raising issues across the scope of work being performed for them. ABC Company management monitors all customers' feedback for market trends and issues.

Corporate-Level Contract Risk Monitoring

11. At the corporate level, high-risk contracts are monitored for risks that would harm the entity. Contracts with a specific risk profile are identified and escalated through the "high impact" reporting process. As a contract's risk-profile level increases, management attention intensifies to ensure that monitoring and intervention are appropriate.

Other Risk Monitoring Activities

12. Various other activities occur to monitor risk, the most notable of which include crisis monitoring and response:

• ABC Company's Worldwide Asset Security Team monitors news and security sources for geopolitical issues or natural disasters that impact the organization's operations worldwide. As situations warrant, it contacts or is contacted by local management. The team has an escalation path to a corporate Situation Management Committee, which includes appropriate (based on situation) senior leadership.

Risk Monitoring Summary

13. The following chart summarizes how ABC Company's activities support the risk assessment area of the COSO framework. It is meant to be illustrative in nature, with the detail above representing the actual activities.

Activity | Responsible Party | Areas of Responsibility supported (Entity Objectives, Activity (Unit) Objectives, Risks; one mark per area)
Annual risk assessment | Chief Risk Officer | ✓ ✓ ✓
Five-year strategic plan, updated at least annually | Chief Strategy and Corporate Development Officer | ✓
Annual plan, driven to division level | Finance Operations | ✓ ✓
Quarterly forecast, tied to corporate objectives | Finance Operations | ✓
Customers are targeted, including assessment of aggregate risk | Division Chief Operating Officer | ✓ ✓
Contracts are reviewed and approved, including risk assessment | Division | ✓ ✓ ✓
Large, high-risk contracts meeting criteria are reviewed separately via Contract Approval Committee | Contract Approval Committee | ✓ ✓ ✓
Contracts subjected to quality reviews | Chief Risk Officer/Division Chief Operating Officer | ✓
Customer satisfaction is monitored regularly | Chief Risk Officer/Division Chief Operating Officer | ✓
Key customer financial situation is monitored | CFO |
High-risk contracts with potential issues are monitored by various levels of senior management | Chief Risk Officer | ✓ ✓
Geopolitical monitoring | Corporate Strategy; Office of Gov't Relations; Asset Protection |
Periodic ethics and compliance risk assessment | Compliance Officer | ✓

ABC Company Change-Management Activities

14. The COSO framework notes that effective change management is an important part of risk assessment, and ABC Company completes a number of different activities to monitor and address events that could disrupt operations. Management of these change events — at the ABC Company or entity level — is distributed across a number of different groups, as outlined below.

COSO Change-Management Area, followed for each area by Responsible Party: ABC Company Activity

COSO Change-Management Area: Anticipation of internal & external events that could impact ABC Company
• Office of Gov't Relations; Corporate Strategy; Internal Audit; Worldwide Asset Security: As noted above, external risk-assessment activities include monitoring of key external trends and political risks that could disrupt the entity.
• Corporate Strategy: Internally, the Corporate Strategy team tracks major internal programs (combined with selected external trends) and provides that information to senior management, who can influence major changes in the organization.
• Operations: Operations tracks major internal operational programs that are outside the realm of the strategic programs tracked by Corporate Strategy.

COSO Change-Management Area: Changed operating environment — changes in the operating environment that could impact ABC Company
• Corporate Strategy; Internal Audit: As noted earlier, Corporate Strategy and Internal Audit both assess external trends that would result in risk to the entity (such as declining margins).
• Legal: Legal monitors selected elements of the regulatory environment for changes that would create risk for the entity, and provides updates to management on key trends.
• Corporate Strategy; HR: External labor-market trends are monitored primarily by HR, with some work performed by country operation teams; internal employee trends are monitored via global employee surveys. Employee engagement is explicitly included and monitored as a part of corporate metrics.
• Division: The division resource-planning process considers inputs from a variety of sources to balance resource needs and regularly (quarterly) revises the staffing and recruiting needs as a part of the quarterly forecasting process.

COSO Change-Management Area: New personnel — certainty that personnel are aware of ethical standards
• HR/Ethics and Compliance Office: New personnel go through an orientation process that touches on key aspects of ABC Company's culture, including the code of business ethics and related policies, as appropriate. They also participate in training on internal controls over financial reporting as well as operational controls related to other processes, if relevant. This also includes specific corporate-required training based on level and function.
• HR: Control responsibilities (macro level) have been added when relevant to position responsibilities to ensure the responsibilities are kept independent from the incumbent and remain intact as people change jobs.
• Division Internal Control Leads: Division internal control leads are responsible for communicating and monitoring assignment of controls to ensure execution responsibilities are clear.

COSO Change-Management Area: New information systems — consider whether controls are properly developed, and the impact on the organization, when the go-live is assessed
• CIO:
  - IT controls include controls related to the system development lifecycle, including the appropriate development, testing, and installation controls.
  - System-development projects include a communication or change-management aspect (unless approved to exclude, or impact on organization is nominal). For major changes, this generally will include communication, training and process change.
  - To ensure that key activities are executed for large financial-system projects, system development is monitored via steering committees, quality assessments, and CIO development controls.
  - For key financial systems, control impacts are explicitly considered.

COSO Change-Management Area: Rapid growth is monitored and budgets are revised according to results
• Corporate Strategy; Global Business Operations; HR: ABC Company's strategy is considered when internal budgets and non-financial targets are set; monitoring considers resource shortfalls as well as excesses.
• Finance Operations: As noted earlier, budgets are revised quarterly, and growth can be accommodated based on business need.
• CIO: CIO spend is guided by an IT Steering Committee that considers both growth and ABC Company's strategy in assigning budgets and resources.

COSO Change-Management Area: New technology is monitored to assess impact on organization
• CIO: CIO strategy (updated periodically) considers developments in technology.

COSO Change-Management Area: New product offerings or acquisitions are monitored for impact
• Divisions:
  - New service offerings are monitored for financial and market success.
  - Needs for new skills are monitored and communicated to recruiting (for acquiring externally) and training (via internal capability-building plans).
  - Impacts of new service offerings and new skills are monitored via standard reporting (for example, impact of a new service offering on the success of an existing one).
• Finance Operations: Overhead allocations (and other related financial reporting mechanisms) are adjusted annually to consider new service offerings and other changes.
• Divisions; HR; Global Controllership: Acquisitions are reviewed and monitored by various teams: financial performance is monitored by the division to which an acquisition reports; HR reviews the compensation and benefit plan of that acquisition; Global Controllership monitors financial reporting. Acquisitions go through a due diligence process, which includes legal, compliance, ethics and business reviews.

COSO Change-Management Area: Corporate restructuring activities are managed to minimize disruption
• Global Business Operations; Legal; HR: Macro-level areas subject to staff reduction are reviewed by HR leadership to ensure that planned service reductions will not adversely impact operations and are in compliance with local laws.
• Division Internal Control Leads: In the event of restructuring, division internal control leads remain responsible for assigning controls responsibilities to new personnel.
• Division Leadership: Morale is monitored via the global employee surveys; each entity's leadership sets its monitoring or improvement goals.
• CIO; Facilities & Services: Once employees are removed, access (physical, logical) is quickly revoked.

COSO Change-Management Area: Global operations are monitored to ensure that changes are identified
• Geographic Managing Directors: Geographic managing directors are responsible for monitoring the local environment and raising issues.
• Legal: Local legal personnel monitor local regulatory environments, raising issues as necessary to global legal leadership.
• Worldwide Asset Security: At the corporate level, an ABC Company security team monitors trouble areas, maintaining evacuation plans and backup communication plans.
• Various: Local financial operating results are monitored by appropriate division or country finance personnel.

Monitoring

15. Monitoring is a continuous process employed by management to assess the quality of internal control performance over time. At the highest level, it encompasses ongoing monitoring and periodic evaluations and the reporting of deficiencies to the appropriate level of management and the board of directors.

16. At the summary level, the COSO framework outlines several areas of focus that should be considered to ensure effective monitoring:

Area of Focus: Ongoing Monitoring
ABC Company's Expectations:
• Personnel, in performing their normal activities, obtain evidence that the system of internal control is functioning — for example:
  • Operating management compares sales, production and other data to system-generated data
  • Data used to manage operations is reconciled with data generated by financial systems
  • Operating personnel sign off on the accuracy of their units' financial statements and are held responsible if errors are discovered
• Communications from external parties corroborate internally generated information
  • Customers corroborate billing data by paying on time
  • Communications from vendors are used as a monitoring technique
  • Controls that failed to prevent or detect problems are assessed
• Amounts recorded by the accounting system are compared periodically with physical assets
  • Inventory levels are checked when goods are taken for shipment; differences are corrected
  • Securities held in trust are counted periodically and compared to records
• Management receives feedback from training seminars, planning sessions and other meetings
  • Relevant issues raised at seminars are captured
  • Employee suggestions are communicated upstream
• Personnel are asked periodically to state whether they understand and comply with the code of conduct, or signatures are required to evidence performance of critical control functions
• Internal and external auditor recommendations are considered
  • Executives with appropriate authority decide which recommendations will be implemented
  • Desired actions are verified as having been implemented
• The effectiveness of internal audit activities is verified, ensuring that IA's staffing, competence and experience, position within the organization, access to BOD or Audit Committee, and scope relative to the organization's needs are appropriate

Area of Focus: Periodic Monitoring/Separate Evaluations
ABC Company's Expectations:
• Separate evaluations of the internal control system are adequate in scope and frequency and confirm that appropriate internal control system elements are evaluated
  • Evaluations are conducted by individuals with appropriate skills
  • Scope, depth and frequency of evaluations are adequate
• The evaluation process is appropriate and includes evidence that the evaluator gains sufficient understanding of the activities
  • The methodology (including standard methodology such as checklists and tools) is appropriate for evaluating whether the system is logical and suitable; planning effort for the evaluation process is coordinated; and evaluation process is managed by an executive with proper authority
  • Level of documentation is adequate; policy manuals, org charts and operating instructions are available; the evaluation process is documented

Area of Focus: Reporting Deficiencies
ABC Company's Expectations:
• Process exists for capturing and reporting identified deficiencies — both from external sources and from ongoing monitoring or separate evaluations
  • Reporting protocols are appropriate, i.e., deficiencies are reported to the person directly responsible for the activity and to a person at least one level higher
  • Specific types of deficiencies are reported to senior management and to the board
• Follow-up activities are appropriate
  • The underlying event is corrected
  • Causes of problems are investigated
  • Follow-up action is taken to ensure correction of problem

Monitoring Activities

17. Two sets of activities constitute monitoring: (1) integrated activities that provide ongoing assurance of controls, and (2) standalone assessment activities that provide management with separate and distinct feedback on control operations.

Ongoing Monitoring — Financial
• Division chief executives sign off on the accuracy of their financial results.
• Executives are measured on GAAP compliance and internal controls compliance; this is a formal metric included in executive measures and influencing compensation and rewards. GAAP failures and internal controls failures negatively influence the executive's annual evaluation. GAAP compliance information is provided by corporate controllership; control execution information is provided by internal audit and the controls evaluation core team.
• Control activities include a balance of transactional and monitoring controls throughout the organization.
• Regular (quarterly) feedback on operation of critical controls is provided (independent of testing of those controls).
• Internal controls require appropriate evidence, including a number of approvals (usually electronic) on key activities. Management's training and communication on this point is clear; evidence is required to be retained to prove execution and increase certainty of financial reporting.
• Corporate controllership monitors key GAAP pronouncements and adjusts and communicates finance policies as required.

Ongoing Monitoring — Internal and External Audit
• External audit recommendations are assessed by the chief accounting officer (CAO) and others as needed; implementation is tracked by global controllership.
• Internal audit reports to the Audit Committee and, administratively, to the chief risk officer outside of the finance organization.
• The internal audit plan is approved by both senior management and the Audit Committee, with corresponding staffing to execute the plan.
• Internal audit recommendations are reported to the CFO, CAO and others as appropriate; the management of each entity is required to respond with an action plan to IA points. The unit responsible for implementing the recommendations executes quarterly tracking through implementation.

Ongoing Monitoring — Operational
• Forums exist — for example, the Corporate Leadership team meetings and the Corporate Staff Council — to compare operating and financial information.
• Performance monitoring (via the forecast and analysis of variances) occurs quarterly (at a minimum) at each division.
• Collection (days sales outstanding) is monitored as an indicator of customers' acceptance of billing amounts and of possible billing errors.

Ongoing Monitoring — Compliance and Regulatory Matters
• The Compliance and Regulatory Matters (C&RM) team monitors multiple aspects of company operations using methods such as monitoring the Business Ethics Help Line, conducting periodic ethics and compliance surveys for longitudinal comparability, and performing periodic criminal risk assessments.
• The C&RM team integrates with other teams, such as internal audit, to leverage their assets for specific monitoring requirements.

Separate Control-Activity Evaluations
• Evaluations are planned for all quarters, but the scope of activities may vary among quarters. Design of the organization's controls is evaluated annually, and every control activity is assessed at least annually.
• Evaluation activities are planned and monitored by the Controls Evaluation Core Team.
• Control evaluations are executed by individuals who are not responsible for operating a control; they receive independent training in how to conduct their assessments.
• Assessments are conducted using a standardized set of test plans, which may be modified to reflect local conditions.
• Test plans are created to provide a substantive body of evidence that supports execution; sample-size guidance ensures appropriate testing levels to provide management with comfort of execution (adjustment by management is permissible).
• Assessment results are reviewed and confirmed by the core team and reported to the division internal control lead via a portal; test results are documented in the portal.
• Confirmation activities (or "roll-forward" activities) are planned for the fourth quarter.
• Internal audit also evaluates controls as part of its standard audit activities for an entity.

Reporting Deficiencies
• Locally identified control failures are assessed for significant deficiency or material weakness potential using a set of guidelines reviewed (at the summary level) by the Internal Controls Steering Committee and the Audit Committee.
• Control failures (that have no compensating controls) with the potential to create a significant deficiency or material weakness are elevated to the chief accounting officer, CFO, and general counsel, and are summarized for the Audit Committee.
• Control failures are tracked until confirmation is received that they have been resolved. The core team monitors failure resolution to ensure reasonableness.

Appendix B: Quarterly and Annual Management Representations
Related to Example 28

Notes about the material

Management of this international manufacturing company uses the following line-management certification form to:

• Communicate a tone at the top regarding management's expectations about the quality of financial reporting
• Establish organization-wide ownership of meaningful financial reporting risks and related key controls
• Routinely receive acknowledgement, through self-assessment by line managers, regarding the effective operation of key controls

Background and Instructions

1. The CEO and CFO are required to evaluate disclosure controls and procedures in connection with the filing of Forms 10-Q and 10-K with the U.S. Securities and Exchange Commission. Responses contained in the attached questionnaire will be used in their evaluation of disclosure controls and procedures in connection with the following report:

Form 10-Q for the quarterly period ended March 31, 20XX

2. Please note: Your responses to this questionnaire are intended to support and provide reasonable assurance that certifications made by the CEO and CFO to the Securities and Exchange Commission, the Audit Committee and our shareholders are correct and accurate. Certain of these certifications, if incorrect, could result in severe penalties including criminal penalties. You should respond to this questionnaire as if you were making these certifications yourself and as if penalties could apply to you personally (in some cases they can).

3. This questionnaire is an integral part of the evaluation process. You are primarily responsible for answering the following questions for the line of business and/or functional area(s) of the Company that you supervise. Answers should be based upon the knowledge that a reasonable person might conclude you should have as the manager of the area(s) that you supervise. Please note: If you are aware of a reportable item that does not fall within your functional area of responsibility, you should still report it. Do not assume that someone else has reported it on his or her questionnaire.

4. Please review each question and respond by marking either Yes, No or N/A. Unless otherwise indicated, all questions require a response. Explanations should be provided for all "No" and "N/A" responses for which the reason is not obvious, except for questions B.8, G.16 and H.7, which require explanation if "Yes" or "N/A" answers are provided. The explanations are to be provided in the area beginning on page 9. Attach any information or documentation that you feel is appropriate and relevant to support your response(s).

5. Many of the questions address materiality. For purposes of this questionnaire, unless otherwise indicated, use your judgment for what is considered material. A series of related transactions should be combined when determining materiality. Any transaction or event that might cause a violation of a loan covenant or which involves fraud should always be considered material regardless of the dollar amount. Any question that involves the override, suspension or effective operation of a control procedure should be considered material if it could be considered reasonably likely to result in a material effect now or in the future.

6. You should report any situation that has occurred since the end of the most recent year-end or quarter that was not reported on a previous questionnaire.

7. Your responses to the questions contained in the attached questionnaire should relate directly to the plant site for which you are responsible.

8. This quarterly and annual management representation, including the acknowledgment and signatures that follow, should be emailed to ____ by the following deadline:

April XX, 20XX

9. If you have questions regarding how to respond properly to particular questions contained in the questionnaire, you should direct them to the corporate controller.

Acknowledgment and Signatures:

10. We recognize that we hold important roles in the disclosure controls and procedures of the company, and that information we provide is used in the company's quarterly and annual filings with the U.S. Securities and Exchange Commission. We confirm that the responses to the questions contained in this memorandum, as well as any additional notes or attachments, properly reflect our representations:

Name: ________________________________
Title: ________________________________
Date: ________________________________

Name: ________________________________
Title: ________________________________
Date: ________________________________

Quarterly and Annual Management Representations

Yes No N/A

A. Significant Accounting Policies — Revenue Recognition

1. For all sales recognized during the period:

a. Was there persuasive evidence that a sales arrangement existed between our customer and us prior to the end of the period?

b. Had the products been delivered or had the services been rendered prior to the end of the period?

c. Was our sales price fixed or determinable prior to the end of the period?

d. Was collectibility from our customer reasonably assured prior to the end of the period?

2. Were all significant sales transactions of a normal, recurring nature?

3. Were the product mix, nature of customers, terms of sale, credit policies and related items similar to those of prior periods?

B. Significant Accounting Policies — Other Than Revenue Recognition

1. Have interplant transactions been accounted for in designated general ledger accounts?

2. Have the results of joint ventures in which the company does not have a controlling financial interest been included in the general ledger using the equity method of accounting?

3. Have the general ledger accounts been translated (or re-measured) from local currency to the U.S. dollar at rates of exchange issued by corporate finance on a monthly basis?

4. Have all expenditures related to new product development been charged to expense as incurred?

5. Has the cost basis of inventories been determined on a first-in, first-out basis?

6. Has property, plant, and equipment been capitalized and depreciated in accordance with companywide guidelines established by corporate finance?

7. Were items not meeting the criteria for capitalization expensed?

8. Have there been any events or changes in circumstances that indicate the carrying amount of a long-lived asset may not be recoverable? Triggering events that you should consider include:
• Significant decrease in the market price
• A significant adverse change in legal factors or business climate
• Accumulation of significant excess costs beyond original expectations for assets constructed or acquired
• Continuing operating cash flow loss associated with the asset use
• Expectation of sale/disposal significantly before the end of the established useful life

C. Judgments and Estimates — Allowances for Doubtful Accounts

1. Have accounts receivable balances that are more than 60 days past due been reviewed at or near the end of the period for purposes of forming judgments as to the likelihood of collectibility?

2. Has trend information been reviewed within the last 12 months to determine whether a normal and predictable pattern of accounts receivable write-offs exists?

3. Has an allowance for doubtful accounts been established in an amount equal to the sum of:

a. The amount of specifically identified accounts receivable balances whose collectibility is doubtful; and

b. The best estimate of the remaining accounts receivable balances whose collectibility is doubtful?

4. Have you considered whether any factors have occurred since trend information was last reviewed that would influence the "best estimate" referred to in question C.3.b?

5. Have provisions and write-offs that are related to credit issues been charged to bad debt expense?

6. Have provisions and write-offs that are related to pricing (such as for rebates or volume discounts), or other matters of disputes settled in the customer's favor, been charged as a reduction to sales?

D. Judgments and Estimates — Reserves for Inventories

1. Have reserves been established to reduce the carrying value of inventories to its net realizable value whenever the quantity on hand exceeds expected demand?

2. In establishing the reserves referred to in question D.1, have inventory usage reports (such as "two years no usage") been reviewed in the most recent fiscal quarter (or more frequently)?

3. Have reserves been established to reduce similar types of inventory to its net realizable value, regardless of demand, whenever the aggregate carrying value is more than the aggregate market value of that inventory?

4. Have you considered whether there have been any decreases in the market value of inventory that would trigger an evaluation of the need for the reserve referred to in question D.3?

E. Judgments and Estimates — Warranty Accruals

1. Have warranty accruals been established for specifically identified warranty issues that are probable to result in future cost?

2. Do the specific warranty accruals referred to in question E.1 reflect the best estimate of the future costs?

3. Have the specific warranty accruals referred to in question E.1 been reviewed at or near the end of the period?

4. Has a warranty accrual been established on a non-specific basis for estimated remaining future costs that will be incurred on product that was sold through the end of the period?

5. In establishing the non-specific warranty accrual referred to in question E.4, was trend information reviewed in the most recent fiscal quarter (or more frequently)?

6. In establishing the non-specific warranty accrual referred to in question E.4, have extended warranty obligations been given special consideration?

7. Has care been taken not to over-provide for warranty costs by inadvertently doubling up on accruals in both the specific and non-specific portions of the warranty accrual?

F. Judgments and Estimates — Accruals for Loss Contingencies

1. Have all loss contingencies been accrued for when a future loss is probable and the amount can be reasonably estimated? (A "loss contingency" is an existing condition, situation or set of circumstances involving uncertainty as to a possible loss to the company that will ultimately be resolved when one or more future events occur or fail to occur.)

2. Have all accruals for loss contingencies been reviewed at or near the end of the period?

3. Have all known loss contingencies been communicated to the corporate controller?

G. Internal Accounting Control Systems

1. Have basic internal accounting controls been established and maintained, giving careful thought to segregation of duties, to ensure the validity, accuracy and completeness of recorded transactions?

2. Have appropriate cut-off procedures been established and maintained to ensure proper recognition of revenues and expenses in appropriate fiscal quarters and to properly reflect assets, liabilities and equity at the end of each fiscal quarter?

3. Has detailed information been reconciled to the general ledger control accounts on a monthly basis for:

a. Cash?

b. Accounts receivable?

c. Inventories?

d. Accounts payable?

e. All other accounts with significant activity?

4. For accounts that do not have significant activity:

a. Was there a clear understanding of the details of the account balances at the end of each fiscal quarter?

b. Was the detailed information for such accounts reconciled to the general ledger control accounts on a periodic basis (at least annually)?

5. Have interplant accounts been reconciled on a monthly basis?

6. Have reconciliations of cash balances on bank statements and our internal accounting records been performed on a timely basis after receiving those statements?

7. For all reconciliations, were all reconciling items investigated in a timely manner and of the type and amount that would be considered normal and recurring?

8. Have internal financial records been reviewed analytically by financial management as a means to highlight potential failures of basic accounting controls that may need to be investigated and resolved?

9. Are managers of the company provided with financial reports that:

a. Enable them to monitor performance?

b. Provide them the ability to form judgments about the validity, accuracy and completeness of reported amounts?

10. Have controls been established and maintained to ensure that assets and the accounting records are adequately safeguarded to prevent loss or theft?

11. Have approval and responsibility levels been established for all business transactions to ensure that transactions are executed in accordance with management's authorizations?

12. Are the approval levels referred to in question G.11 at least as restrictive as necessary to meet corporate requirements?

13. Has corrective action been taken to address all known instances of noncompliance with internal accounting control procedures, whether intentional or unintentional?

14. Have all recommendations for changes in internal accounting control procedures resulting from corporate internal audit or Management's Assessment of Internal Control Over Financial Reporting activities been implemented in accordance with established timelines?

15. Have all recommendations for changes in internal accounting control procedures that resulted from external audit activities been implemented or, if not, has an implementation plan been discussed and agreed to with the company's director, internal audit?

16. Have there been any significant changes to the system of internal accounting controls?

17. If the answer to question G.16 is "Yes," have the significant changes to the system of internal accounting controls been discussed with and agreed to by the Company's corporate controller?

H. Other Representations

1. Have all leases been reviewed to ensure they are operating leases rather than capital leases?

2. Are all procedures associated with accounts payable and accrued expenses consistent with the procedures used for previous quarters?

3. Are the methods used to allocate expenses between and among quarterly periods (on the basis of revenue, benefits, time or activity association) consistent with the methods used for previous quarters?

4. Are expense classifications consistent with prior year-end classifications?

5. Has complete and accurate information been provided to corporate finance when requested?

6. Have all financial records and related data been made available to our independent registered public accounting firm?

7. Based on your knowledge, are you aware of any of the following:

a. Weakness in internal control that could lead to material losses or reporting errors?

b. Fraud or defalcation, regardless of materiality, involving a Company manager or an employee with a significant role in internal controls?

c. Material transactions which you have reason to believe may not be accounted for in accordance with accounting principles generally accepted in the United States?

d. Unresolved ethics policy violation?

e. Violations of security or other laws or regulations that could have materially adverse consequences?

f. Material instances where business system-generated results have been overridden?

g. Material completed transactions that have not yet been recorded on the Company's books?

h. Incomplete or pending transactions that have been recorded prematurely on the Company's books?

i. Changes in material assumptions that are used in the application of any accounting method that have not previously been discussed and cleared through corporate finance?

j. New off-balance-sheet relationships, long-term contracts, lease commitments, employment contracts or similar arrangements that obligate or contingently obligate the Company in a material amount?

k. Material transactions that are unusual, non-recurring or otherwise outside the Company's normal course of business?

l. Material title defects to any Company-owned assets?

m. Material violations or breaches in any contractual obligations of the Company?

n. Issues raised by regulators or tax examiners that could result in materially adverse consequences?

o. Instances where the Company's assets have been pledged as collateral?

p. Other item(s) not otherwise covered in this questionnaire that could materially affect the Company's results of operations or cash flows for the period, or its carrying value of assets or liabilities or its financial condition at the end of the period?

Explanations

11. Provide below explanations for all "No" and "N/A" responses, with the exception of questions B.8, G.16 and H.7, which require explanation if "Yes" or "N/A" response is provided.

Question #
Question #
Question #
Question #
Question #
Question #
Question #
Question #
Question #
Question #
Question #
Question #

Appendix C: Quarterly and Annual Disclosure Committee Review Procedures Checklist
Related to Example 31

Notes about the material

This international manufacturer has formed what it refers to as a Quarterly and Annual Disclosure Committee (QADC). This committee uses the following checklist to ensure that it has reviewed and considered information about risks and controls in areas of identified meaningful risk.

At the end of each quarter the QADC will:

Review and discuss the following:
• CEO/CFO evaluation of disclosure controls and procedures and comments relevant to evaluation document;
• Summary of responses to annual and quarterly management representations (see Appendix B);
• Summary of quarterly changes to design of internal control over financial reporting;
• Areas of significant process variation (at least once a year — if this review was not completed in the current quarter, indicate when it was last completed);
• Review of the scope of management's evaluation (financial analytics and qualitative review) to determine the scope of management's review of internal control over financial reporting; and
• Review of management assessment status reports (plan for the testing of the operating effectiveness of internal controls over financial reporting, as well as other audits of the organization) and summary of control deficiencies (SOCD) (results of tests of the operating effectiveness of internal controls over financial reporting).

Review a written or oral summary of the following:
• Pending or threatened litigation, claims and assessments;
• Summary of relevant ethics hotline communications and the business conduct and oversight committee violation-reporting tracking;
• Internal audit/risk assessment status, including completed projects and status of findings/disclosures;
• Restructuring/reorganization activities;
• Communications/issues with outside auditors;
• Status of global policy review process; and
• Any other matters relevant to forming the conclusions noted below.

As a committee, form conclusions regarding the following:
• The effectiveness of disclosure controls and procedures as of the end of the period covered by each Form 10-Q and Form 10-K (include the conclusion in the report to the CEO and CFO);
• The effectiveness of internal control over financial reporting at the end of the fiscal year, separately considering design effectiveness and operating effectiveness (this procedure is applicable only in the final quarter of the year — include the conclusion in the report to the CEO and CFO); and
• Whether any material changes were present in internal control over financial reporting or other disclosure controls and procedures during the quarter most recently ended (include any such changes in the report to the CEO and CFO).

Prepare the following written documentation:
• Agenda and conclusions for committee's report to CEO and CFO; and
• Documentation review notes to be distributed to preparers of documentation reviewed as part of the meeting.

Appendix D: Enterprise-Wide Risk Matrix


Related to Example 18

Notes about the material

The following risk matrix contains excerpts from multiple places within a retail chain company's larger enterprise-
wide risk analysis. It is presented to demonstrate only a possible format for a formal risk analysis that might also
be used to assign monitoring responsibilities. It also demonstrates how the organization identifies and considers
changes to risks between periods.

Note that these excerpts are not intended to and do not present all of the risk considerations this company
considered in each area.

While not documented specifically on this matrix, the resulting risk assessments influence the nature and scope
of monitoring at various levels. Higher-risk areas receive more senior-management attention in monitoring and
are subject to more-robust and more-frequent review by internal audit and/or the Store Operations Group. Low-
risk areas are reassessed periodically as part of the risk assessment process, but the monitoring by senior
management and the internal audit department/sales is less intense than for higher-risk areas. Unless the risk
changes, monitoring in low-risk areas may include a greater reliance on indirect information and less frequent
separate evaluations.

Footnotes

7 To conserve space and to remain focused on the monitoring component, only the Risk Assessment and
Monitoring sections of ABC Company's COSO Usage Document are included in this Appendix. Risk
Assessment is included due to its direct effect on ABC Company's monitoring.

Fraud Risk Management Guide

This publication, Fraud Risk Management Guide (guide), is intended to be supportive of and consistent with the
2013 Framework and can serve as best practices guidance for organizations to follow in addressing the new
fraud risk assessment principle. This guide is designed to be familiar to COSO Framework users. It contains
principles and points of focus.1 This guide’s five principles are consistent with the five COSO Internal Control
Components2 and the 17 COSO principles.

COSO-Fraud Risk Management Guide-EY.pdf

Footnotes

1 Per the 2013 COSO Framework, points of focus are “important characteristics of principles.”

2 Per the 2013 COSO Framework, a component is “one of five elements of internal control. The internal
control components are the Control Environment, Risk Assessment, Control Activities, Information and
Communication, and Monitoring Activities.”

Executive Summary

June 2017

COSO ERM 2017 - Exec Summary ey.pdf

This project was commissioned by the Committee of Sponsoring Organizations of the Treadway Commission
(COSO), which is dedicated to providing thought leadership through the development of comprehensive
frameworks and guidance on internal control, enterprise risk management, and fraud deterrence designed to
improve organizational performance and oversight and to reduce the extent of fraud in organizations. COSO is a
private sector initiative, jointly sponsored and funded by:

• American Accounting Association

• American Institute of Certified Public Accountants

• Financial Executives International

• Institute of Management Accountants

• The Institute of Internal Auditors

Foreword
In keeping with its overall mission, the COSO Board commissioned and published in 2004 Enterprise Risk
Management—Integrated Framework. Over the past decade, that publication has gained broad acceptance by
organizations in their efforts to manage risk. However, also through that period, the complexity of risk has
changed, new risks have emerged, and both boards and executives have enhanced their awareness and
oversight of enterprise risk management while asking for improved risk reporting. This update to the 2004
publication addresses the evolution of enterprise risk management and the need for organizations to improve
their approach to managing risk to meet the demands of an evolving business environment.

The updated document, now titled Enterprise Risk Management—Integrating with Strategy and Performance,
highlights the importance of considering risk in both the strategy-setting process and in driving performance. The
first part of the updated publication offers a perspective on current and evolving concepts and applications of
enterprise risk management. The second part, the Framework, is organized into five easy-to-understand
components that accommodate different viewpoints and operating structures, and enhance strategies and
decision-making. In short, this update:

• Provides greater insight into the value of enterprise risk management when setting and carrying out
strategy.

• Enhances alignment between performance and enterprise risk management to improve the setting of
performance targets and understanding the impact of risk on performance.

• Accommodates expectations for governance and oversight.

• Recognizes the globalization of markets and operations and the need to apply a common, albeit tailored,
approach across geographies.

• Presents new ways to view risk to setting and achieving objectives in the context of greater business
complexity.

• Expands reporting to address expectations for greater stakeholder transparency.

• Accommodates evolving technologies and the proliferation of data and analytics in supporting decision-
making.

• Sets out core definitions, components, and principles for all levels of management involved in designing,
implementing, and conducting enterprise risk management practices.

Readers may also wish to consult a complementary publication, COSO’s Internal Control—Integrated
Framework. The two publications are distinct and have different focuses; neither supersedes the other.
However, they do connect. Internal Control—Integrated Framework encompasses internal control, which is
referenced in part in this updated publication, and therefore the earlier document remains viable and suitable for
designing, implementing, conducting, and assessing internal control, and for consequent reporting.

The COSO Board would like to thank PwC for its significant contributions in developing Enterprise Risk
Management—Integrating with Strategy and Performance. Their full consideration of input provided by many
stakeholders and their insight were instrumental in ensuring that the strengths of the original publication have
been preserved, and that text has been clarified or expanded where it was deemed helpful to do so. The COSO
Board and PwC together would also like to thank the Advisory Council and Observers for their contributions in
reviewing and providing feedback.

Committee of Sponsoring Organizations of the Treadway Commission
Board Members
Robert B. Hirth Jr.

COSO Chair

Richard F. Chambers

The Institute of Internal Auditors

Mitchell A. Danaher

Financial Executives International

Charles E. Landes

American Institute of Certified Public Accountants

Douglas F. Prawitt

American Accounting Association

Sandra Richtermeyer

Institute of Management Accountants

PwC—Author
Principal Contributors
Miles E.A. Everson

Engagement Leader and Global and Asia, Pacific, and Americas (APA) Advisory Leader

New York, USA

Dennis L. Chesley

Project Lead Partner and Global and APA Risk and Regulatory Leader

Washington DC, USA

Frank J. Martens

Project Lead Director and Global Risk Framework and Methodology Leader

British Columbia, Canada

Matthew Bagin

Director

Washington DC, USA

Hélène Katz

Director

New York, USA

Katie T. Sylvis

Director

Washington DC, USA

Sallie Jo Perraglia

Manager

New York, USA

Kathleen Crader Zelnik

Manager

Washington DC, USA

Maria Grimshaw

Senior Associate

New York, USA

The Changing Risk Landscape


Our understanding of the nature of risk, the art and science of choice, lies at the core of our modern economy.
Every choice we make in the pursuit of objectives has its risks. From day-to-day operational decisions to the
fundamental trade-offs in the boardroom, dealing with risk in these choices is a part of decision-making.

As we seek to optimize a range of possible outcomes, decisions are rarely binary, with a right and wrong
answer. That’s why enterprise risk management may be called both an art and a science. And when risk is
considered in the formulation of an organization’s strategy and business objectives, enterprise risk management
helps to optimize outcomes.

Our understanding of risk and our practice of enterprise risk management have improved greatly over the past
few decades. But the margin for error is shrinking. The World Economic Forum has commented on the
"increasing volatility, complexity and ambiguity of the world."fn 1 That’s a phenomenon we all recognize.
Organizations encounter challenges that impact reliability, relevancy, and trust. Stakeholders are more engaged
today, seeking greater transparency and accountability for managing the impact of risk while also critically
evaluating leadership’s ability to crystalize opportunities. Even success can bring with it additional downside
risk—the risk of not being able to fulfill unexpectedly high demand, or maintain expected business momentum,
for example.

Organizations need to be more adaptive to change. They need to think strategically about how to manage the
increasing volatility, complexity, and ambiguity of the world, particularly at the senior levels in the organization
and in the boardroom where the stakes are highest.

Enterprise Risk Management—Integrating with Strategy and Performance provides a Framework for boards and
management in entities of all sizes. It builds on the current level of risk management that exists in the normal
course of business. Further, it demonstrates how integrating enterprise risk management practices throughout
an entity helps to accelerate growth and enhance performance. It also contains principles that can be applied—
from strategic decision-making through to performance.

Below, we describe why it makes sense for management and boards to use the enterprise risk management
framework,fn 2 what organizations have achieved by applying enterprise risk management, and what further
benefits they can realize through its continued use. We conclude with a look into the future.

Management’s Guide to Enterprise Risk Management
Management holds overall responsibility for managing risk to the entity, but it is important for management to go
further: to enhance the conversation with the board and stakeholders about using enterprise risk management to
gain a competitive advantage. That starts by deploying enterprise risk management capabilities as part of
selecting and refining a strategy.

Most notably, through this process, management will gain a better understanding of how the explicit
consideration of risk may impact the choice of strategy. Enterprise risk management enriches management
dialogue by adding perspective to the strengths and weaknesses of a strategy as conditions change, and to how
well a strategy fits with the organization’s mission and vision. It allows management to feel more confident that
they’ve examined alternative strategies and considered the input of those in their organization who will
implement the strategy selected.

Once strategy is set, enterprise risk management provides an effective way for management to fulfill its role,
knowing that the organization is attuned to risks that can impact strategy and is managing them well. Applying
enterprise risk management helps to create trust and instill confidence in stakeholders in the current
environment, which demands greater scrutiny than ever before about how risks are actively addressed and
managed.

The Board’s Guide to Enterprise Risk Management


Every board has an oversight role, helping to support the creation of value in an entity and prevent its decline.
Traditionally, enterprise risk management has played a strong supporting role at the board level. Now, boards
are increasingly expected to provide oversight of enterprise risk management.

The Framework supplies important considerations for boards in defining and addressing their risk oversight
responsibilities. These considerations include governance and culture; strategy and objective-setting;
performance; information, communications and reporting; and the review and revision of practices to enhance
entity performance.

The board’s risk oversight role may include, but is not limited to:

• Reviewing, challenging, and concurring with management on:

  ◦ Proposed strategy and risk appetite.

  ◦ Alignment of strategy and business objectives with the entity’s stated mission, vision, and core values.

  ◦ Significant business decisions including mergers, acquisitions, capital allocations, funding, and
dividend-related decisions.

  ◦ Response to significant fluctuations in entity performance or the portfolio view of risk.

  ◦ Responses to instances of deviation from core values.

• Approving management incentives and remuneration.

• Participating in investor and stakeholder relations.

Over the longer term, enterprise risk management can also enhance enterprise resilience—the ability to
anticipate and respond to change. It helps organizations identify factors that represent not just risk, but change,
and how that change could impact performance and necessitate a shift in strategy. By seeing change more
clearly, an organization can fashion its own plan; for example, should it defensively pull back or invest in a new
business? Enterprise risk management provides the right framework for boards to assess risk and embrace a
mindset of resilience.

Questions for management

Can all of management—not just the chief risk officer—articulate how risk is considered in the selection of strategy
or business decisions? Can they clearly articulate the entity’s risk appetite and how it might influence a specific
decision? The resulting conversation may shed light on what the mindset for risk taking is really like in the
organization.

Boards can also ask senior management to talk not only about risk processes but also about culture. How does
the culture enable or inhibit responsible risk taking? What lens does management use to monitor the risk culture,
and how has that changed? As things change—and things will change whether or not they’re on the entity’s
radar—how can the board be confident of an appropriate and timely response from management?

What Enterprise Risk Management Has Achieved


COSO published Enterprise Risk Management—Integrated Framework in 2004. The purpose of that publication
was to help entities better protect and enhance stakeholder value. Its underlying philosophy was that "value is
maximized when management sets strategy and objectives to strike an optimal balance between growth and
return goals and related risks, and efficiently and effectively deploys resources in pursuit of the entity’s
objectives."fn 3

Since its publication, the Framework has been used successfully around the world, across industries, and in
organizations of all types and sizes to identify risks, manage those risks within a defined risk appetite, and
support the achievement of objectives. Yet, while many have applied the Framework in practice, it has the
potential to be used more extensively. It would benefit from examining certain aspects with more depth and
clarity, and by providing greater insight into the links between strategy, risk, and performance. In response,
therefore, the updated Framework in this publication:

• More clearly connects enterprise risk management with a multitude of stakeholder expectations.

• Positions risk in the context of an organization’s performance, rather than as the subject of an isolated
exercise.

• Enables organizations to better anticipate risk so they can get ahead of it, with an understanding that
change creates opportunities, not simply the potential for crises.

This update also answers the call for a stronger emphasis on how enterprise risk management informs strategy
and its performance.

Clearing up a few misconceptions

We’ve heard a few misconceptions about the original Framework since it was introduced in 2004. To set the
record straight:

Enterprise risk management is not a function or department. It is the culture, capabilities, and practices that
organizations integrate with strategy-setting and apply when they carry out that strategy, with a purpose of
managing risk in creating, preserving, and realizing value.

Enterprise risk management is more than a risk listing. It requires more than taking an inventory of all the risks
within the organization. It is broader and includes practices that management puts in place to actively manage
risk.

Enterprise risk management addresses more than internal control. It also addresses other topics such as strategy-
setting, governance, communicating with stakeholders, and measuring performance. Its principles apply at all
levels of the organization and across all functions.

Enterprise risk management is not a checklist. It is a set of principles on which processes can be built or
integrated for a particular organization, and it is a system of monitoring, learning, and improving performance.

Enterprise risk management can be used by organizations of any size. If an organization has a mission, a
strategy, and objectives—and the need to make decisions that fully consider risk—then enterprise risk
management can be applied. It can and should be used by all kinds of organizations, from small businesses to
community-based social enterprises to government agencies to Fortune 500 companies.

Benefits of Effective Enterprise Risk Management
All organizations need to set strategy and periodically adjust it, always staying aware of both ever-changing
opportunities for creating value and the challenges that will occur in pursuit of that value. To do that, they need
the best possible framework for optimizing strategy and performance.

That’s where enterprise risk management comes into play. Organizations that integrate enterprise risk
management throughout the entity can realize many benefits, including, though not limited to:

• Increasing the range of opportunities: By considering all possibilities—both positive and negative aspects
of risk—management can identify new opportunities and unique challenges associated with current
opportunities.

• Identifying and managing risk entity-wide: Every entity faces myriad risks that can affect many parts of the
organization. Sometimes a risk can originate in one part of the entity but impact a different part.
Consequently, management identifies and manages these entity-wide risks to sustain and improve
performance.

• Increasing positive outcomes and advantage while reducing negative surprises: Enterprise risk
management allows entities to improve their ability to identify risks and establish appropriate responses,
reducing surprises and related costs or losses, while profiting from advantageous developments.

• Reducing performance variability: For some, the challenge is less with surprises and losses and more with
variability in performance. Performing ahead of schedule or beyond expectations may cause as much
concern as performing short of schedule and expectations. Enterprise risk management allows
organizations to anticipate the risks that would affect performance and enables them to put in place the
actions needed to minimize disruption and maximize opportunity.

• Improving resource deployment: Every risk could be considered a request for resources. Obtaining robust
information on risk allows management, in the face of finite resources, to assess overall resource needs,
prioritize resource deployment and enhance resource allocation.

• Enhancing enterprise resilience: An entity’s medium- and long-term viability depends on its ability to
anticipate and respond to change, not only to survive but also to evolve and thrive. This is, in part, enabled
by effective enterprise risk management. It becomes increasingly important as the pace of change
accelerates and business complexity increases.

These benefits highlight the fact that risk should not be viewed solely as a potential constraint or challenge to
setting and carrying out a strategy. Rather, the change that underlies risk and the organizational responses to
risk give rise to strategic opportunities and key differentiating capabilities.

The Role of Risk in Strategy Selection
Strategy selection is about making choices and accepting trade-offs. So it makes sense to apply enterprise risk
management to strategy as that is the best approach for untangling the art and science of making well-informed
choices.

Risk is a consideration in many strategy-setting processes. But risk is often evaluated primarily in relation to its
potential effect on an already-determined strategy. In other words, the discussions focus on risks to the existing
strategy: We have a strategy in place, what could affect the relevance and viability of our strategy?

But there are other questions to ask about strategy, which organizations are getting better at asking: Have we
modeled customer demand accurately? Will our supply chain deliver on time and on budget? Will new
competitors emerge? Is our technology infrastructure up to the task? These are the kinds of questions that
executives grapple with every day, and responding to them is fundamental to carrying out a strategy.

However, the risk to the chosen strategy is only one aspect to consider. As this Framework emphasizes, there
are two additional aspects to enterprise risk management that can have far greater effect on an entity’s value:
the possibility of the strategy not aligning, and the implications from the strategy chosen.

The first of these, the possibility of the strategy not aligning with an organization’s mission, vision, and
core values, is central to decisions that underlie strategy selection. Every entity has a mission, vision, and core
values that define what it is trying to achieve and how it wants to conduct business. Some organizations are
skeptical about truly embracing their corporate credos. But mission, vision, and core values have been
demonstrated to matter—and they matter most when it comes to managing risk and remaining resilient during
periods of change.

A chosen strategy must support the organization’s mission and vision. A misaligned strategy increases the
possibility that the organization may not realize its mission and vision, or may compromise its values, even if a
strategy is successfully carried out. Therefore, enterprise risk management considers the possibility of strategy
not aligning with the mission and vision of the organization.

The other additional aspect is the implications from the strategy chosen. When management develops a
strategy and works through alternatives with the board, they make decisions on the trade-offs inherent in the
strategy. Each alternative strategy has its own risk profile—these are the implications arising from the strategy.
The board of directors and management need to determine if the strategy works in tandem with the
organization’s risk appetite, and how it will help drive the organization to set objectives and ultimately allocate
resources efficiently.

Here’s what’s important: Enterprise risk management is as much about understanding the implications from the
strategy and the possibility of strategy not aligning as it is about managing risks to set objectives. The figure
below illustrates these considerations in the context of mission, vision, core values, and as a driver of an entity’s
overall direction and performance.

Enterprise risk management, as it has typically been practiced, has helped many organizations identify, assess,
and manage risks to the strategy. But the most significant causes of value destruction are embedded in the
possibility of the strategy not supporting the entity’s mission and vision, and the implications from the strategy.

Enterprise risk management enhances strategy selection. Choosing a strategy calls for structured decision-
making that analyzes risk and aligns resources with the mission and vision of the organization.

A Focused Framework
Enterprise Risk Management—Integrating with Strategy and Performance clarifies the importance of enterprise
risk management in strategic planning and embedding it throughout an organization—because risk influences
and aligns strategy and performance across all departments and functions.

The Framework itself is a set of principles organized into five interrelated components:

1. Governance and Culture: Governance sets the organization’s tone, reinforcing the importance of,
and establishing oversight responsibilities for, enterprise risk management. Culture pertains to ethical
values, desired behaviors, and understanding of risk in the entity.

2. Strategy and Objective-Setting: Enterprise risk management, strategy, and objective-setting work
together in the strategic-planning process. A risk appetite is established and aligned with strategy;
business objectives put strategy into practice while serving as a basis for identifying, assessing, and
responding to risk.

3. Performance: Risks that may impact the achievement of strategy and business objectives need to
be identified and assessed. Risks are prioritized by severity in the context of risk appetite. The
organization then selects risk responses and takes a portfolio view of the amount of risk it has assumed.
The results of this process are reported to key risk stakeholders.

4. Review and Revision: By reviewing entity performance, an organization can consider how well the
enterprise risk management components are functioning over time and in light of substantial changes,
and what revisions are needed.

5. Information, Communication, and Reporting: Enterprise risk management requires a continual
process of obtaining and sharing necessary information, from both internal and external sources, which
flows up, down, and across the organization.

The five components in the updated Framework are supported by a set of principles.fn 4 These principles cover
everything from governance to monitoring. They’re manageable in size, and they describe practices that can be
applied in different ways for different organizations regardless of size, type, or sector. Adhering to these
principles can provide management and the board with a reasonable expectation that the organization
understands and strives to manage the risks associated with its strategy and business objectives.

Looking into the Future


There is no doubt that organizations will continue to face a future full of volatility, complexity, and ambiguity.
Enterprise risk management will be an important part of how an organization manages and prospers through
these times. Regardless of the type and size of an entity, strategies need to stay true to their mission. And all
entities need to exhibit traits that drive an effective response to change, including agile decision-making, the

ability to respond in a cohesive manner, and the adaptive capacity to pivot and reposition while maintaining high
levels of trust among stakeholders.

As we look into the future, there are several trends that will have an effect on enterprise risk management. Just
four of these are:

• Dealing with the proliferation of data: As more and more data becomes available and the speed at which
new data can be analyzed increases, enterprise risk management will need to adapt. The data will come
from both inside and outside the entity, and it will be structured in new ways. Advanced analytics and data
visualization tools will evolve and be very helpful in understanding risk and its impact—both positive and
negative.

• Leveraging artificial intelligence and automation: Many people feel that we have entered the era of
automated processes and artificial intelligence. Regardless of individual beliefs, it is important for
enterprise risk management practices to consider the impact of these and future technologies, and
leverage their capabilities. Previously unrecognizable relationships, trends and patterns can be uncovered,
providing a rich source of information critical to managing risk.

• Managing the cost of risk management: A frequent concern expressed by many business executives is the
cost of risk management, compliance processes, and control activities in comparison to the value gained.
As enterprise risk management practices evolve, it will become important that activities spanning risk,
compliance, control, and even governance be efficiently coordinated to provide maximum benefit to the
organization. This may represent one of the best opportunities for enterprise risk management to redefine
its importance to the organization.

• Building stronger organizations: As organizations become better at integrating enterprise risk management
with strategy and performance, an opportunity to strengthen resilience will present itself. By knowing the
risks that will have the greatest impact on the entity, organizations can use enterprise risk management to
help put in place capabilities that allow them to act early. This will open up new opportunities.

In summary, enterprise risk management will need to change and adapt to the future to consistently provide the
benefits outlined in the Framework. With the right focus, the benefits derived from enterprise risk management
will far outweigh the investments and provide organizations with confidence in their ability to handle the future.

Acknowledgments
A special thank you to the following companies and organizations for allowing the participation of Advisory
Council Members and Observers.

Advisory Council Members
Companies and Organizations
• Athene USA (Jane Karli)

• Edison International (David J. Heller)

• First Data Corporation (Lee Marks)

• Georgia-Pacific LLC (Paul Sobel)

• Invesco Ltd. (Suzanne Christensen)

• Microsoft (Jeff Pratt)

• US Department of Commerce (Karen Hardy)

• United Technologies Corporation (Margaret Boissoneau)

• Zurich Insurance Company (James Davenport)

Higher Education and Associations


• North Carolina State University (Mark Beasley)

• St. John’s University (Paul Walker)

• The Institute of Internal Auditors (Douglas J. Anderson)

Professional Service Firms


• Crowe Horwath LLP (William Watts)

• Deloitte & Touche LLP (Henry Ristuccia)

• Ernst & Young (Anthony J. Carmello)

• James Lam & Associates (James Lam)

• Grant Thornton LLP (Bailey Jordan)

• KPMG LLP Americas (Deon Minnaar)

• Mercury Business Advisors Inc. (Patrick Stroh)

• Protiviti Inc. (James DeLoach)

Former COSO Board Member

• COSO Chair, 2009–2013 (David Landsittel)

Observers

• Federal Deposit Insurance Corporation (Harrison Greene)

• Government Accountability Office (James Dalkin)

• Institute of Management Accountants (Jeff Thompson)

• Institut der Wirtschaftsprüfer (Horst Kreisel)

• International Federation of Accountants (Vincent Tophoff)

• ISACA (Jennifer Bayuk)

• Risk Management Society (Carol Fox)

Components and Principles

1. Exercises Board Risk Oversight—The board of directors provides oversight of the strategy and
carries out governance responsibilities to support management in achieving strategy and business
objectives.

2. Establishes Operating Structures—The organization establishes operating structures in the
pursuit of strategy and business objectives.

3. Defines Desired Culture—The organization defines the desired behaviors that characterize the
entity’s desired culture.

4. Demonstrates Commitment to Core Values—The organization demonstrates a commitment to
the entity’s core values.

5. Attracts, Develops, and Retains Capable Individuals—The organization is committed to building
human capital in alignment with the strategy and business objectives.

6. Analyzes Business Context—The organization considers potential effects of business context on
risk profile.

7. Defines Risk Appetite—The organization defines risk appetite in the context of creating,
preserving, and realizing value.

8. Evaluates Alternative Strategies—The organization evaluates alternative strategies and potential
impact on risk profile.

9. Formulates Business Objectives—The organization considers risk while establishing the
business objectives at various levels that align and support strategy.
10. Identifies Risk—The organization identifies risk that impacts the performance of strategy and
business objectives.

11. Assesses Severity of Risk—The organization assesses the severity of risk.

12. Prioritizes Risks—The organization prioritizes risks as a basis for selecting responses to risks.

13. Implements Risk Responses—The organization identifies and selects risk responses.

14. Develops Portfolio View—The organization develops and evaluates a portfolio view of risk.

15. Assesses Substantial Change—The organization identifies and assesses changes that may
substantially affect strategy and business objectives.

16. Reviews Risk and Performance—The organization reviews entity performance and considers
risk.

17. Pursues Improvement in Enterprise Risk Management—The organization pursues
improvement of enterprise risk management.

18. Leverages Information Systems—The organization leverages the entity’s information and
technology systems to support enterprise risk management.

19. Communicates Risk Information—The organization uses communication channels to support
enterprise risk management.

20. Reports on Risk, Culture, and Performance—The organization reports on risk, culture, and
performance at multiple levels and across the entity.

Footnotes

fn 1 The Global Risks Report 2016, 11th edition, World Economic Forum (2016).

fn 2 The Framework uses the term "board of directors" or "board," which encompasses the governing body,
including board, supervisory board, board of trustees, general partners, or owner.

fn 3 Enterprise Risk Management—Integrated Framework, Executive Summary, COSO (2004).

fn 4 A fuller description of these twenty principles is provided at the end of this document.

Enterprise Risk Management—Integrating with Strategy and Performance

June 2017

COSO ERM 2017 - Main (Vol 1) ey.pdf

This project was commissioned by the Committee of Sponsoring Organizations of the Treadway Commission
(COSO), which is dedicated to providing thought leadership through the development of comprehensive
frameworks and guidance on internal control, enterprise risk management, and fraud deterrence designed to
improve organizational performance and oversight and to reduce the extent of fraud in organizations. COSO is a
private sector initiative, jointly sponsored and funded by:

• American Accounting Association

• American Institute of Certified Public Accountants

• Financial Executives International

• Institute of Management Accountants

• The Institute of Internal Auditors

Committee of Sponsoring Organizations of the Treadway Commission
Board Members
Robert B. Hirth Jr.

COSO Chair

Richard F. Chambers

The Institute of Internal Auditors

Mitchell A. Danaher

Financial Executives International

Charles E. Landes

American Institute of Certified Public Accountants

Douglas F. Prawitt

American Accounting Association

Sandra Richtermeyer

Institute of Management Accountants

PwC—Author
Principal Contributors
Miles E.A. Everson

Engagement Leader and Global and Asia, Pacific, and Americas (APA) Advisory Leader

New York, USA

Dennis L. Chesley

Project Lead Partner and Global and APA Risk and Regulatory Leader

Washington DC, USA

Frank J. Martens

Project Lead Director and Global Risk Framework and Methodology Leader

British Columbia, Canada

Matthew Bagin

Director

Washington DC, USA

Hélène Katz

Director

New York, USA

Katie T. Sylvis

Director

Washington DC, USA

Sallie Jo Perraglia

Manager

New York, USA

Kathleen Crader Zelnik

Manager

Washington DC, USA

Maria Grimshaw

Senior Associate

New York, USA

Foreword

In keeping with its overall mission, the COSO Board commissioned and published in 2004 Enterprise Risk
Management—Integrated Framework. Over the past decade, that publication has gained broad acceptance by
organizations in their efforts to manage risk. However, also through that period, the complexity of risk has
changed, new risks have emerged, and both boards and executives have enhanced their awareness and
oversight of enterprise risk management while asking for improved risk reporting. This update to the 2004
publication addresses the evolution of enterprise risk management and the need for organizations to improve
their approach to managing risk to meet the demands of an evolving business environment. It is a concise
framework for applying enterprise risk management within any organization to increase management and
stakeholder confidence.

The updated document, now titled Enterprise Risk Management–Integrating with Strategy and Performance,
highlights the importance of considering risk in both the strategy-setting process and in driving performance. The
first part of the updated publication offers a perspective on current and evolving concepts and applications of
enterprise risk management. The second part, the Framework, is organized into five easy-to-understand
components that accommodate different viewpoints and operating structures, and enhance strategy and
decision-making. In short, this update:

• Provides greater insight into the value of enterprise risk management when setting and carrying out
strategy.

• Enhances alignment between performance and enterprise risk management to improve the setting of
performance targets and understanding the impact of risk on performance.

• Accommodates expectations for governance and oversight.

• Recognizes the globalization of markets and operations and the need to apply a common, albeit tailored,
approach across geographies.

• Presents new ways to view risk in setting and achieving objectives in the context of greater business
complexity.

• Expands reporting to address expectations for greater stakeholder transparency.

• Accommodates evolving technologies and the proliferation of data and analytics in supporting
decision-making.

• Sets out core definitions, components, and principles for all levels of management involved in designing,
implementing, and conducting enterprise risk management practices.

Readers may also wish to consult a complementary publication, COSO’s Internal Control—Integrated
Framework. The two publications are distinct and have different focuses; neither supersedes the other.
However, they do connect. Internal Control—Integrated Framework encompasses internal control, which is
referenced in part in this updated publication, and therefore the earlier document remains viable and suitable for
designing, implementing, conducting, and assessing internal control, and for consequent reporting.

The COSO Board would like to thank PwC for its significant contributions in developing Enterprise Risk
Management–Integrating with Strategy and Performance. Their full consideration of input provided by many
stakeholders and their insight were instrumental in ensuring that the strengths of the original publication have
been preserved, and that text has been clarified or expanded where it was deemed helpful to do so. The COSO
Board and PwC together would also like to thank the Advisory Council and Observers for their contributions in
reviewing and providing feedback.

Applying the Framework: Putting It into Context

1. Introduction
Integrating enterprise risk management practices throughout an organization improves decision-making in
governance, strategy, objective-setting, and day-to-day operations. It helps to enhance performance by more
closely linking strategy and business objectives to risk. The diligence required to integrate enterprise risk
management provides an entity with a clear path to creating, preserving, and realizing value.

A discussion of enterprise risk management (fn 1) begins with this underlying premise: every entity—whether
for-profit, not-for-profit, or governmental—exists to provide value for its stakeholders. This publication is built on a
related premise: all entities face risk in the pursuit of value. The concepts and principles of enterprise risk
management set out in this publication apply to all entities regardless of legal structure, size, industry, or
geography.

Risk affects an organization’s ability to achieve its strategy and business objectives. Therefore, one challenge for
management is determining the amount of risk (fn 2) the organization is prepared and able to accept. Effective
enterprise risk management helps boards and management to optimize outcomes with the goal of enhancing
capabilities to create, preserve, and ultimately realize value.

Management has many choices in how it will apply enterprise risk management practices, and no one approach
is universally better than another. Yet, for any entity, one approach may provide increased benefits versus
another or have a greater alignment with the overall management philosophy of the organization. This
Framework sets out a basic conceptual structure of ideas, which an organization integrates into other practices
occurring within the entity. Readers who are looking for information beyond a framework, or for different
practices they can apply to integrate the enterprise risk management concepts into the entity, will find the
appendices in Volume II to this publication helpful.

Enterprise Risk Management Affects Value

The value of an entity is largely determined by the decisions that management makes—from overall strategy
decisions through to day-to-day decisions. Those decisions can determine whether value is created, preserved,
eroded, or realized.

• Value is created when the benefits derived from resources deployed exceed the cost of those resources.
For example, value is created when a new product is successfully designed and launched and its profit
margin is positive. These resources could be people, financial capital, technology, processes, and market
presence (brand).

• Value is preserved when the value of resources deployed in day-to-day operations sustains created
benefits. For example, value is preserved with the delivery of superior products, service, and production
capacity, which results in satisfied and loyal customers and stakeholders.

• Value is eroded when management implements a strategy that does not yield expected outcomes or fails
to execute day-to-day tasks. For example, value is eroded when substantial resources are consumed to
develop a new product that is subsequently abandoned.

• Value is realized when stakeholders derive benefits created by the entity. Benefits may be monetary or
non-monetary.

How value is created depends on the type of entity. For-profit entities create value by successfully implementing
a strategy that balances market opportunities against the risks of pursuing those opportunities. Not-for-profit and
governmental entities may create value by delivering goods and services that balance their opportunities to
serve the broader community against any associated risks. Regardless of the type of entity, integrating
enterprise risk management practices with other aspects of the business enhances trust and instills greater
confidence with stakeholders.

Mission, Vision, and Core Values

Mission, vision, and core values (fn 3) define what an entity strives to be and how it wants to conduct business.
They communicate to stakeholders the purpose of the entity. For most entities, mission, vision, and core values
remain stable over time, and through setting strategy, they are typically reaffirmed. Yet, they also may evolve as
the expectations of stakeholders change. For example, a new executive management team may bring
different ideas about how the mission should create value for the entity.

• Mission: The entity’s core purpose, which establishes what it wants to accomplish and why it exists.

• Vision: The entity’s aspirations for its future state or what the organization aims to achieve over time.

• Core Values: The entity’s beliefs and ideals about what is good or bad, acceptable or unacceptable, which
influence the behavior of the organization.

In the Framework (Chapters 6 through 10), mission and vision are considered in the context of an organization
setting and carrying out its strategy and business objectives. Core values are considered in the context of the
culture the entity wishes to embrace.

Enterprise Risk Management Affects Strategy

"Strategy" refers to an organization’s plan to achieve its mission and vision, and to apply its core values. A well-
defined strategy drives the efficient allocation of resources and effective decision-making. It also provides a road
map for establishing business objectives throughout the entity.

Enterprise risk management (fn 4) does not create the entity’s strategy, but it influences its development. An
organization that integrates enterprise risk management practices into setting strategy provides management
with the risk information it needs to consider alternative strategies and, ultimately, to adopt a chosen strategy.

Enterprise Risk Management Is Linked to Business

Enterprise risk management practices integrate with all other aspects of the business, including governance,
performance management, and internal control practices.

Governance
Governance forms the broadest concept. Typically, this refers to the allocation of roles, authorities, and
responsibilities among stakeholders, the board, and management. Some aspects of governance fall outside
enterprise risk management (e.g., board member recruiting and evaluation; developing the entity’s mission,
vision, and core values).

Performance Management
Performance relates to actions, tasks, and functions to achieve, or exceed, an entity’s strategy and business
objectives. Performance management focuses on deploying resources efficiently. It is concerned with measuring
those actions, tasks, and functions against predetermined targets (both short-and long-term) and determining
whether those targets are being achieved. Because a variety of risks—both known and unknown—may affect an
entity’s performance, a variety of measures may be used:

• Financial measures, such as return on investments, revenue, or profitability.

• Operating measures, such as hours of operation, production volumes, or capacity percentages.

• Obligation measures, such as adherence to service-level agreements or regulatory compliance
requirements.

• Project measures, such as having a new product launch within a set period of time.

• Growth measures, such as expanding market share in an emerging market.

• Stakeholder measures, such as the delivery of education and basic employment skills to those needing
upgrades when they are out of work.

There is always risk associated with a predetermined performance target. For example, large-scale agriculture
producers will have a certain amount of risk relating to their ability to produce the volumes required to satisfy
customer demands and meet profitability targets. Similarly, airlines will have a certain amount of risk relating to
their ability to operate all flights on schedule. Yet, airline companies may foresee less risk that they can operate
90% or even 80% of their scheduled flights on time versus 100% of their scheduled flights. In both of these
examples, there is an amount of risk associated with managing to achieve the predetermined targets of
performance—production volume and flight operation.

An entity can enhance its overall performance by integrating enterprise risk management into day-to-day
operations and more closely linking business objectives to risk.

Internal Control
Enterprise risk management incorporates some concepts of internal control. "Internal control" is the process put
into effect by an entity to provide reasonable assurance that objectives will be achieved. Internal control helps
the organization to identify and analyze the risks to achieving those objectives and how to manage risks. It
allows management to stay focused on the entity’s operations and the pursuit of its performance targets while
complying with relevant laws and regulations. Note, however, that some concepts relating to enterprise risk
management are not considered within internal control (e.g., concepts of risk appetite, tolerance, strategy, and
objectives are set within enterprise risk management but viewed as preconditions of internal control).

To avoid redundancy, some concepts relating to internal control that are common to both this publication and
Internal Control—Integrated Framework have not been repeated here (e.g., fraud risk relating to financial
reporting objectives, control activities relating to compliance objectives, and ongoing and separate evaluations
relating to operations objectives). However, some common concepts relating to internal control are further
developed in the Framework (fn 5) section (e.g., governance of enterprise risk management). Please review
Internal Control—Integrated Framework (fn 6) as part of applying the Framework in this publication.

Benefits of Enterprise Risk Management

An organization needs to identify challenges that lie ahead and adapt to meet those challenges. It must engage
in decision-making with an awareness of both the opportunities for creating value and the risks that challenge
the organization in creating value. In short, it must integrate enterprise risk management practices with
strategy-setting and performance management practices, and in doing so it will realize benefits related to value.

Benefits of integrating enterprise risk management include the ability to:

• Increase the range of opportunities: By considering all reasonable possibilities—both positive and negative
aspects of risk—management can identify opportunities for the entity and unique challenges associated
with current and future opportunities. For example, when the managers of a locally based food company
considered potential risks likely to affect the business objective of sustainable revenue growth, they
determined that the company’s primary consumers were becoming increasingly health conscious and
changing their diet. This change indicated a potential decline in future demand for the company’s current
products. In response, management identified ways to develop new products and improve existing ones,
which allowed the company to maintain revenue from existing customers (preserving value) and to create
additional revenue by appealing to a broader consumer base (creating value).

• Increase positive outcomes and advantage while reducing negative surprises: Enterprise risk management
allows an organization to improve its ability to identify risks and establish appropriate responses,
increasing positive outcomes while reducing negative surprises and related costs or losses. For example, a
manufacturing company that provides just-in-time parts to customers for use in production risks penalties
for failing to deliver on time. In response to this risk, the company assessed its internal shipping processes
by reviewing time of day for deliveries, typical delivery routes, and unscheduled repairs on the delivery
fleet. It used the findings to set maintenance schedules for its fleet, schedule deliveries outside of rush
periods, and devise alternatives to key routes. Recognizing that not all traffic delays can be avoided, it also
developed protocols to warn clients of potential delays. In this case, performance was improved by
management influencing risk within its ability (production and scheduling) and adapting to risks beyond its
direct influence (traffic delays).

• Identify and manage entity-wide risks: Every entity faces myriad risks that can impact many parts of the
entity. Sometimes a risk can originate in one part of the entity but affect a different part. Management must
identify and manage these entity-wide risks to sustain and improve performance. For example, when a
bank realized that it faced a variety of risks in trading activities, management responded by developing a
system to analyze internal transaction and market information that was supported by relevant external
information. The system provided an aggregate view of risks across all trading activities, allowing
drill-down capability to departments, customers, and traders. It also allowed the bank to quantify the relative
risks. The system met the entity’s enterprise risk management requirements and allowed the bank to bring
together previously disparate data to respond more effectively to risks.

• Reduce performance variability: For some entities, the challenge is less about surprises and losses, and
more about performance variability. Performing ahead of schedule or beyond expectations may cause as
much concern as performing below expectations. For instance, within a public transportation system, riders
will be just as annoyed when a bus or train departs ten minutes early as when it is ten minutes late: both
can cause riders to miss connections. To manage such variability, transit schedulers build natural pauses
into the schedule. Drivers wait at designated stops until a set time, regardless of when they arrive. This
helps smooth out variability in travel times and improve overall performance and rider views of the transit
system. Enterprise risk management allows organizations to anticipate the risks that would affect
performance and enables them to take action to minimize disruption.

• Improve resource deployment: Obtaining robust information on risk allows management to assess overall
resource needs and helps to optimize resource allocation. For example, a downstream gas distribution
company recognized that its aging infrastructure increased the risk of a gas leak occurring. By looking at
trends in gas leak–related data, the organization was able to assess the risk across its distribution network.
Management subsequently developed a plan to replace worn-out infrastructure and repair those sections
that had remaining useful life. This approach allowed the company to maintain the integrity of the
infrastructure while allocating significant additional resources over a longer period of time.

Keep in mind that the benefits of integrating enterprise risk management practices with strategy-setting and
performance management practices will vary by entity. There is no one-size-fits-all approach available for all
entities. However, implementing enterprise risk management practices will generally help an organization
achieve its performance and profitability targets and prevent or reduce the loss of resources.

Enterprise Risk Management and the Capacity to
Adapt, Survive, and Prosper
Every entity sets out to achieve its strategy and business objectives, doing so in an environment of change.
Market globalization, technological breakthroughs, mergers and acquisitions, fluctuating capital markets,
competition, political instability, workforce capabilities, and regulation, among other things, make it difficult to
know all possible risks to the achievement of strategy and business objectives.

Because risk is always present and always changing, pursuing and achieving goals can be difficult. While it may
not be possible for organizations to manage all potential outcomes of a risk, they can improve how they adapt to
changing circumstances. This is sometimes referred to as organizational sustainability, resilience, and agility.
The Framework incorporates this concept in the broad context of creating, preserving, and realizing value.

Enterprise risk management focuses on managing risks to reduce the likelihood that an event will occur and on
managing the impact when one does occur. "Managing the impact" may require an organization to adapt as
circumstances dictate. In some extreme cases, this may include implementing a crisis management plan.
Example 1.1 illustrates such a plan in practice.

Example 1.1: Crisis Management Plan

A cruise ship operator is concerned about the potential of viral outbreaks occurring while its ships are at sea. A
cruise ship does not have the capability to quarantine passengers during an outbreak, but it can carry out
procedures to minimize the spread of germs. However, despite installing hand-sanitizing stations throughout the
ship, providing laundry facilities, and daily disinfecting handrails, washrooms, and other common areas, viral
outbreaks still can and do occur. The organization responds by implementing specific practices. First, routine
on-board cleaning and sanitizing are escalated. Once the ship is in port, all passengers are required to disembark to
allow specially trained staff to disinfect the entire ship. Afterwards, cleaning protocols are updated based on the
strain of virus found. The next departing cruise is delayed until all cleaning protocols are addressed. In most
instances, the delay is less than forty-eight hours. By having strong enterprise risk management practices in place
to immediately respond and adapt to each unique situation, the company is able to minimize the impact while
maintaining passenger confidence in the cruise line.

Sometimes an organization is not able to return to normal operations in the near term when an event occurs. In
these cases, the organization must adopt a longer-term solution. For instance, consider a cruise ship that is
disabled at sea by a fire. Unlike the scenario of a viral outbreak noted in Example 1.1, which affects only a few
passengers, the fire affects everyone. There may be an immediate need for medical assistance, food, water, and
shelter, or even a call to off-load all passengers. Because ships are seldom in the same place, common crisis
response planning may be less effective as each location and type of incident can present different challenges.
However, by scheduling its fleet location and staggering departure schedules, the company can maintain a
routing where ships are always within hours of a port or another cruise ship. This overlap allows the company to
rapidly redeploy ships and crews to assist in an emergency.

Management will be in a better position if it takes time to anticipate what may transpire—the probable, the
possible, and the unlikely. The capacity to adapt to change makes an organization more resilient and better able
to evolve in the face of marketplace and resource constraints. This capacity may also give management the
confidence to increase the amount of risk the organization is willing to accept and, ultimately, to accelerate
growth and create value.

Footnotes

fn 1 Defined terms are linked to the Glossary of Key Terms when first used in the document.

fn 2 In this publication, "risks" (plural) refers to one or more potential events that may affect the achievement
of objectives. "Risk" (singular) refers to all potential events collectively that may affect the achievement
of objectives.

fn 3 Note that some entities use different terms, such as “credo,” “purpose,” “philosophy,” “fundamental
beliefs,” and “policies.” Regardless of the terminology used, the concepts underlying mission, vision,
and core values provide a structure for communicating throughout the entity.

fn 4 Throughout this document, "enterprise risk management" refers to the culture, capabilities, and
practices, integrated with strategy-setting and performance, that organizations rely on to manage risk in
creating, preserving, and realizing value. It does not refer to a function, group, or department within an
entity. Specific considerations on the operating model are discussed in Appendix B in Volume II.

fn 5 "Framework" refers collectively to the five components introduced in Chapter 5 and covered individually
in Chapters 6 through 10.

fn 6 Internal Control—Integrated Framework can be obtained through www.coso.org.

2. Understanding the Terms: Risk and
Enterprise Risk Management

Defining Risk and Uncertainty

An entity’s strategy and business objectives may be affected by potential events. A lack of complete
predictability of an event occurring (or not) and its related impact creates uncertainty for an organization.
Uncertainty exists for any entity (fn 7) that sets out to achieve future strategies and business objectives. In this
context, risk is defined as:

The possibility that events will occur and affect the achievement of strategy and business objectives.

The box on this page contains terms that expand on and support the definition of risk. The Framework
emphasizes that risk relates to the potential for events, often considered in terms of severity. In some instances,
the risk may relate to the anticipation of an expected event that does not occur.

• Event: An occurrence or set of occurrences.

• Uncertainty: The state of not knowing how or if potential events may manifest.

• Severity: A measurement of considerations such as the likelihood and impact of events or the time it takes
to recover from events.

In the context of risk, events are more than routine transactions; they include broader business matters such as
changes in the governance and operating structure, geopolitical and social influences, and contracting
negotiations, among other things. Some events that potentially affect strategy and business objectives are
readily discernable—a change in interest rates, a competitor launching a new product, or the retirement of a key
employee. Others are less evident, particularly when multiple small events combine to create a trend or
condition. For instance, it may be difficult to identify specific events related to global warming, yet that condition
is generally accepted as occurring. In some cases, organizations may not even know or be able to identify what
events may occur.

Organizations commonly focus on those risks that may result in a negative outcome, such as damage from a
fire, losing a key customer, or a new competitor emerging. However, events can also have positive outcomes,[8]
such as better-than-forecast weather, stronger staff retention trends, or improved tax rates, which should also
be considered. As well, events that are beneficial to the achievement of one objective may at the same time
pose a challenge to the achievement of other objectives. For example, a product launch with higher-than-
forecast demand has a positive effect on financial performance. However, it may also increase risk to the supply
chain, which may result in unsatisfied customers if the company cannot supply the product.

Some risks have minimal impact on an entity, and others have a larger impact. Enterprise risk management
practices help the organization identify, prioritize, and focus on those risks that may prevent value from being
created, preserved, and realized, or that may erode existing value. But, just as important, it also helps the
organization pursue potential opportunities.

Defining Enterprise Risk Management


Enterprise risk management is defined here as:

The culture, capabilities, and practices, integrated with strategy-setting and performance, that organizations rely
on to manage risk in creating, preserving, and realizing value.

A more in-depth look at the definition of enterprise risk management emphasizes its focus on managing risk
through:

• Recognizing culture.

• Developing capabilities.

• Applying practices.

• Integrating with strategy-setting and performance.

• Managing risk to strategy and business objectives.

• Linking to value.

Recognizing Culture
Culture is developed and shaped by the people at all levels of an entity by what they say and do. It is people
who establish the entity’s mission, strategy, and business objectives, and put enterprise risk management
practices in place. Similarly, enterprise risk management affects people’s decisions and actions. Each person
has a unique point of reference, which influences how he or she identifies, assesses, and responds to risk.
Enterprise risk management helps people make decisions while understanding that culture plays an important
role in shaping those decisions.

Developing Capabilities

Organizations pursue various competitive advantages to create value for the entity. Enterprise risk management
adds to the skills needed to carry out the entity’s mission and vision and to anticipate the challenges that may
impede organizational success. An organization that has the capacity to adapt to change is more resilient and
better able to evolve in the face of marketplace and resource constraints and opportunities.

Applying Practices
Enterprise risk management is not static, nor is it an adjunct to a business. Rather, it is continually applied to the
entire scope of activities as well as special projects and new initiatives. It is part of management decisions at all
levels of the entity.

The practices used in enterprise risk management are applied from the highest levels of an entity and flow down
through divisions, business units, and functions. The practices are intended to help people within the entity
better understand its strategy, what business objectives have been set, what risks exist, what the acceptable
amount of risk is, how risk impacts performance, and how they are expected to manage risk. In turn, this
understanding supports decision-making at all levels and helps to reduce organizational bias.

Integrating with Strategy-Setting and Performance


An organization sets strategy that aligns with and supports its mission and vision. It also sets business
objectives that flow from the strategy, cascading to the entity’s business units, divisions, and functions. At the
highest level, enterprise risk management is integrated with strategy-setting, with management understanding
the overall risk profile for the entity and the implications of alternative strategies to that risk profile. Management
specifically considers any new opportunities that arise through innovation and emerging pursuits.

But enterprise risk management doesn’t stop there; it continues in the day-to-day tasks of the entity, and in so
doing may realize significant benefits. An organization that integrates enterprise risk management into daily
tasks is more likely to have lower costs compared with one that "layers on" enterprise risk management
procedures. In a highly competitive marketplace, such cost savings can be crucial to a business’s success. As
well, by building enterprise risk management into the core operations of the entity, management is likely to
identify new opportunities to grow the business.

Enterprise risk management integrates with other management processes as well. Specific actions are needed
for specific tasks, such as business planning, operations, and financial management. An organization
considering credit and currency risks, for example, may need to develop models and capture large amounts of
data necessary for analytics. By integrating enterprise risk management practices with an entity’s operating
activities, and understanding how risk potentially impacts the entity overall, not just in one area, enterprise risk
management can become more effective.

Managing Risk to Strategy and Business Objectives
Enterprise risk management is integral to achieving strategy and business objectives. Well-designed enterprise
risk management practices provide management and the board of directors with a reasonable expectation that
they can achieve the overall strategy and business objectives of the entity. Having a reasonable expectation
means that the amount of risk of achieving strategy and business objectives is appropriate for that entity,
recognizing that no one can predict risk with absolute precision.

But even with reasonable expectations in place, entities can experience unforeseen challenges, which is why
regularly reviewing enterprise risk management practices is important. Review—and consequent revision when
needed—helps maintain robust practices that increase management’s confidence in the entity’s ability to
successfully respond to the unexpected and achieve its strategy and business objectives.

Linking to Value
An organization must manage risk to strategy and business objectives in relation to its risk appetite—that is, the
types and amount of risk, on a broad level, it is willing to accept in its pursuit of value. The first expression of risk
appetite is an entity’s mission and vision. Different strategies will expose an entity to different risks or different
amounts of similar risks.

Risk appetite provides guidance on the practices an organization is encouraged to pursue or not pursue. It sets
the range of appropriate practices and guides risk-based decisions rather than specifying a limit.

Risk appetite is not static; it may change between products or business units and over time in line with changing
capabilities for managing risk. The types and amount of risk that an organization might consider acceptable can
change. For example, during good economic times, a successful and growing company may be more willing to
accept certain downside risk than when economic times are bad and business outlooks deteriorate. Risk
appetite must be flexible enough to adapt to changing business conditions as needed without waiting for periodic
management reviews and approvals.

While risk appetite is introduced here,[9] the Framework sets out numerous instances where it is applied as
part of enterprise risk management. Some of the more important applications of risk appetite are its:

• Use by the organization in making decisions that enhance value.

• Help in aligning the acceptable amount of risk with the organization’s capacity to manage risk and
opportunities.

• Relevance when setting strategy and business objectives, helping management consider whether
performance targets are aligned with acceptable amount of risk.

• Assistance in communicating risk profiles desired by the board.

• Relevance and alignment with risk capacity.

• Use in evaluating aggregated risk at a portfolio view.

Enterprise risk management helps management select a strategy that aligns anticipated value creation with the
entity’s risk appetite and its capabilities for managing risk more often and more consistently over time. Managing
risk within risk appetite enhances an organization’s ability to create, preserve, and realize value.

Footnotes

[7] "Entity" is a broad term that can encompass a wide variety of legal structures including for-profit,
not-for-profit, and governmental entities.

[8] This Framework distinguishes between positive outcomes and opportunities. Positive outcomes relate
to those instances where performance exceeds the original target. Opportunities relate to an action or
potential action that creates or alters goals or approaches for creating, preserving, and realizing value.

[9] Risk appetite is discussed further in the Framework under Principle 7: Defines Risk Appetite.

3. Strategy, Business Objectives, and Performance

Enterprise Risk Management and Strategy
Enterprise risk management helps an organization better understand:

• How mission, vision, and core values form the initial expression of what types and amount of risk are
acceptable to consider when setting strategy.

• The possibility that strategy and business objectives may not align with the mission, vision, and core
values.

• The types and amount of risk the organization potentially exposes itself to by choosing a particular
strategy.

• The types and amount of risk inherent in carrying out its strategy and achieving business objectives and
the acceptability of this level of risk, and ultimately, value.

Figure 3.1 illustrates strategy in the context of mission, vision, and core values, and as a driver of an entity’s
overall direction and performance.

Figure 3.1: Strategy in Context

Possibility of Misaligned Strategy and Business Objectives
Both mission and vision provide a view from up high of the acceptable types and amount of risk for the entity.
They help the organization to establish boundaries and focus on how decisions may affect strategy. An
organization that understands its mission and vision can set strategies that will yield the desired risk profile.
Consider the statements from a healthcare provider in Example 3.1.

Example 3.1: Cascading Mission, Vision, and Core Values

Mission: To improve the health of the people we serve by providing high-quality care, a comprehensive range of
services, and convenient and timely access with exceptional patient service and compassion.

Vision: Our hospital will be the healthcare provider of choice for physicians and patients, and be known for
providing unparalleled quality, delivering celebrated service, and being a terrific place to practice medicine.

Core Values: Our values serve as the foundation for everything we think, say, and do. We will treat our
physicians, patients, and our colleagues with respect, honesty, and compassion, while holding them accountable
for these values.

These statements guide the organization in determining the types and amount of risk it is likely to encounter and
accept. The organization would consider the risks associated with providing high-quality care (mission),
providing convenient and timely access (mission), and being a terrific place to practice medicine (vision).
Considering its high regard for quality, service, and breadth of skill, the organization is likely to seek a strategy
that has a lower-risk profile relating to quality of care and patient service. This may mean offering in-patient
and/or out-patient services, but not being a primary on-line presence. On the other hand, if the organization had
stated its mission in terms of innovation in patient care approaches or advanced delivery channels, it may have
adopted a strategy with a different risk profile.

Enterprise risk management can help an entity avoid misaligning a strategy. It can provide an organization with
insight to ensure that the strategy it chooses supports the entity’s broader mission and vision for management
and board consideration.

Evaluating the Chosen Strategy


Enterprise risk management does not create the entity’s strategy, but it informs the organization on risks
associated with alternative strategies considered and, ultimately, with the adopted strategy. The organization
needs to evaluate how the chosen strategy could affect the entity’s risk profile, specifically the types and amount
of risk to which the organization is potentially exposed.

When evaluating potential risks that may arise from strategy, management also considers any critical
assumptions that underlie the chosen strategy. These assumptions form an important part of the strategy and
may relate to any of the considerations that form part of the entity’s business context. Enterprise risk
management provides valuable insight into how sensitive changes to assumptions are: that is, whether they
would have little or great effect on achieving the strategy.

Example 3.2 considers the mission and vision of the healthcare provider discussed earlier, and how the entity
cascades these into its strategy statement. Using the statement shown in that example, the organization can
consider what risks may result from the strategy chosen. For instance, risks relating to medical innovation may
be more pronounced, risks to the ability to provide high-quality care may elevate in the wake of cost-
management initiatives, and risks relating to managing new partnerships may be an approach the organization
has not previously focused on. These and many other risks result from the choice of strategy. Yet, there remains
the question of whether the entity is likely to achieve its mission and vision with this strategy, or whether there is
an elevated risk to achieving the set goals.

Example 3.2: Cascading Mission, Vision, and Core Values

Our Strategy:

• Maximize value for our patients by improving quality across a diverse spectrum of services.

• Curtail trends in increasing costs.

• Integrate operating efficiency and cost-management initiatives.

• Align physicians and clinical integration.

• Leverage clinical program innovation.

• Grow strategic partnerships.

• Manage patient service delivery, and reduce wait times where practical.

Risk to Implementing the Strategy and Business Objectives
There is always risk to carrying out a strategy, which every organization must consider. Here, the focus is on
understanding the strategy set out and what risks there are to its relevance and viability. Sometimes the risks
become important enough that an organization may wish to revisit its strategy and consider revising it or
selecting one with a more suitable risk profile.

The risk to carrying out strategy may also be viewed through the lens of business objectives. An organization
can use a variety of techniques to assess risks using some kind of common measure. Wherever possible, the
organization should use similar units for measuring risk for each objective. Doing so will help to align the severity
of the risk with established performance measures.

Enterprise Risk Management and Performance
Assessing risk to the strategy and business objectives requires an organization to understand the relationship
between risk and performance—referred to in this Framework as the "risk profile." An entity’s risk profile
provides a composite view of the risk at a particular level of the entity (e.g., overall entity level, business unit
level, functional level) or aspect of the business model (e.g., product, service, geography).

This composite view allows management to consider the type, severity, and interdependencies of risks, and how
they may affect performance. The organization should initially understand the potential risk profile when
evaluating alternative strategies. Once a strategy is chosen, the focus shifts to understanding the current risk
profile for that chosen strategy and related business objectives.

The relationship between risk and performance is rarely linear. Incremental changes in performance targets do
not always result in corresponding changes in risk (or vice versa). Consequently, a useful, dynamic
representation, sometimes depicted graphically, illustrates the aggregate amount of risk associated with different
levels of performance. Such a representation considers risk as a continuum of potential outcomes along which
the organization must balance the amount of risk to the entity and its desired performance.

There are several methods for depicting a risk profile. The Framework uses one approach, shown here, to
illustrate the relationship between various aspects of enterprise risk management. Doing so helps to enhance
the conversations of risk, risk appetite, tolerance, and the overall relationship to performance targets.

Figure 3.2: Risk Relative to Performance

Risk profiles that trend upwards, as shown in Figure 3.2, are typical of, but not limited to, business objectives
such as:

• Oil and gas exploration: As exploration efforts for new oil and gas reserves target increasingly remote and
inaccessible areas, oil and gas companies likely face greater amounts of risk in an effort to locate
resources.

• Recruitment of specialist resources: As entities pursue increasingly niche products or markets, the risks
associated with attracting and retaining expertise and experience in their workforce increases.

• Transportation and logistics: As the number of locations or volume of goods increases, the size of the
transportation fleet and complexity of operations grows, resulting in a higher amount of risk.

• Funding for capital works and improvements: In illiquid markets, or where consumer confidence is low, the
amount of risk associated with an entity’s ability to secure funding for capital works, projects, or initiatives
increases.

There is, however, no one universal risk profile shape or trend. Every entity’s risk profile will be different
depending on its unique strategy and business objectives. Organizations can use their risk profiles to better
understand the intrinsic relationship between risk, targeted performance, and actual performance.

Risk profiles help management to determine what amount of risk is acceptable and manageable in the pursuit of
strategy and business objectives. Risk profiles[10] may help management:

• Understand the level of performance in the context of the entity’s risk appetite (see Principle 7: Defines
Risk Appetite).

• Find the optimal level of performance given the organization’s ability to manage risk (see Principle 9:
Formulates Business Objectives).

• Determine the tolerance for variation in performance related to the target (see Principle 9: Formulates
Business Objectives).

• Assess the potential impact of risk on predetermined targets (see Principle 11: Assesses Severity of Risk
and Principle 14: Develops Portfolio View).

While the risk profile shown here implies needing a specific level of precision, and perhaps data to create, keep
in mind that it can also be developed using qualitative information.

Footnotes

[10] Refer to Appendix D in Volume II for a more detailed discussion on risk profiles.

4. Integrating Enterprise Risk Management

The Importance of Integration
An entity’s success is the result of countless decisions made every day by the organization that affect the
performance and, ultimately, the achievement of the strategy or business objectives. Most of those decisions
require selecting one approach from multiple alternatives. Many of the decisions will not be simply either "right"
or "wrong," but will include trade-offs: time versus quality; efficiency versus cost; risk versus reward.

When making such decisions, management and the board must continually navigate a dynamic business
context, which requires integrating enterprise risk management thinking into all aspects of the entity, at all times.
The Framework, therefore, views enterprise risk management in just that way. It is not simply a function or
department within an entity, something that can be "tacked on." Rather, culture, practices, and capabilities are,
together, integrated and applied throughout the entity.

Integrating enterprise risk management with business activities and processes results in better information that
supports improved decision-making and leads to enhanced performance. In addition it helps organizations to:

• Anticipate risks earlier or more explicitly, opening up more options for managing the risks and minimizing
the potential for deviations in performance, losses, incidents, or failures.

• Identify and pursue existing and new opportunities in accordance with the entity’s risk appetite and
strategy.

• Understand and respond to deviations in performance more quickly and consistently.

• Develop and report a more comprehensive and consistent portfolio view of risk, thereby allowing the
organization to better allocate finite resources.

• Improve collaboration, trust, and information sharing across the organization.

Integration enables the organization to make decisions that are better aligned with the speed and potential
disruption of individual risks and the pursuit of new opportunities. Risk-aggressive entities may need to obtain
risk-related information quickly and have streamlined decision-making processes in place in order to pursue fast-
moving opportunities. For example, consider an investment firm that has been presented with an opportunity to
bid on a new deal, but is required to respond within several hours. The firm’s risk management practices are well
integrated with the capabilities within the bidding process, allowing the organization to collect and review the
available information and make a decision in the time required.

Where risk management practices and capabilities are separate, collecting relevant information, identifying
stakeholders, and making decisions all take longer, and that can jeopardize an entity’s ability to meet urgent
deadlines. In short, the more risk aggressive the entity, the greater the value of integration.

Toward Full Integration
For most entities, integrating enterprise risk management is an ongoing endeavor. Factors that influence
integration are entity culture, size, complexity, and how long a risk-aware culture has been embraced.

An entity that is just beginning to develop enterprise risk management will have limited practices and capabilities
on which to rely. But as the entity matures, it implements more dedicated practices and capabilities that improve
decision-making (such as identifying, assessing, and responding to risks). Once organizations consistently
integrate risk considerations, they become less reliant on the formalized, stand-alone practices and
infrastructure. For example, in a fully integrated entity, personnel will identify deviations in performance and
understand the potential effect on the risk profile without relying on a stand-alone assessment program.

Time isn’t the only factor affecting an entity’s ability to fully integrate enterprise risk management. Size and type
matter, too (i.e., whether the entity is for profit, not-for-profit, heavily regulated, etc.). For example, a large
pharmaceuticals company may have a well-developed risk-aware culture, but may be required to retain some
stand-alone monitoring and reporting practices by its regulators. In comparison, smaller non-regulated entities
may focus more on developing risk awareness and integrating risk throughout performance reporting.

In a fully integrated entity, enterprise risk management practice will also affect the operating structure. At this
point, awareness and responsibility for risk are more evenly distributed across the operating structure, which is
often characterized by the understanding that "everyone is a risk manager." Silos of knowledge are broken down
to enable better decision-making across the entity.

The following lists provide examples of how organizations can foster full integration of enterprise risk
management throughout the culture, capabilities, and practices of the entity, with the result being better
decision-making.

Culture
Instilling more transparency and risk awareness into an entity’s culture requires actions such as:

• Implementing forums or other mechanisms for sharing information, making decisions, and identifying
opportunities.

• Encouraging people to escalate issues and concerns without fear of retribution.

• Clarifying and communicating roles and responsibilities for the achievement of strategy and business
objectives, including responsibilities for the management of risk.

• Aligning core values, behaviors, and decision-making with incentives and remuneration models.

• Developing and sharing a strong understanding of the business context and drivers of value creation.

Capabilities
Enterprise risk management capabilities are integrated into the entity when:

• Management is able to make decisions that are appropriate given its appetite, risk profile of the entity, and
the changes to the profile that occur over time.

• The organization routinely hires capable individuals with relevant experience who can exercise judgment
and oversight in accordance with their responsibilities.

• The organization has access to capable individuals, subject matter experts, or other technical resources to
support decision-making.

• When making necessary investments in technology or other infrastructure, management considers the
tools required to enable enterprise risk management responsibilities.

• Vendors, contractors, and other third parties are considered in discussions of risk and performance.

Practices
Enterprise risk management practices are integrated when:

• Setting strategy explicitly considers risk when evaluating options.

• Management actively addresses risk in pursuit of its performance targets.

• Activities are developed to regularly and consistently monitor performance results and changes in the risk
profile throughout the entity.

• Management is able to make decisions that are in line with the speed and scope of changes in the entity.

Example 4.1 describes integration in practice.

Example 4.1: Integration in Practice

The management of a large government department integrates enterprise risk management practices with the
monthly performance management meetings. At these meetings, they analyze performance and discuss new,
emerging, and changing risks that affect their ability to effectively serve the public. This promotes greater
transparency and increased responsiveness to the most important risks, sharing of ideas on how best to approach
the risk, and greater consistency on deploying risk responses across the operations of the department.

Addressing Integration in the Framework
Each component of enterprise risk management includes principles (set out in the following chapter), which
apply to creating, preserving, and realizing value in an organization regardless of size, type, or location. The
principles and their components do not represent isolated, stand-alone concepts. Each highlights the importance
of integrating enterprise risk management and the role of decision-making.

For each principle, the Framework outlines considerations to fully integrating culture, practices, and capabilities
into the entity. These considerations are not exhaustive, but they do demonstrate the range of inputs into
decision-making and the exercise of judgment by personnel, management, and the board.

5. Components and Principles

Components and Principles of Enterprise Risk Management
The Framework consists of the five interrelated components of enterprise risk management. Figure 5.1
illustrates these components and their relationship with the entity’s mission, vision, and core values. The three
ribbons in the diagram of Strategy and Objective-Setting, Performance, and Review and Revision represent the
common processes that flow through the entity. The other two ribbons, Governance and Culture, and
Information, Communication, and Reporting, represent supporting aspects of enterprise risk management.

The figure further illustrates that when enterprise risk management is integrated across strategy development,
business objective formulation, and implementation and performance, it can enhance value. Enterprise risk
management is not static. It is integrated into the development of strategy, formulation of business objectives,
and the implementation of those objectives through day-to-day decision-making.

Figure 5.1: Risk Management Components

The five components[11] are:

 Governance and Culture: Governance and culture together form a basis for all other components of
enterprise risk management. Governance sets the entity’s tone, reinforcing the importance of enterprise
risk management, and establishing oversight responsibilities for it. Culture is reflected in decision-making.

 Strategy and Objective-Setting: Enterprise risk management is integrated into the entity’s strategic plan
through the process of setting strategy and business objectives. With an understanding of business
context, the organization can gain insight into internal and external factors and their effect on risk. An
organization sets its risk appetite in conjunction with strategy-setting. The business objectives allow
strategy to be put into practice and shape the entity’s day-to-day operations and priorities.

 Performance: An organization identifies and assesses risks that may affect the entity’s ability to achieve its
strategy and business objectives. It prioritizes risks according to their severity and in light of the entity’s risk
appetite. The organization then selects risk responses and monitors performance for change. In this way, it
develops a portfolio view of the amount of risk the entity has assumed in the pursuit of its strategy and
entity-level business objectives.

 Review and Revision: By reviewing enterprise risk management capabilities and practices, and the
entity’s performance relative to its targets, an organization can consider how well the enterprise risk
management capabilities and practices have increased value over time and will continue to drive value in
light of substantial changes.

 Information, Communication, and Reporting: Communication is the continual, iterative process of
obtaining information and sharing it throughout the entity. Management uses relevant information from both
internal and external sources to support enterprise risk management. The organization leverages
information systems to capture, process, and manage data and information. By using information that
applies to all components, the organization reports on risk, culture, and performance.

Within these five components are a series of principles, as illustrated in Figure 5.2. The principles represent the
fundamental concepts associated with each component. These principles are worded as things organizations
would do as part of the entity’s enterprise risk management practices. While these principles are universal and
form part of any effective enterprise risk management initiative, management must bring judgment to bear in
applying them. Each principle is covered in detail in the respective chapters on components.

Figure 5.2: Risk Management Principles

Assessing Enterprise Risk Management


An organization should have a means to reliably provide the entity’s stakeholders with a reasonable
expectation that it is able to manage risk to an acceptable amount. It does this by assessing the enterprise risk
management practices that are in place. Such assessment is voluntary, unless required otherwise by legislation
or regulation.

The Framework provides criteria for conducting an assessment and determining whether the enterprise risk
management culture, capabilities, and practices collectively manage the risk of not achieving the entity’s strategy
and supporting business objectives. During an assessment, the organization considers whether:

 The components and principles relating to enterprise risk management are present and functioning.

 The components relating to enterprise risk management are operating together in an integrated manner.

 The controls necessary to put into effect relevant principles are present and functioning. (fn 12)

In these three considerations, being "present" means the components, principles, and controls exist in the
design and implementation of enterprise risk management to achieve strategy and business objectives. Being
"functioning" means they continue to operate to achieve strategy and business objectives. And "operating
together" refers to the interdependencies of components and how they function cohesively. Organizations may
place different emphasis on specific principles and apply them differently, depending on the benefits an
organization seeks to attain through enterprise risk management. (fn 13) When these components, principles, and
supporting controls are present and functioning, the organization can reasonably expect that enterprise risk
management is helping the entity create, preserve, and realize value.

Different approaches are available for assessing enterprise risk management. When the assessment is
performed to communicate to external stakeholders, it would be conducted considering the principles set out in
the Framework. When assessing enterprise risk management for internal purposes, some organizations may
choose to use some form of maturity model in completing this evaluation, recognizing that the model must be
tailored to address the complexity of the business. Factors that add complexity may include, among other things,
the entity’s geography, industry, nature, extent and frequency of change within the entity, historical performance
and variation in performance, reliance on technology, and the extent of regulatory oversight.

During an assessment, management may also review the suitability of those capabilities and practices, keeping
in mind the entity’s complexity and the benefits the organization seeks to attain through enterprise risk
management.

Footnotes

fn 11: Components are discussed in detail in Chapters 6 through 10.

fn 12: Additional discussion on controls to effect principles is set out in Internal Control—Integrated
Framework.

fn 13: Potential benefits relating to enterprise risk management are set out in Chapter 1: Introduction.

Framework

6. Governance and Culture


Principles Relating to Governance and Culture

Introduction
An entity’s board of directors plays an important role in governance and significantly influences enterprise risk
management. This Framework uses the term "board of directors" or "board" to encompass the governing body,
including board, supervisory board, board of trustees, general partners, or owner.

Where the board is independent from management and generally comprises members who are experienced,
skilled, and highly talented, it can offer an appropriate degree of industry, business, and technical input while
performing its oversight responsibilities. This input includes scrutinizing management’s activities when
necessary, presenting alternative views, challenging organizational biases, and acting in the face of wrongdoing.
Most important, in fulfilling its role of providing risk oversight, the board challenges management without
stepping into the role of management.

Another critical influence on enterprise risk management is culture. Whether the entity is a small family-owned
private company, a large, complex multinational, a government agency, or a not-for-profit organization, its
culture reflects the entity’s core values: the beliefs, attitudes, desired behaviors, and importance of
understanding risk. Culture supports the achievement of the entity’s mission and vision. An entity with a culture
that is risk-aware stresses the importance of managing risk and encourages transparent and timely flow of risk

Internal Use Only


Exported on 23/02/2022 10:29 pm © All rights are reserved. Page 1091
information. It does this with no assignment of blame, but with an attitude of understanding, accountability, and
continual improvement.

Principle 1: Exercises Board Risk Oversight


The board of directors provides oversight of the strategy and carries out governance responsibilities to support
management in achieving strategy and business objectives.

Accountability and Responsibility


The board of directors has the primary responsibility for risk oversight in the entity, and in many countries it has
a fiduciary responsibility to the entity’s stakeholders, including conducting reviews of enterprise risk management
practices. Typically, the full board is responsible for risk oversight, leaving the day-to-day responsibilities of
managing risk to management. Some full boards retain ownership while others delegate board-level
responsibilities to a committee of the board, such as a risk committee. Regardless of the structure, it is common
to develop a statement that defines the board’s and management’s respective responsibilities.

Skills, Experience, and Business Knowledge


The board of directors is well positioned to offer expertise and provide oversight of enterprise risk management
through its collective skills, experience, and business knowledge. This includes, for instance, asking the
appropriate questions to challenge management when necessary about strategy, business objectives, and
performance targets. It also includes interacting with stakeholders and presenting alternative views and actions.

Risk oversight is possible only when the board understands the entity’s strategy and industry, and stays
informed on relevant issues. As the business context changes, so does risk to the strategy and business
objectives. Consequently, the required qualifications for board membership may change over time. Each board
must determine for itself, and review periodically, if it has the appropriate skills, expertise, and composition to
provide effective oversight. For example, entities exposed to cyber risk may need to have board members who
either have expertise in information technology or access to the required expertise through independent
advisors.

Example 6.1: Factors That Impede Board Independence

A board member’s independence may be impeded if he or she:

 Holds a substantial financial interest in the entity.

 Is currently or has recently been employed in an executive capacity by the organization.

 Has recently advised the board of directors in a material way.

 Has a material business relationship with the entity, such as being a supplier, customer, or outsourced
service provider.

 Has an existing contractual relationship with the organization.

 Has donated a significant financial amount to an entity.

 Has business or personal relationships with key stakeholders within an organization.

 Sits as a board member of other organizations that represent a potential conflict of interest.

 Has held the same board position for an extended period.

Independence
The board overall should be independent. Independence enhances directors’ ability to be objective and to
evaluate the performance and well-being of the entity without any conflict of interest or undue influence of
interested parties. The board demonstrates its independence through each board member displaying his or her
individual ability to be objective (see Example 6.1).

An independent board serves as a check and balance on management, ensuring that the entity is being run in
the best interests of its stakeholders rather than of a select number of board members or management.

While independence is often a larger focus within publicly traded companies, similar considerations apply to
private entities, government bodies, and not-for-profit entities.

Suitability of Enterprise Risk Management


It is important that the board understand the complexity of the entity and how integrating enterprise risk
management capabilities and practices will enhance value. The board engages in conversations with
management to determine whether enterprise risk management is suitably designed to enhance value.

For example, some organizations may derive value from gaining an understanding of the risks to the strategy. In
this case, management would focus enterprise risk management on practices to achieve the strategy and
business objectives—perhaps ways to reduce surprises and losses, or to reduce performance variability. Others
may gain value from aligning mission, vision, and core values with the implications of the chosen strategy for
the entity’s risk profile. In this case, management would focus more on strategy-setting and increasing the range
of opportunities in support of that strategy.

Organizational Bias
Bias in decision-making has always existed and always will. It is not unusual to find within an entity evidence of
dominant personalities, overreliance on numbers, disregard of contrary information, disproportionate weighting
of recent events, and a tendency for risk avoidance or risk taking. So the question is not whether bias exists, but
rather how bias affecting decisions relating to enterprise risk management can be managed. The board is
expected to understand the potential organizational biases that exist and challenge management to overcome
them.

Principle 2: Establishes Operating Structures


The organization establishes operating structures in the pursuit of strategy and business objectives.

An operating structure describes how the entity organizes and carries out its day-to-day operations. Through the
operating structure, personnel are responsible for developing and implementing practices to manage risk and
stay aligned with the core values of the entity. In this way, an operating structure contributes to managing risk to
the strategy and business objectives.

The operating structure is typically aligned with the legal structure and management structure. The legal
structure influences how an entity operates and the management structure sets out the reporting lines, roles,
and responsibilities for ongoing management and operation of the business.

Different legal structures may be more or less suitable depending on the size of the entity and any relevant
regulatory, taxation, or shareholder structures. A small entity is likely to operate as a single legal entity. Large
entities may consist of several distinct legal entities, in which case decisions may become segregated if risk
information is not aggregated across legal structures.

Under the management structure, reporting usually transcends the legal structures of the entity. For example, a
company that has three separate legal divisions reports as one consolidated company.

Operating Structure and Reporting Lines


The organization establishes an operating structure and designs reporting lines to carry out the strategy and
business objectives. It is important for the organization to clearly define responsibilities when designing reporting
lines. The organization may also enter into relationships with external third parties that can influence reporting
lines (e.g., strategic business alliances, outsourcing, or joint business ventures).

Different operating structures may result in different perspectives of a risk profile, which may affect enterprise
risk management practices. For example, assessing risk within a decentralized operating structure may indicate
few risks, while the view within a centralized model may indicate a concentration of risk—perhaps relating to
certain customer types, foreign exchange, or tax exposure.

Factors to consider when establishing and evaluating operating structures may include the:

 Entity’s strategy and business objectives.


Internal Use Only
Exported on 23/02/2022 10:29 pm © All rights are reserved. Page 1094
 Nature, size, and geographic distribution of the entity’s business.

 Risks related to the entity’s strategy and business objectives.

 The assignment of authority, accountability, and responsibility to all levels of the entity.

 Type of reporting lines (e.g., direct reporting/solid line versus secondary reporting) and communication
channels.

 Financial, tax, regulatory, and other reporting requirements.

The organization considers these and other factors when deciding what operating structure to adopt. For
example, the board of directors determines which management roles have at least a dotted line to the board to
allow for open communication of all important issues. Similarly, direct reporting and informational reporting lines
are defined at all levels of the entity.

Enterprise Risk Management Structures


Management plans, organizes, and carries out the entity’s strategy and business objectives in accordance with
the entity’s mission, vision, and core values. Consequently, management needs information on how risk
associated with the strategy occurs across the entity. One example of a commonly used method of gathering
such information is to delegate the responsibility to a committee.

Committee members are typically executives or senior leaders appointed or elected by management, and each
contributes individual skills, knowledge, and experience.

Entities with complex structures may have several committees, each with different but overlapping management
membership. This multi-committee structure is then aligned with the operating structure and reporting lines,
which allows management to make business decisions as needed, with a full understanding of the risks
embedded in those decisions.

Regardless of the particular management committee structure established, it is common to clearly state the
authority of the committee, the management members who are a part of the committee, the frequency of
meetings, and the specific responsibilities and operating principles. In some small entities, enterprise risk
management oversight may be less formal, with management being much more involved in day-to-day
decisions.

Authority and Responsibilities


In an entity that has a single board of directors, the board delegates to management the authority to design and
implement practices that support the achievement of strategy and business objectives. In turn, management
defines roles and responsibilities for the overall entity and its operating units. Management also defines roles,
responsibilities, and accountabilities of individuals, teams, divisions, and functions aligned to strategy and
business objectives.
In an entity with a dual-board structure, a supervisory board focuses on longer-term decisions and strategies
affecting the business. A management board is charged with overseeing day-to-day operations including the
oversight and delegation of authority among senior management. As with a single-board governance structure,
senior management defines roles and responsibilities for the overall entity and its operating units.

Key roles typically include the following:

 Individuals in a management role who have the authority and responsibility to make decisions and oversee
business practices to achieve strategy and business objectives. Within the management team, the chief
risk officer (fn 14) is often responsible for providing expertise and coordinating risk considerations.

 Other personnel who understand both the entity’s standards of conduct and business objectives in relation
to their area of responsibility and the related enterprise risk management practices at their respective
levels of the entity.

Management delegates responsibility and tasks to enable personnel to make decisions. Periodically,
management may revisit its structures by reducing or adding layers of management, delegating more or less
responsibility and tasks to lower levels, or partnering with other entities.

Clearly defining authority is important, as it empowers people to act as needed in a given role but also puts limits
on authority. Risk-based decisions are enhanced when management:

 Delegates responsibility only to the extent required to achieve the entity’s strategy and business objectives
(e.g., the review and approval of new products involves the business and support functions, separate from
the sales team).

 Specifies transactions requiring review and approval (e.g., management may have the authority to approve
acquisitions).

 Considers new and emerging risks as part of decision-making (e.g., a new business partner is not taken on
without exercising due diligence).

Enterprise Risk Management within the Evolving Entity


As an entity changes, the capabilities and value it seeks from enterprise risk management may also change.
Enterprise risk management should be tailored to the capabilities of the entity, considering both what the
organization is seeking to attain and the way it manages risk. It is natural for the operating structure to change
as the nature of the business and its strategy evolves. Management, therefore, regularly evaluates the operating
structure and associated reporting lines.

In today’s world of evolving information technology, new operating structures are emerging. It may be that
standard operating structures soon become "virtual" in nature, relying far less on physical locations and more on

Internal Use Only


Exported on 23/02/2022 10:29 pm © All rights are reserved. Page 1096
technological interconnections. This will require examining how risk will shift in response: At what point in
decision-making is risk considered? How does this affect the achievement of strategy and business objectives?
Management must be prepared to address these questions under a new operating structure and understand
how changes due to innovation will influence enterprise risk management practices.

Principle 3: Defines Desired Culture


The organization defines the desired behaviors that characterize the entity’s desired culture.

Culture and Desired Behaviors


An organization’s culture reflects its core values, behaviors, and decisions. Decisions are in turn a function of the
available information, judgment, capabilities, and experience. An entity’s culture influences how the organization
applies this Framework: how it identifies risk, what types of risk it accepts, and how it manages risk.

It is up to the board of directors and management to define the desired culture of the entity as a whole and of the
individuals within it. The core values drive the expected behaviors in day-to-day decision-making in order to
meet the expectations of stakeholders. Establishing a culture embraced by all personnel—where people do the
right thing at the right time—is critical to the organization being able to seize opportunities and manage risk to
achieve the strategy and business objectives.

Many factors shape entity culture. Internal factors include, among other things, the level of judgment and
autonomy provided to personnel, how entity employees interact with each other and their managers, the
standards and rules, the physical layout of the workplace, and the reward system in place. External factors
include regulatory requirements and expectations of customers, investors, and other elements.

All these factors influence where the entity positions itself on the culture spectrum, which ranges from risk
averse to risk aggressive (see Figure 6.1). The closer an entity is to the risk aggressive end of the spectrum, the
greater is its propensity for and acceptance of the differing types and greater amount of risk to achieve strategy
and business objectives (see Example 6.2).

Figure 6.1: Culture Spectrum

A well-defined culture does not imply a template approach to enterprise risk management. That is, managers of
some operating units may be prepared to take more risk, while others may be more conservative. For example,
an aggressive sales unit may focus its attention on making a sale without careful attention to regulatory
compliance outside the desired risk appetite, while the personnel in the contracting unit may focus on
maintaining full compliance well within the desired risk appetite. Working separately, these two units could
adversely affect the entity, but by having a shared understanding of acceptable risk decisions, they can respond
appropriately within the defined risk appetite to achieve the strategy and business objectives.

Applying Judgment
Judgment has a significant role in defining the desired culture and management of risk across the culture
spectrum. Judgment is often relied upon:

 When there is limited information or data available to support a decision.

 Where there are unprecedented changes in the strategy, business objectives, performance, or risk profile
of the organization.

 During times of disruption.

Example 6.2: Two Ends of the Culture Spectrum

A nuclear power plant will likely have a risk-averse culture in its day-to-day operations. Both management and
external stakeholders expect decisions regarding new technologies and systems to be made carefully and with
great attention to detail and safety in order to provide reasonable expectation of the plant’s reliability. It is not
desirable for nuclear power plants to invest heavily in innovative and unproven technologies critical to managing
the operations.

In contrast, a private equity manager is more likely a risk-aggressive entity. Management and external investors
will have high expectations of performance that require taking on potentially severe risks, while still falling within
the defined risk appetite of the entity.

Judgment is a function of personal experiences, risk appetite, capabilities, the level of information available,
and organizational bias. Management judgment is susceptible to bias, for example, whenever there is over- or
under-confidence in the organization’s abilities, or when anchoring assumptions and attributed correlations are
based on limited information. Behaviors within the entity may also lead to organizational bias that affects judgment. Group
dynamics in meetings, communication styles of management, and recognition and acknowledgment of
personnel may affect the ability of management to exercise good judgment.

The use of judgment influences the ability of an organization to navigate periods of crisis and resume normal
operations more efficiently. During periods of disruption, the ability for an organization to function in accordance
with existing policies or procedures may be hampered, requiring it to rely more on the judgment and behaviors of
management and the board. The actions taken by the organization to steer the entity out of a crisis depend on
the accountability, behaviors, and actions of personnel. Organizations with management teams who have

Internal Use Only


Exported on 23/02/2022 10:29 pm © All rights are reserved. Page 1098
extensive experience, established capabilities, and well-defined risk appetite will likely exercise judgment with
greater clarity. Stakeholders are in turn likely to have greater confidence that the organization will recover
successfully when the judgment demonstrated is in line with the core values of the entity.

Judgment also affects the extent to which innovation and the identification of opportunities are fostered within an
entity. When the entity is characterized by very prescriptive practices and limited delegations of authority,
innovation may be stifled. An organization that places a stronger emphasis on a risk-aware culture may rely more
on management’s judgment when making decisions that enhance value and in seeking new opportunities in
line with the risk appetite of the entity.

Effect of Culture
The culture of an organization affects how risk is identified, assessed, and responded to from the moment of
setting strategy through to execution and performance. Examples include:

 Scoping of strategy and business objective-setting: The culture of an organization may affect the types of
strategic alternatives being considered. For example, despite promising feasibility studies, a risk-averse
organization may choose not to expand mining and drilling operations into new geographies.

 Applying rigor to the risk identification and assessment processes: Depending where an organization sits
on the culture spectrum, the nature and types of risks and opportunities may differ. What are viewed as
potential risks by a risk-averse entity may be considered as opportunities worthy of pursuit by another. For
example, increasing demand for online ordering may be seen as a risk for a traditional retail manufacturer
but as an opportunity to increase sales by a retailer looking to grow sales and market share.

 Selecting risk responses and allocating finite resources: A risk-averse entity may allocate risk responses
or additional resources in order to gain higher confidence of the achievement of a specific business
objective. The costs and benefits associated with incremental risk responses may be interpreted less
favorably by more risk-aggressive entities. For example, purchasing additional insurance may be favored
by risk-averse entities, but may be viewed as an inefficient use of financial resources by another.

 Reviewing performance: Trends in the risk profile or business context may be addressed differently by
entities on different points of the culture spectrum. A risk-averse entity may make changes more quickly to
risk responses as variations in performance are identified. Entities that are more risk aggressive may wait
longer before making changes or may make smaller changes. For example, airlines may adjust flight
schedules more quickly in response to adverse changes in weather conditions than train or bus
companies, which may be able to continue operating without disruption for longer.

Aligning Core Values, Decision-Making, and Behaviors

The ability for an organization to successfully achieve its strategy and business objectives is impeded when the
behaviors and decisions of the organization do not align with its core values. Misalignment can result in a loss of
confidence from stakeholders, inconsistent approaches, and lower than targeted performance.

When core values are not adhered to, it is generally for one of the following reasons:

 Tone at the top does not effectively convey expectations.

 The board does not provide oversight of management’s adherence to standards.

 Middle management and functional managers are not aligned with the entity’s mission, vision, and
strategy.

 Risk is an afterthought to strategy-setting and business planning.

 Performance targets create incentives or pressures that instill behavior contrary to core values.

 There is no clear escalation policy on important risk and performance matters.

 The investigation and resolution of excessive risk-taking is inadequate.

 Management or other personnel deliberately act in a way that does not comply with core values.

In a risk-aware culture, personnel know what the entity stands for and the boundaries within which they can
operate. They can openly discuss and debate which risks should be taken to achieve the entity’s strategy and
business objectives, with the result being employee and management behaviors that are more consistently
aligned with the entity’s risk appetite.

Shifting Culture
Culture does not stay constant over time (see Example 6.3). Changes within the organization and external
influences may cause an entity’s culture to shift. New leadership may have a different attitude and philosophy
about enterprise risk management. Additionally, an acquisition could alter an entity’s mission and vision and
affect decision-making. Mergers and acquisitions can also result in changes to the culture. These changes will
affect how the organization looks at risk and influence how decisions are made.

Example 6.3: When Deviations to Standards of Conduct Occur

A technology start-up is developing a new algorithm that improves the accuracy of tracking changes in customer
behaviors and purchasing preferences. In its infancy, the start-up had a very aggressive risk culture as it worked
through the initial phases of establishing commercial operations and identifying potential business partners,
customers, and market opportunities. As the organization matured it entered into more formal partnerships with
larger clients. The start-up eventually decided to become publicly listed to access a larger group of investors. With
this change, the company shifted to the left on the culture spectrum, which mirrored the company’s risk appetite

Internal Use Only


Exported on 23/02/2022 10:29 pm © All rights are reserved. Page 1100
Example 6.3: When Deviations to Standards of Conduct Occur

and corresponding changes to the enterprise risk management practices and capabilities of the entity.

Principle 4: Demonstrates Commitment to Core Values


The organization demonstrates a commitment to the entity’s core values.

Reflecting Core Values throughout the Organization


Understanding the entity’s core values is fundamental to enterprise risk management. Core values are reflected
in actions and decisions applied across the entity. Without a strong and supportive understanding of, and
commitment to, those values communicated from the top of the organization, risk awareness can be undermined
and risk-inspired decisions may be inconsistent with those values. The manner in which values are
communicated across the organization is often referred to as the "tone" of the organization.

A consistent tone establishes a common understanding of the core values, business drivers, and desired
behavior of personnel and business partners. Consistency helps pull the organization together in the pursuit of
the entity’s strategy and business objectives. But it is not always easy to maintain a consistent tone. For
instance, different markets may call for different approaches to motivation, evaluation, and customer service.
From time to time, these factors may put pressure on different levels of the entity, resulting in a change in tone.
(In larger entities, this view of tone is sometimes referred to as "tone in the middle.") However, the more the tone
can remain consistent throughout the entity, the more consistent the performance of enterprise risk management
responsibilities in the pursuit of the entity’s strategy and business objectives will be.

Aligning the culture and tone of the organization gives confidence to stakeholders that the entity is adhering to its
core values and the pursuit of its mission and vision. For example, in an entity where "safety first" is a core
value, management demonstrates its commitment by actively encouraging everyone at every level to identify
and escalate safety practices regardless of their role in the organization. External stakeholders such as safety
inspectors who observe the content and tone of training materials, internal communications, and reporting will
consequently have the confidence that the organization is embracing its culture and core values.

Embracing a Risk-Aware Culture


Management defines the characteristics needed to achieve the desired culture over time, with the board
providing oversight and focus. An organization can then embrace a risk-aware culture by:

• Maintaining strong leadership: The board and management place importance on creating the right risk
awareness and tone throughout the entity. Culture and, therefore, risk awareness cannot be changed from
second-line team or department functions alone; the organization’s leadership must be the real driver of
change.

• Employing a participative management style: Management encourages personnel to participate in
decision-making and to discuss risks to the strategy and business objectives.

• Enforcing accountability for all actions: Management documents policies of accountability and adheres to
them, demonstrating to personnel that lack of accountability is not tolerated and that practicing
accountability is appropriately rewarded.

• Aligning risk-aware behaviors and decision-making with performance: Remuneration and incentive
programs are aligned to the core values of the organization including expected behaviors, adherence to
codes of conduct, and promoting accountability for risk-aware decision-making and judgment.

• Embedding risk in decision-making: Management addresses risk consistently when making key business
decisions, which includes discussing and reviewing risk scenarios that can help everyone understand the
interrelationship and impacts of risks before finalizing decisions.

• Having open and honest discussions about risks facing the entity: Management does not view risk as
being negative, and understands that managing risk is critical to achieving the strategy and business
objectives.

• Encouraging risk awareness across the entity: Management continually sends messages to personnel that
managing risk is a part of their daily responsibilities, and that it is not only valued but also critical to the
entity’s success and survival.

Aligning individual behavior with culture is critical. The most powerful influence comes from management who
creates and sustains the organizational agenda. Explicitly, the organization develops policies, rules, and
standards of conduct. Implicitly, the organization should lead by example to reflect its core values and standards
of conduct. The key is management enforcing what it says is of value, recognizing that it is the implicit and subtle
processes that most effectively establish culture in line with its core values.

Enforcing Accountability
The board of directors ultimately holds the chief executive officer (fn 15) accountable for managing the risk faced
by the entity by establishing enterprise risk management practices and capabilities to support the achievement
of the entity’s strategy and business objectives. The chief executive officer and other members of management,
together, are responsible for all aspects of accountability—from initial design to periodic assessment of the
culture and enterprise risk management capabilities. Accountability for enterprise risk management is
demonstrated in each structure used by the entity.

Management provides guidance to personnel so they understand the risks. Management also demonstrates
leadership by communicating the expectations of conduct for all aspects of enterprise risk management. Such
leadership from the top helps to establish and enforce accountability and a common purpose.

Accountability is evident in the following ways:

• Management and the board of directors clearly communicating the expectations (e.g., developing and
enforcing standards of conduct).

• Management ensuring that information on risk flows throughout the entity (e.g., communicating how
decisions are made and how risk is considered as part of decisions).

• Employees committing to collective business objectives (e.g., aligning individual targets and performance
with the entity’s business objectives).

• Management responding to deviations from standards and behaviors (e.g., terminating personnel or taking
other corrective actions for failing to adhere to organizational standards; initiating performance
evaluations).

Holding Itself Accountable


In some governance structures, performance targets cascade from the board of directors to the chief executive
officer, management, and other personnel, and performance is evaluated at each of these levels. The board of
directors evaluates the performance of the chief executive officer, who in turn evaluates the management team,
and so on. At each level, adherence to the core values and desired culture behaviors is evaluated, and rewards
are allocated or disciplinary action is applied as appropriate. The board may also conduct a self-evaluation to
assess its own strengths and identify opportunities to improve enterprise risk management.

In other governance structures, such as a dual-board structure, the supervisory board evaluates the
performance of the management board as a whole and of its individual members; the executive board evaluates
the senior management team that reports directly to the executive board.

Keeping Communication Open and Free from Retribution


It is management’s responsibility to cultivate open communication and transparency about risk and the
risk-taking expectations. Management demonstrates that risk is not a discussion to be left for the boardroom. It does
that by sending clear and consistent messages to employees that managing risk is a part of everyone’s daily
responsibilities, and that it is not only valued but also critical to the entity’s success and survival. Open
communication and risk transparency enable management and personnel to work together continually to share
risk information throughout the entity.

Information is shared and escalated to the relevant level within the entity. Transparency of information may
relate to:

• Changes in the understanding of assumptions underpinning the selection of a strategy or business
objectives.

• Ongoing adequacy of a risk response.

• Incidents, failures, errors, or unexpected losses.

• Variations in performance, including overperformance and variations facilitated by third parties.

• Changes in the risk profile or portfolio view of risk of the entity.

• Deviations in expected behaviors compared to the core values of the organization.

In addition, management provides the board of directors with an appropriate level of risk information to gauge
whether current enterprise risk management practices are appropriate. The board of directors can provide risk
oversight only if it is given timely and complete information, and when the lines of communication are open to
discuss issues with management.

The entity that demonstrates open communication and transparency provides a variety of channels for both
management and personnel to report concerns about potentially inappropriate or excessive risk taking, business
conduct, or behavior without fear of retaliation or intimidation. The entity also prohibits any form of retaliation
against any individual who participates in good faith in any investigation of behavior that is not in line with the
standards of conduct and risk appetite. Personnel who engage in inappropriate or unlawful retaliation or
intimidation are subject to disciplinary action.

Responding to Deviations in Core Values and Behaviors


If establishing a culture in which management and personnel act according to desired behaviors is fundamental
to enterprise risk management, then why do things sometimes go wrong? Even in those entities that solidly
demonstrate a commitment to their core values, operational failures, scandals, and crises do sometimes occur—
damaging reputations and ultimately leaving an organization unable to achieve its strategy and business
objectives.

Wrongdoing occurs for three reasons: people make mistakes (out of confusion or ignorance), people have a
moment of weakness of will, or people choose to do harm. Knowing that any one of these three things can take
place, an organization must align core values and behaviors to help people avoid mistakes and to identify
potential wrongdoers, whether individuals or groups. This requires appropriately assessing and prioritizing
risks and developing detailed risk responses.

The organization sends a clear message of what is acceptable and unacceptable behavior whenever deviations
become known. Deviations from standards of conduct must be addressed in a timely and consistent manner
(see Example 6.4).

Example 6.4: When Deviations to Core Values Occur

For a global pharmaceutical company, research and development (R&D) is often one of the biggest costs, as
products may take ten to twenty years to develop and bring to market and require significant financial investment.
During the research phase, it is common for many side effects of a product to be identified. But if R&D did not
disclose all potential side effects to management, thereby impeding management from making an informed
decision on moving from drug trials to production, and the drug is launched, there could be severe effects to the
entity if patients who use the drug experience adverse side effects. Moreover, R&D’s failure to disclose would
likely be a clear violation of the desired conduct of the company.

The response to a deviation will depend on its magnitude, which is determined by management considering any
relevant laws and standards of conduct. The response may range from an employee being issued a warning to
being put on probation to even being terminated. In all cases, the expectations of risk-aware behavior, judgment,
and decision-making must remain consistent. Consistency ensures that the entity’s culture is not undermined.

Principle 5: Attracts, Develops, and Retains Capable Individuals
The organization is committed to building human capital in alignment with the strategy and business objectives.

Establishing and Evaluating Competence


Management, with board oversight, defines the human capital needed to carry out strategy and business
objectives. Understanding the needed competencies helps in establishing how various business processes
should be carried out and what skills should be applied. This begins with the board of directors relative to the
chief executive officer, and the chief executive officer relative to the management and personnel of each of the
divisions, operating units, and functions in the entity. That is, the board of directors evaluates the competence of
the chief executive officer and, in turn, management evaluates competence across the entity and addresses any
shortcomings or excesses as necessary.

The human resources function helps promote competence by assisting management in developing job
descriptions and roles and responsibilities, facilitating training, and evaluating individual performance for
managing risk. Management considers the following factors when developing competence requirements:

• Knowledge, skills, and experience with enterprise risk management.

• Nature and degree of judgment and limitations of authority to be applied to a specific position.

• The costs and benefits of different skill levels and experience.

Attracting, Developing, and Retaining Individuals


The ongoing commitment to competence is supported by and embedded in the human resource management
processes. Management at different levels establishes the structure and process to:

• Attract: Seek out the necessary number of candidates who fit the entity’s desired risk-aware culture,
desired behaviors, operating style, and organizational needs, and who have the competence for the
proposed roles.

• Train: Enable individuals to develop and maintain enterprise risk management competencies appropriate
for assigned roles and responsibilities, reinforce standards of conduct and desired levels of competence,
tailor training to specific needs, and consider a mix of delivery techniques, including classroom instruction,
self-study, and on-the-job training.

• Mentor: Provide guidance on the individual’s performance regarding standards of conduct and
competence, align the individual’s skills and expertise with the entity’s strategy and business objectives,
and help the individual to adapt to an evolving business context.

• Evaluate: Measure the performance of individuals in relation to achieving business objectives and
demonstrating enterprise risk management competence against agreed-upon standards.

• Retain: Provide incentives to motivate an individual and reinforce the desired level of performance and
conduct. This includes offering training and credentialing as appropriate.

Throughout this process, any behavior not consistent with standards of conduct, policies, performance
expectations, and enterprise risk management responsibilities is identified, assessed, and corrected in a timely
manner.

In addition, organizations must continually identify and evaluate those roles that are essential to achieving
strategy and business objectives. The decision of whether a role is essential is made by assessing the
consequences of having that role temporarily or permanently unfilled. The question needs to be asked: How will
strategy and business objectives be achieved if the position of, for example, the chief executive officer is left
unfilled?

Rewarding Performance
Performance is greatly influenced by the extent to which individuals are held accountable and how they are
rewarded. It is up to management and the board of directors to establish incentives and other rewards
appropriate for all levels of the entity, considering the achievement of both short-term and longer-term business
objectives. Establishing such incentives and rewards requires appropriately assessing and prioritizing risks and
developing detailed risk responses. Conversely, under a program of incentives, those individuals who do not
adhere to the entity’s standards of conduct are sanctioned and not promoted or otherwise rewarded.

Salary increases and bonuses are common incentives, but non-monetary rewards such as being given greater
responsibility, visibility, and recognition are also effective. Management consistently applies and regularly
reviews the entity’s measurement and reward structures in conjunction with its desired behavior. In doing so, the
performance of individuals and teams are reviewed in relation to defined measures, which include business
performance factors as well as demonstrated competence (see Example 6.5).

Example 6.5: Performance, Incentives, and Rewards

A family-owned furniture manufacturer is trying to win customer loyalty with its high-quality furniture. It engages its
workforce to reduce production defect rates, and it aligns its performance measures, incentives, and rewards with
both the operating units’ production goals and the expectation to comply with all safety and quality standards,
workplace safety laws, customer loyalty programs, and accurate product recall reporting. Once business objectives
were aligned with incentives and rewards, the company noted a greater sense of accountability among staff and
more willingness to work together to address challenges, and ultimately there was a measurable decline in
product defects.

Addressing Pressure
Pressure in an organization comes from many sources. The targets that management establishes for achieving
strategy and business objectives by their nature create pressure. Pressure also may occur during the regular
cycles of specific tasks (e.g., negotiating a sales contract), and it may sometimes be self-imposed. Unexpected
change in business context, such as a sudden dip in the economy, can also add pressure.

Pressure can either motivate individuals to meet expectations or cause them to fear the consequences of not
achieving strategy and business objectives. In the latter case, individuals may circumvent processes or engage
in fraudulent activity. Organizations can positively influence pressure by rebalancing workloads or increasing
resource levels, as appropriate, and by continuing to communicate the importance of ethical behavior.

Excessive pressure is most commonly associated with:

• Unrealistic performance targets, particularly for short-term results.

• Conflicting business objectives of different stakeholders.

• Imbalance between rewards for short-term financial performance and rewards for the long-term goals that
stakeholders focus on, such as corporate sustainability targets (see Example 6.6).

Example 6.6: The Price of Pressure

Possible negative reaction to pressure should be accounted for when considering compensation and incentives.
For example, investment managers take risks on behalf of their clients, and the performance of those investment
portfolios may significantly affect the entity’s remuneration. A fee based on fund performance may result in very
different behavior compared with a fee based on fund value. Aligning an individual’s compensation can help
reinforce the desired culture. Conversely, incentive structures that fail to adequately consider the risks associated
with creating pressure can create inappropriate behavior.

Pressure is also created by change: change in strategy, in operating structure, in acquisition or divestiture
activity, and in the business context, which is often external to the organization, such as market competitor
actions. Management and the board must be prepared to set and adjust, as appropriate, the pressure when
assigning responsibilities, designing performance measures, and evaluating performance. It is management’s
responsibility to guide those to whom they have delegated authority to make appropriate decisions in the course
of doing business.

Preparing for Succession


To prepare for succession, the board of directors and management must develop contingency plans for
assigning responsibilities important to enterprise risk management. In particular, succession plans for key
executives need to be defined, and succession candidates should be trained, coached, and mentored for
assuming the role. Typically, larger entities identify more than one person who could fill a critical role.

Footnotes

fn 14 The chief risk officer is the individual who is delegated authority for enterprise risk management; other
names for this role may be "head of enterprise risk management," "head of risk," "director of enterprise
risk management," or "director of risk."

fn 15 The Framework refers to "chief executive officer." Other terms describing this senior leadership position
that may be used include "chief executive," "president," "managing director," or "deputy."

7. Strategy and Objective-Setting

Principles Relating to Strategy and Objective-Setting

Introduction
Every entity has a strategy for bringing its mission and vision to fruition, and to drive value. It can be a challenge
to assess whether the strategy will align with mission, vision, and core values, but it is a challenge that must be
taken on. By integrating enterprise risk management with strategy-setting, an organization gains insight into the
risk profile associated with strategy and the business objectives. Doing so guides the organization and helps to
sharpen the strategy and the tasks necessary to carry it out.

Principle 6: Analyzes Business Context


The organization considers potential effects of business context on risk profile.

Understanding Business Context


An organization considers business context when developing strategy to support its mission, vision, and core
values. "Business context" refers to the trends, relationships, and other factors that influence an organization’s
current and future strategy and business objectives. Business context may be:

• Dynamic, where new risks can emerge at any time disrupting the status quo (e.g., a new competitor
causes product sales to decrease or even makes the product obsolete).

• Complex, with many interconnections and interdependencies (e.g., an entity has many operating units
around the world, each with its own unique political regimes, regulatory policies, and taxation laws).

• Unpredictable, where change happens quickly and in unanticipated ways (e.g., currency fluctuations and
political forces).

Considering External Environment and Stakeholders
The external environment is part of the business context. It is anything, including external stakeholders, outside
the entity that can influence the entity’s ability to achieve its strategy and business objectives.

An example of an external stakeholder is a regulatory body that grants an entity a license to operate, but also
has the authority to fine the entity or force it to shut down temporarily or permanently. Another example is an
investor who provides the entity with capital but who can decide to take that investment elsewhere if it does not
agree with the entity’s strategic direction or its level of performance. An organization that identifies its external
environment and stakeholders and the extent of their influence on the business may be in a better position to
anticipate and adapt to change.

External stakeholders are not directly engaged in the entity’s operations, but they:

• Are affected by the entity (customers, suppliers, competitors, etc.).

• Directly influence the entity’s business environment (government, regulators, etc.).

• Influence the entity’s reputation, brand, and trust (communities, interest groups, etc.).

The external environment comprises several factors that can be categorized by the acronym PESTLE: political,
economic, social, technological, legal, and environmental (see Figure 7.1). Example 7.1 provides a scenario to
illustrate this concept.

Example 7.1: External Environment Influences

Two competing global technology companies are both seeking to increase revenues. The first company is
considering launching an established product in developing countries, while the other company is developing a
new product that would expand its existing consumer base. As each company evaluates alternative strategies,
they consider different external environment categories. The first company is influenced by political, legal, and
economic factors as it navigates country-specific laws, government regulations, and supply chain considerations.
In contrast, the second company focuses on social and technological factors as it seeks to understand changing
customer needs. Even though both companies are in the same industry, they have different external environments
that influence their specific risk profiles and their chosen strategy.

Figure 7.1: External Environment Categories and Characteristics (fn 16)

Considering Internal Environment (fn 17) and Stakeholders
An entity’s internal environment is anything inside the entity that can affect its ability to achieve its strategy and
business objectives (Figure 7.2). Internal stakeholders are those people working within the entity who directly
influence the organization (board directors, management, and other personnel). As entities vary greatly in size
and structure, internal stakeholders may affect the organization differently as a whole than at the level of
division, operating unit, or function.

Figure 7.2: Internal Environment Categories and Characteristics

How Business Context Affects Risk Profile
The effect that business context has on an entity’s risk profile may be viewed in three stages: past, present, and
future performance. Looking back at past performance can provide an organization with valuable information to
use in shaping its risk profiles. Looking at current performance can show how current trends, relationships, and
other factors are affecting the risk profile. And by thinking what these factors will look like in the future, the
organization can consider how its risk profile might evolve in relation to where it is heading or wants to head.
Example 7.2 illustrates how an organization can consider business context within the components of enterprise
risk management.

Example 7.2: Considering Business Context in Each of the Framework Components

The management of a retail company integrates understanding of business context with other enterprise risk
management practices as follows:

• Governance and Culture: The organization develops an understanding of governance and associated
regulatory trends. The board incorporates this understanding of emerging expectations into its oversight of
enterprise risk management practices.

• Strategy and Objective-Setting: Management conducts a detailed analysis of social trends, retail trends,
and consumer confidence levels driving behavior of its core customer base and incorporates findings into its
strategic-setting cycle for long-term value and success.

• Performance: Management incorporates its understanding of environmental trends and how they may affect
the assessment of risks relating to the objective of reducing packing by 50% in line with its core values.

• Review and Revision: Management considers how changes in workforce practices, namely the emergence
of the mobile workforce, may also affect the entity’s culture and enterprise risk management practices,
including opportunities to enhance current practices.

• Information, Communication, and Reporting: Management considers that legislation concerning
information privacy may affect the way the entity captures, communicates, and reports on risk information.

Principle 7: Defines Risk Appetite
The organization defines risk appetite in the context of creating, preserving, and realizing value.

Applying Risk Appetite


Decisions made in selecting strategy and developing risk appetite are not linear, with one decision always
preceding the other. Nor is there a universal risk appetite that applies to all entities.

Many organizations develop strategy and risk appetite in parallel, refining each throughout strategy-setting.
Some boards will provide input and may challenge management on its choice of risk appetite, while others will
be expected to concur with management and approve the risk appetite set. Regardless of how the decisions are
made, the organization would have a preliminary understanding of its risk appetite based on the established
mission and vision and prior strategies. These are important inputs into any risk appetite, which is refined
whenever an organization reviews alternative strategies and selects a desired strategy.

Some entities consider risk appetite in qualitative terms while others prefer to use quantitative terms, often
focusing on balancing growth, return, and risk. Whatever the approach for describing risk appetite, it should
reflect the entity’s culture. Moreover, if the organization wants to change some aspect of the culture, defining a
strong risk appetite can help create and reinforce that desired culture.

The best approach for an entity is one that aligns with the analysis used to assess risk in general, whether that is
qualitative or quantitative. Developing the risk appetite statements is an exercise in seeking the optimal balance
between risk and opportunity.

Taken together, these considerations help frame the entity’s risk appetite and provide greater precision than a
single, higher-level statement. Figure 7.3 depicts the risk profile as a solid area (in blue), filling the space across
the performance axis from the individual risk profile bars (from the earlier illustration of Figure 3.2). A line
showing risk appetite has also been added.

On any depiction of risk profile, organizations may also plot risk capacity (as in Figure 7.3), which is the
maximum amount of risk an entity is able to absorb in the pursuit of strategy and business objectives. Risk
capacity must be considered when setting risk appetite, as generally an organization strives to hold risk appetite
within its capacity. It is not typical for an organization to set risk appetite above its risk capacity, but in rare
situations an organization may choose to do so. This could happen, for instance, in the case of an organization
accepting the threat of insolvency, understanding that success can create considerable value. Where the
organization is managing risks above its risk appetite, management will typically be expected to either amend its
practices to operate within its risk appetite or formally accept this level of risk taking. Some organizations will
also seek board approval in such instances. (Additional discussion on risk profiles is presented in Appendix D in
Volume II.)

Figure 7.3 Risk Profile Showing Risk Appetite and Risk Capacity

Determining Risk Appetite


There is no standard or "right" risk appetite that applies to all entities. Management and the board of directors
choose a risk appetite with an informed understanding of the trade-offs involved. Risk appetite may encompass
a single depiction or several depictions that align and collectively specify the acceptable types and amount of
risk.

A variety of approaches are available to determine risk appetite, including facilitating discussions, reviewing past
and current performance targets, and modeling. In determining risk appetite, organizations may consider
stakeholders as noted in the discussion on business context. It is up to management to communicate the
agreed-upon risk appetite at various levels of detail throughout the entity. With the support of the board,
management also revisits and reinforces risk appetite over time in light of new and emerging considerations.

For some entities, using general terms such as "low appetite" or "high appetite" is sufficient. Others may view
such statements as too vague to effectively communicate and implement, and therefore they may look for more
quantitative measures. Often, as organizations become more experienced in enterprise risk management, their
description of risk appetite becomes more precise. In some instances, organizations may develop quantitative
measures that link to the risk appetite statement. Typically these measures would align with the strategy and
related business objective targets. For instance, an entity that focuses its enterprise risk management practices
on reducing performance variability may express risk appetite using financial results or the beta of its stock.

Risk appetite should be positioned and perceived as a dynamic approach for shaping the entity’s risk profile
rather than as an additional constraint on performance. For that reason, some entities will develop a series of
cascading expressions of risk appetite referencing "targets," "ranges," "ceilings," or "floors" (see Example 7.3).
Others will use specific quantitative terms as a way of increasing precision.

Example 7.3: Risk Appetite Expressions

Target: A credit union with a lower risk appetite for loan losses cascades this message into the business by setting
a loan loss target of 0.50% of the overall loan portfolio.

Range: A medical supply company operates within a low overall risk range. Its lowest risk appetite relates to
safety and compliance objectives, including employee health and safety, with a marginally higher risk appetite for
its strategic, reporting, and operations objectives. This means reducing to a reasonably practicable amount the
risks originating from various medical systems, products, equipment, and the work environment, and meeting legal
obligations that take priority over other business objectives.

Ceiling: A university accepts a moderate risk appetite as it seeks to expand the scope of its offerings where
financially prudent and will explore opportunities to attract new students. The university will favor new programs
where it has or can readily attain the capabilities to deliver them. However, the university will not accept programs
that present severe risk to the university mission and vision, forming a ceiling on acceptable decisions.

Floor: A technology company has aggressive goals for growth in its sector and recognizes that such growth
requires significant capital investment. While it does not accept investing capital unwisely, management is of the
view that, as a minimum, 25% (i.e., the floor) of the operating budget should be allocated to the pursuit of
technology innovation.

An organization may consider any number of parameters to help frame its risk appetite and provide greater
precision. For example, the organization may consider:

 Strategic parameters, such as new products to pursue or avoid, the investment for capital expenditures,
and merger and acquisition activity.

 Financial parameters, such as the maximum acceptable variation in financial performance, return on
assets or risk-adjusted return on capital, target debt rating, and target debt/equity ratio.

 Operating parameters, such as environmental requirements, safety targets, quality targets, and customer
concentrations.

Management may also consider the entity’s risk profile, risk capacity, enterprise risk management capability and
maturity, among other things, when determining risk appetite.
 Risk profile provides information on the entity’s current amount of risk and how risk is distributed across the
entity, as well as on the different categories of risk for the entity. New organizations will not have an
existing risk profile to draw from, but they may be able to get valuable information from their industry and
competitors.

 Risk capacity is the maximum amount of risk the entity can absorb in pursuit of strategy and business
objectives. If risk appetite is very high, but its risk capacity is not large enough to withstand the potential
impact of the related risks, the entity could fail. On the other hand, if the entity’s risk capacity significantly
exceeds its risk appetite, the organization may lose opportunities to add value for its stakeholders.

 Enterprise risk management capability and maturity provide information on how well enterprise risk
management is functioning. A mature organization is often able to define enterprise risk management
capabilities that provide better insight into its existing risk appetite and factors influencing risk capacity. A
less mature organization with undefined enterprise risk management capabilities may not have the same
understanding, which can result in a broader risk appetite statement or one that will need to be redefined
sooner. Enterprise risk management capability and maturity also influence how the organization adheres to
and operates within its risk appetite.

Articulating Risk Appetite


Some organizations articulate risk appetite as a single point; others as a continuum (see Example 7.4). An
organization may articulate detailed risk appetite statements in the context of:

 Strategy and business objectives that align with the mission, vision, and core values.

 Business objectivefn 18 categories.

 Performance targets of the entity.

Some organizations will develop and articulate risk appetite using other approaches, such as risk categories.
These approaches are sometimes easier to manage and assess. However, they can also result in organizations
managing risk in silos rather than taking an integrated view of enterprise risk management.

Risk appetite is communicated by management, endorsed by the board, and disseminated throughout the entity.
Disseminating risk appetite is important, as the goal is for all decision-makers to understand the risk appetite
they must operate within, especially those who perform tasks to achieve business objectives (e.g., local sales
forces, country managers).

Most organizations will choose to communicate risk appetite broadly across the entity. Some may choose to
focus on senior roles that have direct responsibility for managing performance. This may occur, for instance,
where there is sensitivity to competitor activity, access to private or confidential information, or potential for risk
appetite to impede compliance with obligations. In some instances, organizations may also choose to
communicate risk appetite to external stakeholders, either in its entirety or in an abbreviated form.

Example 7.4: Risk Appetite Expression

A university has set its strategy focusing on its role as a preeminent teaching and research university that attracts
outstanding students and as a desired place of work for top faculty. The university’s risk appetite statements
acknowledge that risk is present in every activity. The critical question in establishing the risk appetite is how
willing the university is to accept risk related to each area. To answer that question, management uses a
continuum to express risk appetite for the university’s major business objectives (teaching, research, service,
student safety, and operational efficiency). They place various risks along the continuum as a basis for discussion
at the highest levels.

Example 7.5 illustrates how one organization cascades risk appetite through statements aligned with high-level
business objectives that, in turn, align with the overall entity strategy.

Example 7.5: Cascading Risk Appetite


Using Risk Appetite


Risk appetite guides how an organization allocates resources, both through the entire entity and in individual
operating units. The goal is to align resource allocation with the entity’s mission, vision, and core values.
Therefore, when management allocates resources across operating units, it considers the entity’s risk appetite
and individual operating units’ plans for creating value. For instance, management may choose to allocate a
greater portion of resources to those business objectives with a lower risk appetite versus those business
objectives with a higher risk appetite. The organization seeks to align people, processes, and infrastructure to
successfully implement strategy and business objectives while remaining within its risk appetite.

Risk appetite is incorporated into decisions on how the organization operates. Management, with board
oversight, continually monitors risk appetite at all levels and accommodates change when needed. In this way,
management creates a culture that emphasizes the importance of risk appetite and holds those responsible for
implementing enterprise risk management within the risk appetite parameters.

But risk appetite is only part of the approach. To fully embed risk appetite into decision-making at various levels,
it does need to cascade through and align with other practices. Figure 7.4 depicts this important relationship and
the application of risk appetite, tolerance,fn 19 and indicators and triggersfn 20 as they cascade within an entity.

Figure 7.4 Risk Appetite, Tolerance, and Limits and Triggers

Principle 8: Evaluates Alternative Strategies

The organization evaluates alternative strategies and potential impact on risk profile.

An organization must evaluate alternative strategies as part of strategy-setting and assess the risk and
opportunities of each option. Alternative strategies are assessed in the context of the organization’s resources
and capabilities to create, preserve, and realize value. A part of enterprise risk management includes evaluating
strategies from two different perspectives: (1) the possibility that the strategy does not align with the mission,
vision, and core values of the entity, and (2) the implications from the chosen strategy.

The Importance of Aligning Strategy


Strategy must support mission and vision and align with the entity’s core values and risk appetite. If it does not,
the entity may not achieve its mission and vision.

Further, a misaligned strategy increases risk to stakeholders because the value of the organization and its
reputation may be affected. For example, consider a telecommunications company that is considering a strategy
of limiting the areas in which its products and services are available in order to improve its financial performance.
But this strategy is at odds with its mission of being a provider of critical services and a leading corporate citizen
in the local community. While the anticipated improvement in financial results is intended to appeal to
shareholders and investors, it may be undermined by an adverse effect to its reputation with community groups
and regulators that insist that services be maintained.

Understanding the Implications from Chosen Strategy

When evaluating alternative strategies, the organization seeks to identify and understand the potential risks and
opportunities of each strategy being considered. The identified risks collectively form a risk profile for each
option; that is, different strategies yield different risk profiles. Management and the board use these risk profiles
when deciding on the best strategy to adopt, given the entity’s risk appetite. In some instances, this evaluation
may need to consider multiple strategies to understand the potential dependency of one strategy on another.

Another consideration when evaluating alternative strategies is the supporting assumptions relating to business
context, resources, and capabilities. These assumptions are an important part of the strategy. They may relate
to any of the internal and external considerations that form part of the entity’s business context. Where
assumptions are unproven, there is often a higher risk of disruption than there would be if the organization had
greater certainty that there would not be disruptive events associated with a strategy. The level of confidence of
management and the board associated with each assumption will affect the risk profile of each of the strategies.

Further, a strategy typically has a higher risk profile when a significant number of assumptions are made or
where the assumptions are largely unproven.

Once a risk profile has been determined for the chosen strategy, management is better able to consider the
types and amount of risk it will face in carrying out that strategy. Specifically, knowing the risk profile allows
management to determine what resources will be required and allocated to support carrying out the strategy
while remaining within the risk appetite. Resource requirements include infrastructure, technical expertise, and
working capital.

The amount of effort expended and the level of precision required to evaluate alternative strategies will vary by
the significance and complexity of the decision, the resources and capabilities available, and the number of
strategies being evaluated. The more significant or complex the decision, the more detailed the evaluation will
be, perhaps using several approaches.

Popular approaches to evaluating alternative strategies are SWOT analysis,fn 21 modeling, valuation, revenue
forecast, competitor analysis, and scenario analysis. The evaluation is typically performed by management who
have an entity-wide view of risk and understand how strategy affects performance. That is, management
understands at the entity level how a chosen strategy will support performance across different divisions,
functions, and geographies.

When developing alternative strategies, management makes certain assumptions. These underlying
assumptions can be sensitive to change, and that propensity to change can greatly affect the risk profile. Once a
strategy has been chosen, and by understanding the propensity of assumptions to change, the organization is
able to develop requisite oversight mechanisms relating to changing assumptions.

Example 7.6 illustrates one organization’s approach for evaluating the possibility of alternative strategies not
aligning with mission and vision and implications from the alternative strategies on the entity’s risk profile. This
example also illustrates the need to understand competing priorities between customers, employees, and
shareholders.

Aligning Strategy with Risk Appetite


An organization should expect that the strategy it selects can be carried out within the entity’s risk appetite; that
is, strategy must align with risk appetite. If the risk associated with a specific strategy is inconsistent with the
entity’s risk appetite or risk capacity, it needs to be revised, an alternative strategy selected, or the risk appetite
revisited.

For instance, a sports equipment manufacturer had this strategy: "To grow business by expanding global
manufacturing locations." However, when it became clear that some global locations presented risk that
exceeded the manufacturer’s risk appetite, the strategy was updated: "To grow business by expanding to global
locations within established infrastructure requirements and governmental regulations."

The development of risk appetite should align with the development of strategy and business plans; otherwise
goals and priorities may appear to conflict, or even create tensions over the types and amounts of risk
reflected in decision-making.

Example 7.6: Considering Alternative Strategies

A global logistics service provider would like to expand operations to meet global demand, and to do so it needs
a new distribution hub. During the strategy-setting process, several alternatives are assessed.

Mission: To provide the highest-quality transportation services to customers with safety being the foremost
consideration for operations while maintaining strong financial returns for shareholders.

Vision: Enhance our brand to be the go-to transportation provider for the globe.

 Alternative 1 is opening a distribution hub offshore in a developing country. This is the least expensive of the
locations being considered both in cost to build and labor to run, but would increase delivery time by an
average of 30%. Locating in this developing country also introduces geopolitical and economic risks.

 Alternative 2 is opening a distribution hub located onshore in a midsized city. This location is a bit more
expensive to build than alternative 1, but the labor supply is strong. However, winters are severe in the area,
which heightens the risk that weather-related events will disrupt transportation.

 Alternative 3 is an onshore location in a larger city. This location is the most expensive to build in and has
the most competitive labor market, which may result in increased operating costs. However, the climate is
temperate all year round.

The possibility of the strategy not aligning with the mission and vision, and the implications from the strategy on
the risk profile, are summarized below.


Making Changes to Strategy


Typically, organizations hold periodic strategy-setting sessions to outline both short-term and long-term
strategies. A change in strategy is warranted if the organization determines that the current strategy fails to
create, realize, or preserve value; or a change in business context causes the entity to get too near the boundary
of risk it is willing to accept, or requires resources and capabilities that are not available to the organization.
Finally, developments in business context may result in the organization no longer having a reasonable
expectation that it can achieve the strategy (see Example 7.7).

Example 7.7: Making Changes to Strategy

A global camera manufacturer used to sell film cameras, but as digital cameras became more popular, the
company started to experience lower sales. In response, it has modified its strategy by adapting to a changing
consumer need and new technology. It now develops digital cameras and mitigates the risk that its products may
become obsolete. These changes to strategy are supported by changes to relevant business objectives and
performance targets.

Mitigating Bias
Bias always exists, but an organization should try to be unbiased—or to mitigate any bias—when it is evaluating
alternative strategies. The first step is to identify any bias that may exist during strategy-setting. Where such bias
exists, the organization should take steps to mitigate that bias. Bias may prevent an organization from selecting
the strategy that best supports the entity’s mission, vision, and core values and reflects the entity’s risk appetite.

Principle 9: Formulates Business Objectives
The organization considers risk while establishing the business objectives at various levels that align and support
strategy.

Establishing Business Objectives


The organization develops business objectives that are specific, measurable or observable, attainable, and
relevant. Business objectives provide the link to practices within the entity to support the achievement of the
strategy. For example, business objectives may relate to:

 Financial performance: Maintain profitable operations for all businesses.

 Customer aspirations: Establish customer care centers in convenient locations for customers to access.

 Operational excellence: Negotiate competitive labor contracts to attract and retain employees.

 Compliance obligations: Comply with applicable health and safety laws on all work sites.

 Efficiency gains: Operate in an energy-efficient environment.

 Innovation leadership: Lead innovation in the market with frequent new product launches.

Business objectives may cascade throughout the entity (divisions, operating units, functions) or be applied
selectively. Cascading objectives become more detailed as they are applied progressively from the top of the
entity down. For example, financial performance objectives are cascaded from divisional targets to individual
operating units. Alternatively, many business objectives will be specific to an operational dimension, geography,
product, or service.

Aligning Business Objectives


Individual objectives are aligned with strategy regardless of how the objective is structured and where it is
applied. The alignment of business objectives to strategy supports the entity in achieving its mission and vision.

Business objectives that do not align, or only partially align, to the strategy will not support the achievement of
the mission and vision and may introduce unnecessary risk to the risk profile of the entity. That is, the
organization may consume resources that would otherwise be more effectively deployed in carrying out other
business objectives.

Business objectives should also align with the entity’s risk appetite. If they do not, the organization may be
accepting either too much or too little risk. Therefore, when an organization evaluates a proposed business
objective, it must consider the potential risks that may occur and determine the effect on the risk profile. A
business objective that results in the organization exceeding the risk appetite may be modified or, perhaps,
discarded.

If an organization finds that it cannot establish business objectives that support the achievement of strategy
while remaining within its risk appetite or capabilities, a review of either the strategy or the risk profile is required.

Understanding the Implications from Chosen Business Objectives
An organization has many options when deciding on business objectives. Consider, for example, an organization
that is presented with an opportunity to upgrade its core operating systems and redesign its existing IT
infrastructure. One option is to pursue a business objective of identifying a suitable vendor and enter into a third-
party arrangement to develop a customized IT system. Another option is for the organization to build its own
system internally by investing significantly in its IT capabilities and increasing the number of personnel. Both
objectives align with the overall strategy, and therefore management must evaluate both and determine the
appropriate course of action given the potential implications to the risk profile, resources, and capabilities of the
entity.

As is the case with setting strategy, the organization needs to have a reasonable expectation that a business
objective can be achieved given the risk appetite or resources available to the entity. The expectation is
informed by the entity’s capabilities and resources. Where that reasonable expectation does not exist, the
organization must choose to either exceed risk appetite, procure more resources, or change the business
objective. Depending on the significance of the business objective to the strategy, revising the strategy may also
be warranted (see Example 7.8).

Example 7.8: Determining the Implications of a Chosen Business Objective

As part of its five-year strategy, an agricultural producer is looking to cultivate organic produce as a competitive
differentiator. The company analyzes the cost of transitioning to an organic environment and determines that
significant investment will be required, which may threaten the financial performance objectives. Given the
importance of maintaining financial performance, the organization chooses to abandon the selected business
objectives.

Categorizing Business Objectives


Many organizations will group common business objectives into common categories. Some organizations will
categorize or group business objectives to align with specific aspects of the strategy, such as market share,
customer focus, or corporate responsibility. Organizations may also align business objectives with various
business groups of the entity, such as operations, human resources, or other defined functional areas.
Regardless of how they are categorized, they must align with business practices, products, geographies, or
other organizational dimensions. How an organization categorizes its business objectives is decided by
management.

In some cases, organizations must adhere to external requirements that set out the manner in which business
objectives are categorized for reporting purposes. For example, if an organization is required to report on its
environmental risk assessment as part of its operating license, it will specifically include those requirements
within its business objectives and in its reporting.

Organizations need to be careful not to confuse business objective categories with risk categories. Risk
categories relate to the shared or common groupings of risks that potentially impact those business objectives.

Setting Performance Measures and Targets


The organization sets targets to monitor the performance of the entity and support the achievement of the
business objectives. For instance:

 An asset management company seeks to achieve a return on investment (ROI) of 5% annually on its
portfolio.

 A restaurant targets on-line home delivery orders to be delivered within forty minutes.

 A call center endeavors to minimize missed calls to 2% of overall calls received.

By setting targets, the organization is able to influence the risk profile of the entity. An aggressive target may
result in greater risk for that business objective. For example, an organization may set aggressive growth targets
that heighten the risks in pursuing added growth. Conversely, an organization may set a more conservative
growth target that will lower the risk of not achieving the target, but may also result in the target no longer
aligning with the achievement of the business objective.

As another example, consider again the asset management company from the list above that understands that
an ROI of 5% will enable the entity to achieve its financial objectives. If it strives for a return of 7%, it would incur
greater risk in performance. If it strives for 3%, which allows for a less aggressive risk profile, it will not achieve
its broader financial objectives. (Identifying and assessing the risks to the achievement of the business objective
and reviewing the appropriateness of the performance measures and targets are discussed in Chapter 8.)

Example 7.9 provides a more thorough example of business objectives considered at the entity, division,
operating unit, and function levels, along with supporting targets. The example illustrates how business
objectives increase in specificity as they cascade throughout the entity and at all levels.

Example 7.9: Sample Business Objectives by Level

Understanding Tolerance
Closely linked to risk appetite is tolerance—the acceptable variation in performance. It describes the range of
acceptable outcomes related to achieving a business objective within the risk appetite. It also provides an
approach for measuring whether risks to the achievement of strategy and business objectives are acceptable or
unacceptable.

Having an understanding of the tolerance for variation in performance enables management to enhance value to
the entity. For instance, the right boundary of acceptable variation should generally not exceed the point where
the risk profile intersects risk appetite. But where the right boundary is below risk appetite, management may be
able to shift its targets and still be within its overall risk appetite. The maximum point where the performance
target could be set is where the right boundary of tolerance intersects with risk appetite ("A" in Figure 7.5).

Figure 7.5 Risk Profile Showing Tolerance

Unlike risk appetite, which is broad, tolerance is tactical and focused. That is, it should be expressed in
measurable units (preferably in the same units as the business objectives), be applied to all business objectives,
and be implemented throughout the entity. In setting tolerance, the organization considers the relative
importance of each business objective and strategy. For instance, for those objectives viewed as being highly
important to achieving the entity’s strategy, or where a strategy is highly important to the entity’s mission and
vision, the organization may wish to set a lower range of tolerance. Tolerance focuses on objectives and
performance, not specific risks.

Operating within defined tolerance provides management with greater confidence that the entity remains within
its risk appetite and provides a higher degree of comfort that the entity will achieve its business objectives.

Performance Measures and Established Tolerances


Performance measures related to a business objective help confirm that actual performance is within an
established tolerance (see Example 7.10). Performance measures can be either quantitative or qualitative.
Tolerance also considers both exceeding and trailing variation, sometimes referred to as positive or negative
variation. Note that exceeding and trailing variation is not always set at equal distances from the target.

The amount of exceeding and trailing variation depends on several factors. An established organization, for
example, with a great deal of experience, may move exceeding and trailing variation closer to the target as it
gains experience at managing to a lower level of variation. The entity’s risk appetite is another factor: an entity
with a lower risk appetite may prefer to have less performance variation compared to an entity with a greater risk
appetite.

Example 7.10: Trailing Target Variation

A large beverage bottler sets a target of having no more than five lost-time incidents in a year and sets the
tolerance as zero to seven incidents. The exceeding variation between five and seven represents greater incidents
and potential for lost time and an increase in health and safety claims, which is a negative result for the entity. In
contrast, the trailing variation up to five represents a benefit: fewer incidents of lost time and fewer health and
safety claims. The organization also needs to consider the cost of striving for zero lost-time incidents.

It is common for organizations to assume that exceeding variation in performance is a benefit, and trailing
variation in performance is a risk. Exceeding a target does usually indicate efficiency or good performance, not
simply that an opportunity is being exploited. But trailing a target does not necessarily mean failure: it depends
on the organization’s target and how variation is defined (see Example 7.11).

Organizations should also understand the relationship between cost and tolerance so they can deal effectively
with associated risk. Typically, the narrower the tolerance, the greater amount of resources required to operate
within that level of performance. Consider airlines, for example, which track on-time arrivals and departures. An
airline may decide to stop serving several routes because its on-time performance does not fit within the airline’s
revised (decreased) tolerance. The airline would then need to weigh the cost implications of forgoing service
revenue to realize a decreased variation in its performance target.

Example 7.11: Tolerance Statements

Footnotes

fn 16 External environment categories may also be considered as potential risk categories when identifying and assessing risks.

fn 17 Internal environment is explored in detail in the Governance and Culture component (Chapter 6).

fn 18 Formulating business objectives is discussed in Principle 9. They are included here to better illustrate how risk appetite cascades from strategy through business objectives.

fn 19 Tolerance is discussed later in this chapter in Principle 9.

fn 20 Limits and triggers are discussed in the Performance component.

fn 21 SWOT is an acronym for strengths, weaknesses, opportunities, and threats. A SWOT analysis is a structured planning method that evaluates those four elements.

8. Performance

Principles Relating to Performance

Introduction
Creating, preserving, realizing, and minimizing the erosion of an entity’s value is further enabled by identifying,
assessing, and responding to risk that may impact the achievement of the entity’s strategy and business
objectives. Risks originating at a transactional level may prove to be as disruptive as those identified at an entity
level. Risks may impact one operating unit or the entity as a whole. They may be highly correlated with factors
within the business context or with other risks. Further, risk responses may require significant investments in
infrastructure or may be accepted as part of doing business. Because risk emanates from a variety of sources, a
range of responses is required from across the entity and at all levels.

This component of the Framework focuses on practices that support the organization in making decisions and
achieving strategy and business objectives. To that end, organizations use their operating structure to develop a
practice that:

• Identifies new and emerging risks so that management can deploy risk responses in a timely manner.

• Assesses the severity of risk, with an understanding of how the risk may change depending on the level of
the entity.

• Prioritizes risks, allowing management to optimize the allocation of resources in response to those risks.

• Identifies and selects responses to risk.

• Develops a portfolio view to enhance the ability for the organization to articulate the amount of risk
assumed in the pursuit of strategy and entity-level business objectives.

Figure 8.1 illustrates that these practices are iterative, with the inputs in one step of the process typically being
the outputs of the previous step. The practices are performed across all levels and with responsibilities and
accountabilities for appropriate enterprise risk management aligned with severity of the risk.

Figure 8.1: Linking Risk Assessment Processes, Inputs, Approaches, and Outputs

Principle 10: Identifies Risk
The organization identifies risk that impacts the performance of strategy and business objectives.

Identifying Risk
The organization identifies new, emerging, and changing risks to the achievement of the entity’s strategy and
business objectives. It undertakes risk identification activities to first establish an inventory of risks, and then to
confirm existing risks as being still applicable and relevant. As enterprise risk management practices are
progressively integrated, the knowledge and awareness of risks is kept up-to-date through normal day-to-day
operations. Some entities will supplement those activities from time to time in order to confirm the completeness
of the risk inventory. How often an organization does this will depend on how quickly risks change or new risks
emerge. Where risks are likely to take months or years to materialize, the frequency at which risk identification
occurs will be less than where risks are less predictable or will occur at a greater speed.

New, emerging, and changing risks include those that:

• Arise from a change in business objectives (e.g., the entity adopts a new strategy supported by business
objectives or amends an existing business objective).

• Arise from a change in business context (e.g., changes in consumer preferences for environmentally
friendly or organic products that have potentially adverse impacts on the sales of the company’s products).

• Pertain to a change in business context that may not have applied to the entity previously (e.g., a change
in regulations that results in new obligations to the entity).

• Were previously unknown (e.g., the discovery of a susceptibility for corrosion in raw materials used in the
company’s manufacturing operations).

• Were previously identified but have since been altered due to a change in the business context, risk
appetite, or supporting assumptions (e.g., a positive increase in the expected sales forecasts affecting
production capacity).

Emerging risks arise when business context changes, and they may alter the entity’s risk profile in the future.
Note that emerging risks may not be understood well enough to identify and initially assess accurately, and may
warrant re-identification more frequently. Additionally, organizations should communicate evolving information
about emerging risks.

Identifying new and emerging risks, or changes in existing risks, allows the organization to look to the future and
gives them time to assess the potential severity of the risks as well as to take advantage of these changes. In
turn, having time to assess the risk allows the organization to anticipate the risk response, or to review the
entity’s strategy and business objectives as necessary.

Some risks may remain unknown—risks for which there was no reasonable expectation that the organization
would consider during risk identification. These typically relate to changes in the business context. For example,
the future actions or intentions of competitors are often unknown, but they may represent new risks to the
performance of the entity.

Organizations want to identify those risks that are likely to disrupt operations and affect the reasonable
expectation of achieving strategy and business objectives. Such risks represent significant change in the risk
profile and may be either specific events or evolving circumstances. The following are some examples:

• Emerging technology: Advances in technology that may affect the relevance and longevity of existing
products and services.

• Expanding role of big data and data analytics: How organizations can effectively and efficiently access,
transform, and analyze large volumes of structured and unstructured data sources.

• Depleting natural resources: The diminishing availability and increasing cost of natural resources that
affect the supply, demand, and location for products and services.

• Rise of virtual entities: The growing prominence of virtual entities that influence the supply, demand, and
distribution channels of traditional market structures.

• Mobility of workforces: Mobile and remote workforces that introduce new activities to the day-to-day
operations of an entity.

• Labor shortages: The challenges of securing labor with the skills and levels of education required by
entities to support performance.

• Shifts in lifestyle, healthcare, and demographics: The changing habits and needs of current and future
customers as populations change.

• Political environment: Actions by a government that alter operations of an industry in a country.

Embedded in identifying risk is identifying opportunities.fn 22 That is, sometimes opportunities emerge from risk.
For example, changes in demographics and aging populations may be considered as both a risk to the current
strategy of an entity and an opportunity to renew the workforce to better pursue growth. Similarly, advances in
technology may represent a risk to distribution and service models for retailers as well as an opportunity to
change how retail customers obtain goods (e.g., through online service). Where opportunities are identified, they
are communicated through the organization to be considered as part of setting strategy and business objectives.

Using a Risk Inventory


A risk inventory is simply a listing of the risk the entity faces. Depending on the number of individual risks
identified, organizations may structure the risk inventory by category to provide standard definitions for different
risks. This allows similar risks to be grouped together, such as financial risks, customer risks, or compliance (or
more broadly, obligation) risks. Within each category, organizations may choose to further define risks into more
detailed sub-categories. The risk inventory can be updated to reflect changes identified by management.

Figure 8.2: Risk Impacts at Differing Levels

Figure 8.2 illustrates how risks that impact different levels of the entity form part of the risk inventory:

• Risk 1 potentially impacts the strategy directly.

• Risk 2 impacts the entity business objectives.

• Risk 3 impacts multiple business objectives that then aggregate and impact entity business objectives.

• Risk 4 impacts a single business objective and that also impacts entity business objectives.

Because the impact of risks cannot be limited to specific levels or functions, identification activities should
capture all risks, and regardless of where they are identified, all risks form part of the entity’s risk inventory. For
example, an entity that identifies risks at the strategy level relating to board governance and achieving diversity
targets must also consider these risks at a business objective level. Or an organization that identifies the risk of
missing a customer billing deadline at a business objective level should consider the impact of that risk at the
entity level.

To demonstrate that a comprehensive risk identification has been carried out, management will identify risks and
opportunities across all functions and levels—those risks that are common across more than one function, as
well as those that are unique to a particular product, service offering, jurisdiction, or other function.

Approaches to Identifying Risk


A variety of approaches are available for identifying risks. The organization can identify risks as part of day-to-
day activities such as budgeting, business planning, performance reviews, and meetings as considerations in
the approval processes for new products and designs and in response to customer complaints, incidents, or
financial losses. Identification activities integrated through the entity can be supplemented by additional targeted
activities such as simple questionnaires, facilitated workshops, and interviews. Some approaches may be
enabled by technology, such as data tracking and complex analytics.

Depending on the size, geographic footprint, and complexity of an entity, management may use more than one
technique. For example, an entity may collect internal data on historical incidents and losses and analyze it to
identify new, emerging, and changing risks. Additionally, the nature and type of the risk may determine the
appropriate technique. For example, management may use more sophisticated approaches to identify risks
associated with an acquisition. Some organizations may draw on information from other organizations in the
same industry or region to inform them of potential risks. Figure 8.3 and the list below provide information on
useful approaches for identifying different types of risks.

Figure 8.3: Approaches for Identifying Risks

• Cognitive computing allows organizations to collect and analyze large volumes of data to detect future
trends and meaningful insights in new and emerging risks as well as changes in existing risks more
efficiently than a human.

• Data tracking from past events can help predict future occurrences. While historical data typically is used in
risk assessment—based on actual experience with severity—it can also be used to understand
interdependencies and develop predictive and causal models. Databases developed and maintained by
third-party service providers that collect information on incidents and losses incurred by industry or region
may inform the organization of potential risks. These are often available on a subscription basis. In some
industries, consortiums have formed to share internal data.

• Interviews solicit the individual’s knowledge of past and potential events. For canvassing large groups of
people, questionnaires or surveys may be used.

• Key indicators are qualitative or quantitative measures that help to identify changes to existing risks. Risk
indicators should not be confused with performance measures, which are typically retrospective in nature.

• Process analysis involves developing a diagram of a process to better understand the interrelationships of
its inputs, tasks, outputs, and responsibilities. Once mapped, risks can be identified and considered
against relevant business objectives.

• Workshops bring together individuals from different functions and levels to draw on the group’s collective
knowledge and develop a list of risks as they relate to the entity’s strategy or business objectives.

Whatever approaches are selected, an organization considers how changes in assumptions underpinning the
strategy and business objectives may create new or emerging risks. For example, in one case management
assumed an exchange rate on par with the local currency for importing raw materials. The actual exchange rate,
however, declined by more than 10%, which created a new risk to meeting overall profitability targets.
Additionally, management considered the business context—the expected economic outlook for the entity,
changing customer preferences, and anticipated growth rates when conducting risk identification.

When identifying risks, the organization should aim to precisely describe the risk itself, rather than other
considerations of that risk, such as the root causes of the risk, the potential impacts of the risk, or the effect of
the risk being poorly implemented. Figure 8.4 compares descriptions of these other considerations, which are
less helpful, to precise risk descriptions, which are preferred.

Figure 8.4: Describing Risks with Precision

Precise risk identification:

• Allows the organization to more effectively manage the risk inventory and understand its relationship to the
business strategy, objectives, and performance.

• Allows the organization to more accurately assess the severity of the risk in the context of business
objectives.

• Helps the organization identify the typical root causes and impacts, and therefore select and deploy the
most appropriate risk responses.

• Allows the organization to understand interdependencies between risks and across business objectives.

• Supports the aggregation of risks to produce the portfolio view.

Accordingly, organizations are encouraged to describe risks by using a standard sentence structure. Here are
two possible approaches:

• The possibility of [describe potential occurrence or circumstance] and the associated impacts on [describe
specific business objectives set by the organization].

  • Example: The possibility of a change in foreign exchange rates and the associated impacts on
  revenue.

• The risk to [describe the category set by the organization] relating to [describe the possible occurrence or
circumstance] and [describe the related impact].

  • Example: The risk to financial performance relating to a possible change in foreign exchange rates
  and the impact on revenue.

Framing Risk
Prospect theory, which explores human decision-making, says that individuals are not risk neutral; rather, a
response to loss tends to be more extreme than a response to gain. And with this comes a tendency to
misinterpret probabilities and best solution reactions. As well, how a risk is framed—focusing on the upside (a
potential gain) or downside (a potential loss)—often will influence the response. With that in mind, consider the
importance of describing risk with a consistent sentence structure to reduce framing bias. Example 8.1 presents
an illustration of framing.

Example 8.1: Framing

An individual is confronted with two sets of choices:

1. A sure gain of $240, or a 25% chance to gain $1,000 and a 75% chance to gain nothing.

2. A sure loss of $750, or a 75% chance to lose $1,000 and a 25% chance to lose nothing.
In the first set, most people select "a sure gain of $240," because that is framed in the positive. In the second set,
most people select a "75% chance to lose $1,000," because in this case it is the loss that is more certain. Prospect
theory holds that people do not want to put at risk what they already have or think they can have, but they will
have higher risk tolerance when they think they can minimize losses.

Principle 11: Assesses Severity of Risk


The organization assesses the severity of risk.

Assessing Risk
Risks identified and included in an entity’s risk inventory are assessed in order to understand the severity of
each to the achievement of an entity’s strategy and business objectives. Risk assessments inform the selection
of risk responses. Given the severity of risks identified, management decides on the resources and capabilities
to deploy in order for the risk to remain within the entity’s risk appetite.

Assessing Severity at Different Levels of the Entity


The severity of a risk is assessed at multiple levels (across divisions, functions, and operating units) in line with
the business objectives it may impact. It may be that risks assessed as important at the operating unit level, for
example, may be less important at a division or entity level. At higher levels of the entity, risks are likely to have
a greater impact on reputation, brand, and trustworthiness.

Using standardized risk terminology and categories helps in the assessment of risks at all levels of the
organization. Common risks across business units, divisions, and functions can also be grouped. For example,
the risk of technology disruptions identified by multiple divisions may be grouped and assessed collectively.
Similarly, the risks measured at escalating levels within an entity may also be grouped. When common risks are
grouped, the severity rating may change. Risks that are of low severity individually may become more or less
severe when considered collectively across business units or divisions.

Figure 8.5 illustrates the risk inventory mapped to strategy and business objectives. In a "top-down" entity-level
risk assessment, risk 4 may be assessed to have a low level of severity. In a business unit–level assessment,
risk 4 may be considered more significant and therefore have a greater severity.

Figure 8.5: Assessing Risk at Different Levels

In order for risk assessment practices to be complete, a top-down assessment considers those risks identified
and assessed at lower levels. For example, an entity-level assessment would assess entity-level risks, but
should also consider those severe risks identified at the entity business objective level, such as risk 2, to
determine if, given their severity, they are an entity-level concern.

Figure 8.6 illustrates four common scenarios.

• In scenario 1, the organization recognizes that the risk could impact the business objective as well as the
entity-level business objective. For example, a safety error in a manufacturing process can, given its
magnitude, impact the entity as a whole.

• In scenario 2, a risk diminishes in severity at higher levels of the entity, indicating that it does not pose the
same potential impact to the entity as a whole. For example, a backlog in transactions may pose a risk to
the operating unit managing processing but may not have a significant impact on the business objective
overall, and at the entity level may have little to no impact. However, if the backlog grows, this risk could
elevate to scenario 3 or even scenario 1.

• In scenario 3, two risks individually have moderate severity assessments, but together they impact the
business objectives and entity more significantly, and therefore they are assessed as more severe. For
example, the inability to recruit employees for common support functions such as legal expertise
represents a low risk to each operating unit but starts to impact the entity more significantly at a business
objective level as the trend could have a detrimental impact on the ability to achieve a business objective
heavily dependent on legal expertise. Yet, at an entity level, that risk may not be as significant given the
importance of the business objective to the strategy.

• In scenario 4, certain risks impact the entire entity. For example, the risk of a takeover bid by competitors
impacts the strategy of the entity as a whole, but may not impact business-level objectives individually.

Figure 8.6: Assessing Severity at Different Levels

Selecting Severity Measures


Management selects measures to assess the severity of risk. Generally, these measures align to the size,
nature, and complexity of the entity and its risk appetite. Different thresholds may also be used at varying levels
of an entity for which a risk is being assessed. The thresholds used to assess the severity of a risk are tailored to
the level of assessment—by entity or operational unit. Acceptable amounts of risk to financial performance, for
example, may be greater at an entity level than an operating unit level.

Management determines the relative severity of various risks in order to select an appropriate risk response,
allocate resources, and support management decision-making and performance. Measures may include:fn 23

• Impact: Result or effect of a risk. There may be a range of possible impacts associated with a risk. The
impact of a risk may be positive or negative relative to the strategy or business objectives.

• Likelihood: The possibility of a risk occurring. This may be expressed in terms of a probability or frequency
occurring. Likelihood may be expressed in a variety of ways, as the following examples show:

  • Qualitative: "The possibility of a risk relating to a potential occurrence or circumstance and the
  associated impacts on a specific business objective [within the time horizon contemplated by the
  business objective, e.g., twelve months] is remote."

  • Quantitative: "The possibility of a risk relating to a potential occurrence or circumstance and the
  associated impacts on a specific business objective [within the time horizon contemplated by the
  business objective, e.g., twelve months] is 80%."

  • Frequency: "The possibility of the risk relating to a potential occurrence or circumstance and the
  associated impacts on a specific business objective [within the time horizon contemplated by the
  business objective, e.g., twelve months] is once every twelve months."

As part of the assessment process, management considers potential combinations of likelihood and impact. For
example, there may be a low risk of operational incidents resulting in losses greater than 20% of the entity’s
revenue. At the same time, there may be a higher likelihood of operational incidents resulting in losses of less
than 1% of the entity’s revenue. Whenever management identifies when a risk would be disruptive or
necessitates a change in risk response, that risk is accounted for in the assessment activities.

The time horizon used to assess risks should be the same as that used for the related strategy and business
objectives. For instance, if the business objectives focus on a three-year time horizon, management would
consider risks within that time frame. Because the strategy and business objectives of many entities focus on
short- to medium-term time horizons, management often focuses on risks associated with those time frames.
However, when assessing risks of the mission, vision, or strategy, the time frame may be longer. Management
needs to be cognizant of the longer time frames and not ignore risks that might emerge or occur further out.

Additionally, risk emanates from multiple sources and results in different impacts. Root causes can have a
positive or negative impact on assessment of a risk. Figure 8.7 illustrates the variety of results that may occur
from a variety of sources.

Figure 8.7: Root Causes and Impacts of Risk

Severity measures should align with the strategy and business objectives. Example 8.2 illustrates how an
organization identifies the risks to its business objectives and applies appropriate measures. When different
impacts are identified for a business objective, management provides guidance on how to assess the severity of
the impact. Where multiple impacts result in different assessments of severity or require a different risk
response, management determines if additional risks need to be identified and assessed separately.

Assessment Approaches
Risk assessment approaches may be qualitative, quantitative, or a combination of both.

• Qualitative assessment approaches, such as interviews, workshops, surveys, and benchmarking, are often
used when it is neither practicable nor cost-effective to obtain sufficient data for quantification. Qualitative
assessments are more efficient to complete; however, there are limitations in the ability to identify
correlations or perform a cost-benefit analysis.

• Quantitative assessment approaches, such as modeling, decision trees, Monte Carlo simulations, etc.,
allow for increased granularity and precision, and support a cost-benefit analysis. Consequently,
quantitative approaches are typically used in more complex and sophisticated activities to supplement
qualitative techniques. Quantitative approaches include:

  • Probabilistic models (e.g., value at risk, cash flow at risk, operational loss distributions) that associate
  a range of events and the resulting impact with the likelihood of those events based on certain
  assumptions. Understanding how each risk factor could vary and impact cash flow, for example,
  allows management to better measure and manage the risk.

  • Non-probabilistic models (e.g., sensitivity analysis, scenario analysis) use subjective assumptions to
  estimate the impact of events without quantifying an associated likelihood on a business objective.
  For example, scenario analysis allows management to understand the impact on a business
  objective to increase profitability under different scenarios, such as a competitor releasing a new
  product, a disruption in the supply chain, or an increase in product costs.

Depending on how complex and mature the entity is, management may rely on a degree of judgment and
expertise when conducting the modeling. Regardless of the approach used, any assumptions should be clearly
stated.

Example 8.2: Aligning Business Objectives, Risk, and Severity Measures

The anticipated severity of a risk may influence the type of approach used. In assessing risks that could have
extreme impacts, management may use scenario analysis, but when assessing the effects of multiple events,
management might find simulations more useful (e.g., stress testing). Conversely, high-frequency, low-impact
risks may be more suited to data tracking and cognitive computing. To reach consensus on the severity of risk,
organizations may employ the same approach they used as part of the risk identification.

Assessments may also be performed across the entity by different teams. In this case, the organization
establishes an approach to review any differences in the assessment results. For example, if one team rates
particular risks as "low," but another team rates them as "medium," management reviews the results to
determine if there are inconsistencies in approach, assumptions, and perspectives of business objectives or
risks.

Finally, part of risk assessment is seeking to understand the interdependencies that may exist between risks.
Interdependencies can occur where multiple risks impact one business objective or where one risk triggers
another. Risks can occur concurrently or sequentially. For example, for a technology innovator the delay in
launching new products results in a concurrent loss of market share and dilution of the entity’s brand value. How
management understands interdependencies will be reflected in the assessment of severity.

Inherent, Target, and Residual Risk


As part of the risk assessment, management considers inherent risk, target residual risk, and actual residual
risk.

• Inherent risk is the risk to an entity in the absence of any direct or focused actions by management to alter
its severity.

• Target residual risk is the amount of risk that an entity prefers to assume in the pursuit of its strategy and
business objectives, knowing that management will implement, or has implemented, direct or focused
actions to alter the severity of the risk.

• Actual residual risk is the risk remaining after management has taken action to alter its severity. Actual
residual risk should be equal to or less than the target residual risk. Where actual residual risk exceeds
target risk, additional actions should be identified that allow management to alter risk severity further.

Management may identify risks for which unnecessary responses have been deployed. Redundant risk
responses are those that do not result in a measurable change to the severity of the risk. Removing such
responses may allow management to allocate resources put toward that response elsewhere.

Depicting Assessment Results


Assessment results are often depicted using a "heat map" or other graphical representation to highlight the
relative severity of each of the risks to the achievement of a given strategy or business objective. Each risk
plotted on the heat map assumes a given level of performance for that strategy or business objective.

Assessed risks for a given business objective are plotted on the heat map using the severity measures selected
by the entity for a given level of performance. The various combinations of likelihood and impact (severity
measures), given the risk appetite, are color coded to reflect a particular level of severity. In Figure 8.8, the entity
has four risk severity ratings ranging from red to green. The color coding aligns to a particular severity outcome
and reflects the risk appetite of the entity. Risk-averse entities may code more squares in red compared to risk-
aggressive entities.

Figure 8.8: Business Objective Heat Map


Figure 8.9 illustrates the risk profile for a single business objective and a given level of performance. Should the
level of performance change, the corresponding changes in each of the risks are captured. This may result in
new risks, risks shifting in severity, or risks being removed.

Figure 8.9: Business Objective Risk Profile

It is the risk inventory that forms the basis from which an organization is able to construct a risk profile (as shown
in Figure 8.9). Each data point on the risk curve represents the combination and severity of risks for that
business objective (as illustrated in a disaggregated manner using the heat map in Figure 8.8). Management
may use the risk profile in its assessment to:

• Confirm that performance is within the tolerance.

• Confirm that risk is within risk appetite.

• Compare the severity of a risk at various points of the curve.

• Assess the disruption point in the curve, at which the amount of risk greatly exceeds the appetite of the
entity and may impact its performance or the achievement of its strategy and business objectives.

In addition, management considers how different risks may present different impacts to the same business
objective. For example, a hardware store franchise identifies the risk of poor sales due to not stocking a diverse
product range that will appeal to a broad group of customers. Management is also aware that changes in
marketing and advertising efforts can significantly affect sales. Focusing on the business objective of sales,
management is able to better understand the risks that have an impact on sales. Understanding the severity of
different risks to the same business objective, management can make risk-aware decisions about the diversity of
products in stock and the desired budget to spend on marketing and advertising costs in order to manage the
risk of low sales.

Identifying Triggers for Reassessment


The organization strives to identify triggers that will prompt a reassessment of severity when required. Triggers
are typically changes in the business context, but may also be changes in the risk appetite, and they serve as
early-warning indicators of changes to assumptions underpinning the severity assessment. A trigger may be an
increase in the number of customer complaints, an adverse change in an economic index, a drop in sales, or a
spike in employee turnover. Triggers may also come from a competitor (e.g., competitor’s product recalled for
defects).

The severity of the risks and the frequency at which severity may change will inform how often the assessment
may be triggered. For example, risks associated with changing commodity prices may need to be assessed
daily, but risks associated with changing demographics or market tastes for new products may need to be
assessed only annually.

Bias in Assessment

Management should identify and mitigate the effect of bias in carrying out risk assessment practices. For
example, confidence bias may support a pre-existing perception of a known risk. Additionally, how a risk is
framed can also affect how risks are interpreted and assessed. For example, for a given risk, there may be a
range of potential impacts, each with a separate likelihood. Thus, a risk with a low likelihood but high impact
could have the same outcome as a high likelihood, low impact; however, one risk may be acceptable to the
organization while the other is not. As such, the manner in which the risk is presented and framed to
management is critical to mitigate any bias.

Bias may result in the severity of a risk being under- or overestimated, and limit how effective the selected risk
response will be. Underestimating the severity may result in an inadequate response, leaving the entity exposed
and potentially outside of the entity’s risk appetite. Overestimating the severity of a risk may result in resources
being unnecessarily deployed in response, creating inefficiencies in the entity. Additionally, it may hamper the
performance of the entity or affect its ability to identify new opportunities.

Principle 12: Prioritizes Risks


The organization prioritizes risks as a basis for selecting responses to risks.

Establishing the Criteria


Organizations prioritize risks in order to inform decision-making on risk responses and optimize the allocation of
resources. Given the resources available to an entity, management must evaluate the trade-offs between
allocating resources to mitigate one risk compared to another. The prioritization of risks, given their severity, the
importance of the corresponding business objective, and the entity’s risk appetite helps management in its
decision-making.

Priorities are determined by applying agreed-upon criteria (fn 24). Examples of these criteria include:

• Adaptability: The capacity of an entity to adapt and respond to risks (e.g., responding to changing
demographics such as the age of the population and the impact on business objectives relating to product
innovation).

• Complexity: The scope and nature of a risk to the entity’s success. The interdependency of risks will
typically increase their complexity (e.g., risks of product obsolescence and low sales to a company’s
objective of being market leader in technology and customer satisfaction).

• Velocity: The speed at which a risk impacts an entity. The velocity may move the entity away from the
acceptable variation in performance (e.g., the risk of disruptions due to strikes by port and customs
officers affecting the objective relating to efficient supply chain management).

• Persistence: How long a risk impacts an entity (e.g., the persistence of adverse media coverage and
impact on sales objectives following the identification of potential brake failures and subsequent global car
recalls).

• Recovery: The capacity of an entity to return to tolerance (e.g., continuing to function after a severe flood
or other natural disaster). Recovery excludes the time taken to return to tolerance, which is considered part
of persistence, not recovery.

Prioritization takes into account the severity of the risk compared to risk appetite. Greater priority may be given
to those risks likely to approach or exceed risk appetite.

Prioritizing Risk

Risks with similar assessments of severity may be prioritized differently. That is, two risks may both be assessed
as "medium," but management may give one more priority because it has greater velocity and persistence (see
Example 8.3), or because the risk response for one risk provides a higher risk-adjusted return than for other
risks of similar severity.

Example 8.3: Prioritizing Risk

For a large restaurant chain, responding to the risk that customer complaints remain unresolved and attract
adverse attention in social media is considered a greater priority than responding to the risk of protracted contract
negotiations with vendors and suppliers. Both risks are severe, but the speed and scope of on-line scrutiny may
have a greater impact on the performance and reputation of the restaurant chain, necessitating a quicker
response to negative feedback.

How a risk is prioritized typically informs the risk responses that management considers. The most effective
responses address both severity (impact and likelihood) and prioritization of a risk (velocity, complexity, etc.).

Risks of greater priority are more likely to be those that affect the entity as a whole or arise at the entity level. For
example, the risk that new competitors will introduce new products and services to the market may require
greater adaptability and a review of the entity’s strategy and business objectives in order for the entity to remain
viable and relevant.

Using Risk Appetite to Prioritize Risks


Management should also compare risk appetite when prioritizing risks. Risks that result in the entity approaching
the risk appetite for a specific business objective are typically given higher priority (see Example 8.4).
Additionally, performance levels that approach the outer bounds of tolerance may be given priority.

Example 8.4: Relationship of Risk Profile to Risk Appetite

A utility company’s mission is to be the most reliable electricity provider in its region. A recent increase in the
frequency and persistence of power outages indicates that the company is approaching its risk appetite and is less
likely to achieve its business objectives of providing reliable service. This situation triggers a heightened priority for
the risk. A change in the priority may result in reviewing the risk response, implementing additional responses, and
allocating more resources to reduce the likelihood of the risk breaching the organization’s risk appetite.

Through prioritizing risks, management also recognizes that there are risks the entity chooses to accept; that is,
some are already considered to be managed to an acceptable amount for the entity and for which no additional
risk response will be contemplated.

Prioritization at All Levels


Risk prioritization occurs at all levels of an entity, and different risks may be assigned different priorities at
different levels. For example, high-priority risks at the operating level may be evaluated as low-priority risks at
the entity level. The organization assigns a priority at the level at which the risk is owned and with those who are
accountable for managing it.

Organizations prioritize risks on an aggregate basis where a single risk owner is identified or a common risk
response is likely to be applied. This allows risks to be clearly identified and described using a standard risk
category, which enables common risks to be prioritized consistently across the entity. The result is a more
consistent and efficient risk response than would have occurred if each risk had been prioritized separately.

Risk owners are responsible for using the assigned priority to select and apply appropriate risk responses in the
context of business objectives and performance targets. In many cases, the risk response owner and risk owner
may be two different people, or may be at different levels within the entity. Risk owners must have sufficient
authority to prioritize risks based on their responsibilities and accountability for managing the risk effectively.

Bias in Prioritization

Management must strive to prioritize risks and manage competing business objectives relating to the allocation
of resources free from bias. Competing business objectives may include securing additional resources,
achieving specific performance measures, qualifying for personal incentives and rewards, or obtaining other
specific outcomes.

Principle 13: Implements Risk Responses


The organization identifies and selects risk responses.

Choosing Risk Responses

For all risks identified, management selects and deploys a risk response. Management considers the severity
and prioritization of the risk as well as the business context and associated business objectives. Finally, the risk
response also accounts for the performance targets of the organization. Risk responses fall within the following
categories:

• Accept: No action is taken to change the severity of the risk. This response is appropriate when the risk to
strategy and business objectives is already within risk appetite. Risk that is outside the entity’s risk appetite
and that management seeks to accept will generally require approval from the board or other oversight
bodies.

• Avoid: Action is taken to remove the risk, which may mean ceasing a product line, declining to expand to a
new geographical market, or selling a division. Choosing avoidance suggests that the organization was not
able to identify a response that would reduce the risk to an acceptable level of severity.

• Pursue: Action is taken that accepts increased risk to achieve improved performance. This may involve
adopting more aggressive growth strategies, expanding operations, or developing new products and
services. When choosing to pursue risk, management understands the nature and extent of any changes
required to achieve desired performance while not exceeding the boundaries of acceptable tolerance.

• Reduce: Action is taken to reduce the severity of the risk. This involves any of the myriad everyday business
decisions that reduce risk to an amount of severity aligned with the target residual risk profile and risk
appetite.

• Share: Action is taken to reduce the severity of the risk by transferring or otherwise sharing a portion of the
risk. Common techniques include outsourcing to specialist service providers, purchasing insurance
products, and engaging in hedging transactions. As with the reduce response, sharing risk lowers residual
risk in alignment with risk appetite.

These categories of risk responses require that the risk be managed within the business context, business
objectives, performance targets, and organization’s risk appetite. In some instances, management may need to
consider another course of action, including the following:

• Review business objective: The organization chooses to review and potentially revise the business
objective given the severity of identified risks and tolerance. This may occur when the other categories of
risk responses do not represent desired courses of action for the entity.

• Review strategy: The organization chooses to review and potentially revise the strategy given the severity
of identified risks and risk appetite of the entity. As with a review of business objectives, this may occur
when other categories of risk responses do not represent desired courses of action for the entity.

Organizations may also choose to exceed the risk appetite if the effect of staying within the appetite is perceived
to be greater than the potential exposure from exceeding it. For example, management may accept the risk
associated with the expedited approval of a new product in favor of the opportunity and competitive advantage of
bringing those products to market more quickly. Where an entity repeatedly accepts risks that approach or
exceed appetite as part of its usual operations, a review and recalibration of the risk appetite may be warranted.

Selecting and Deploying Risk Responses


Management selects and deploys risk responses while considering the following factors:

• Business context: Risk responses are selected or tailored to the industry, geographic footprint, regulatory
environment, operating structure, or other factors.

• Costs and benefits: Anticipated costs and benefits are generally commensurate with the severity and
prioritization of the risk.

• Obligations and expectations: Risk response addresses generally accepted industry standards,
stakeholder expectations, and alignment with the mission and vision of the entity.

• Prioritization of risk: The priority assigned to the risk informs the allocation of resources. Risk responses
that have large implementation costs (e.g., system upgrades, increases in personnel) for lower-priority
risks need to be carefully considered and may not be appropriate given the assessed priority.

• Risk appetite: Risk response either brings risk within risk appetite of the entity or maintains its current
status. Management identifies the response that brings residual risk to within the appetite. This may be, for
example, a combination of purchasing insurance and implementing internal responses to reduce the risk to
a range of tolerance.

• Risk severity: Risk response should reflect the size, scope, and nature of the risk and its impact on the
entity. For example, in a transaction or production environment, where risks are driven by changes in
volume, the proposed response is scaled to accommodate increased activity.

Often, any one of several risk responses will bring the residual risk in line with the tolerance, and sometimes a
combination of responses provides the optimum result. Conversely, sometimes one response will affect multiple
risks, in which case management may decide that additional actions to address a particular risk are not needed.

The risk response may change the risk profile (see Example 8.5). Once management selects a risk response,
control activities (fn 25) are necessary to ensure that those risk responses are carried out as intended.
Management must recognize that risk is managed but not eliminated. Some residual risk will always exist, not
only because resources are limited, but because of future uncertainty and limitations inherent in all tasks.

Example 8.5: Changing Risk Profiles

A midsized fruit farmer considers purchasing weather-related insurance for floods or storms that would offset any
decline in production below a certain minimum volume. The resulting risk profile for production levels would
account for the potential performance outcomes covered by insurance.

Considering Costs and Benefits of Risk Responses


Management must consider the potential costs and benefits of different risk responses. Generally, anticipated
costs and benefits are commensurate with the severity and prioritization of the risk. For example, a high-priority
risk with a greater severity may warrant increased resource costs, given the anticipated benefits of the response.

Cost and benefit measurements for selecting and deploying risk responses are made with varying levels of
precision. Costs comprise direct costs, indirect costs (where practicably measurable), and for some entities,
opportunity costs associated with the use of resources. Measuring benefits may be more subjective, as they are
usually difficult to quantify. In many cases, however, the benefit of a risk response can be evaluated in the
context of the achievement of strategy and business objectives. In some instances, given the importance of a
strategy or business objective, there may not be an optimal risk response from the perspective of costs and
benefits. In such instances, the organization can either select a response or choose to revisit the entity’s strategy
and business objectives.

Example 8.6: Relationship of Risk Profile to Risk Appetite

An insurance company implements risk responses to address new regulatory requirements across the insurance
industry. These responses will require the company to make additional investments in its technology
infrastructure, change in its current processes, and add to its staff to assist with the implementation to achieve its
objectives relating to regulatory compliance.

Management is also responsible for risk responses that address any regulatory obligations, which again may not
be optimal from the perspective of costs and benefits, but comply with legal or other obligations (see Example
8.6). In selecting the appropriate response, management must consider the expectations of stakeholders such
as shareholders, regulators, and customers.
Additional Considerations

Selecting one risk response may introduce new risks that have not been previously identified or may have
unintended consequences. For example, for the fruit farmer in Example 8.5, the risk of floods damaging the
crops was reduced by purchasing insurance; however, the farmer may now be at risk of low cash flow.

For newly identified risks, management should assess the severity and related priority, and determine the
effectiveness of the proposed risk response. On the other hand, selecting a risk response may present new
opportunities not previously considered. Management may identify innovative responses, which, while fitting with
the response categories described earlier, may be entirely new to the entity or even an industry. Such
opportunities may surface when existing risk response options reach the limit of effectiveness, and when further
refinements will likely provide only marginal changes to the severity of a risk. Management channels any new
opportunities back to strategy-setting.

Principle 14: Develops Portfolio View


The organization develops and evaluates a portfolio view of risk.

Understanding a Portfolio View


Enterprise risk management allows the organization to consider potential implications to the risk profile from an
entity-wide, or portfolio, perspective. Management first considers risk as it relates to each division, operating
unit, or function. Each manager develops a composite assessment of risks that reflects the unit’s residual risk
profile relative to its business objectives and tolerance.

A portfolio view allows management and the board to consider the type, severity, and interdependencies of risks
and how they may affect performance. Using the portfolio view, the organization identifies risks that are severe
at the entity level. These may include risks that arise at the entity level as well as transactional, processing-type
risks that could disrupt the entity as a whole.

With a portfolio view, management is well positioned to determine whether the entity’s residual risk profile aligns
with the overall risk appetite. The same risk across different units may be acceptable for the operating units, but
taken together may give a different picture. Collectively, the risk may exceed the risk appetite of the entity as a
whole, in which case additional or different risk responses are needed. Conversely, a risk may not be acceptable
in one unit, but be well within the range in another. For example, some operating units have higher risk than
others, yet the overall risk remains within the entity’s risk appetite. And in cases where the portfolio view shows
that risks are significantly less than the entity’s risk appetite, management may decide to motivate individual
operating unit managers to accept greater risk in targeted areas, striving to enhance the entity’s value.

Developing a Portfolio View


A portfolio view of risk can be developed in a variety of ways. One method is to focus on major risk categories
across operating units, or on risk for the entity as a whole, using metrics such as risk-adjusted capital or capital
at risk. This method is particularly useful when assessing risk against business objectives stated in terms of
earnings, growth, and other performance measures, sometimes relative to allocated or available capital. The
information derived can prove useful in reallocating capital across operating units and modifying strategic
direction (other qualitative methods can also be used to develop this portfolio view).

A portfolio view also may be depicted graphically indicating the types and amount of risk assumed compared to
the risk appetite of the entity for each organizational function, strategy, and business objective. The portfolio
view in Figure 8.10 illustrates the alignment of risks to business objectives and the relationship between different
objectives.

In developing a view of risk, there are four levels in order of ascending level of integration (from minimal to
maximum):

• Minimal Integration—Risk View: At the risk-centric view, the entity identifies and assesses discrete risks.
The predominant focus is on the underlying risk event rather than the objective; for example, the risk of a
breach impacting compliance of the entity with local regulations.

• Limited Integration—Risk Category View: This view uses information captured in the risk inventory view
and organizes risks using categories or another classification scheme. Risk categories often reflect the
entity’s operating structure and inform roles and responsibilities. A compliance department, for example,
will have responsibilities for helping the organization manage its compliance-related risks.

• Partial Integration—Risk Profile View: Adopting a more integrated view, an organization focuses on
business objectives and the risks that align with those objectives (e.g., all objectives potentially impacted
by compliance-related risks). Further, dependencies that may exist between business objectives are
identified and considered. For example, an objective of enhancing operational excellence may be a
prerequisite for strengthening the balance sheet and growing market share. This view relies on information
used to create the risk-centric or risk-category view.

• Full Integration—Portfolio View: At this level, the focus shifts to the overall entity strategy and business
objectives. Greater integration supports identifying, assessing, responding to, and reviewing risk at the
appropriate levels for decision-making. Boards and management focus greater attention on the
achievement of strategy while responsibility and management of business objectives and individual risks
within the risk inventory cascade throughout the entity. Using the same example, the board reviews and
challenges management on how the entity is enhancing its operational excellence including the
management of compliance-related risks.

In developing the portfolio view, organizations may observe risks that:

• Increase in severity as they are progressively consolidated to higher levels within the entity.

• Decrease in severity as they are progressively consolidated.

• Offset other risks by acting as natural hedges.

• Demonstrate a positive or negative correlation to changes occurring in the severity of other risks.

Figure 8.10: Portfolio View of Risk

Using Figure 8.10 as an example, an organization develops its portfolio view and observes the following
characteristics:

• Severity of technology disruptions increases as risks are progressively aggregated, recognizing the
reliance that multiple businesses have on common operating systems and technology.

• Risk of counterparty defaults decreases in severity as the entity does not have a single creditor considered
large enough to impact the entity as a whole.

• Risk of low sales from multiple operating units may act as a natural hedge where low sales in one
operating unit are offset by strong sales in another.

• Risk of currency fluctuations may also act as a natural hedge where currency changes in one country
offset changes in another.

• Strong positive correlation between the risk of product recalls and the risk of compliance breaches increases
the priority of risk responses to both risks.

• Strong positive correlation between the business objectives of investing in best-in-class technology
solutions and minimizing losses and inefficiencies is taken into account when selecting associated
risk responses.

Developing a portfolio view of the risks to the entity enables risk-based decision-making and helps set
performance targets and manage changes in either the performance or the risk profile. Important considerations
in setting targets and responding to change include understanding which risks are likely to increase or decrease,
whether new risks are introduced, and whether existing ones become less relevant. By using a portfolio view to
understand the relationship between risk and performance, the organization can assess the results of the
strategy and business objectives in accordance with the entity’s risk appetite.

Analyzing the Portfolio View


To evaluate the portfolio view of risk, the organization will want to use both qualitative and quantitative
techniques. Quantitative techniques include regression modeling and other means of statistical analysis to
understand the sensitivity of the portfolio to changes and shocks. Qualitative techniques include scenario
analysis and benchmarking.

By stressing the portfolio, management can review:

• Assumptions underpinning the assessment of the severity of risk.

• Behaviors of individual risks under stressed conditions.

• Interdependencies of risks within the portfolio view.

• Effectiveness of existing risk responses.

Undertaking stress testing, scenario analysis, or other analytical exercises helps an organization to avoid or
better respond to big surprises and losses. The organization uses different techniques to assess the effect of
changes in the business context or other variables on a business objective or strategy. For example, an
organization may choose to analyze the effect of a change in interest rates on the portfolio view. Alternatively,
the organization may seek to understand the impact of multiple variables occurring concurrently, such as
changing interest rates combined with a spike in commodity prices that affect the entity’s profitability. Finally, the
organization may choose to evaluate the impact of a large-scale event, such as an operational incident or third-
party failure. By analyzing the effect of hypothetical changes on the portfolio view, the organization identifies
potential new, emerging, or changing risks and evaluates the adequacy of existing risk responses.

Stress testing helps an organization understand how the shape or height of the risk curve may respond to
potential changes. For example:

• Validation of events that could become disruptive and cause the risk curve to exceed risk appetite (e.g.,
the magnitude of a potential funding gap that impacts the viability of the business, which would be
represented by the intersection of the risk curve with the risk appetite of the entity).

• The extent to which the risk curve may shift up or down in response to a change (e.g., confirming to what
extent changing economic health indicators such as unemployment levels and gross domestic product
represent a sufficient deterioration in the business context to cause the risk curve to shift up).

• Risk responses that can cause sections of the curve to become flatter (e.g., diversifying products, entering
into new financial hedging strategies, or purchasing additional insurance).

• The ease with which the organization can move along the curve, that is, the speed and agility of the
organization to make decisions and travel along the risk curve to a new desired intersection of risk and
performance (e.g., the ability and speed of adjusting production volumes in response to changes in sales).

These practices help to assess the adaptive capacity of the entity. They also invite management to challenge the
assumptions underpinning the selection of the entity’s strategy and assessment of the risk profile. As such,
analysis of the portfolio view can also form part of an organization’s evaluation in selecting a strategy or
establishing business objectives. Figure 8.11 illustrates a portfolio view of risk.

Figure 8.11: Risk Profile Showing Risk as a Portfolio View

Footnotes

fn 22 This Framework distinguishes between positive events and opportunities. Positive events are those instances where performance exceeds the original target. Opportunities are actions or potential actions that create or alter goals or approaches for creating, preserving, and realizing value.

fn 23 Additional measures, including persistence, velocity, and complexity, are discussed in Principle 14.

fn 24 The criteria may also be used as a consideration when assessing the severity of a risk as discussed in Principle 11.

fn 25 Control activities are discussed in Internal Control—Integrated Framework.

9. Review and Revision

Principles Relating to Review and Revision

Introduction
An entity’s strategy or business objectives and its enterprise risk management practices and capabilities may change over time as the entity adapts to a shifting business context. In addition, the business context in which the entity operates can itself change, so that current practices no longer apply or are no longer sufficient to support the achievement of current or updated business objectives. As necessary, the organization revises its practices or supplements its capabilities.

Principle 15: Assesses Substantial Change
The organization identifies and assesses changes that may substantially affect strategy and business objectives.

Integrating Reviews into Business Practices

Organizations typically anticipate many changes when setting strategy and business objectives and managing performance, but they also need to be aware of the potential for larger, substantial changes that may occur and have a more pronounced effect. Substantial change may lead to new or changed risks and may affect key assumptions underpinning strategy. Practices for identifying such changes should be built into business activities
and performed continually. Many management practices can identify substantial changes in the ordinary course
of running the business. For example, reviewing the plan for integrating a newly acquired joint business venture
may identify the need for future enhancements of information technology.

Substantial changes such as acquiring an entity or implementing a new system could potentially change the
entity’s portfolio view of risk or affect how enterprise risk management functions. In the case of an acquisition,
integrating the acquired company’s operations could affect the existing culture and risk ownership. Implementing
a new system could present new exposures related to information security, which could influence how data is
captured and managed.

Organizations consider how change can affect enterprise risk management and the achievement of strategy and
business objectives. This requires identifying internal and external environmental changes related to the
business context as well as changes in culture. Some examples of substantial change in both the internal and
external environment are highlighted below.

Internal Environment
• Rapid growth: When operations expand quickly, existing structures, business activities, information
systems, or resources may be affected. Information systems may not be able to effectively meet risk
information requirements because of the increased volume of transactions. Risk oversight roles and
responsibilities may need to be redefined in light of organizational and geographical changes due to an
acquisition. Resources may be strained to the point where existing risk responses and actions break down.
For instance, supervisors may not successfully adapt to higher activity levels that require adding
manufacturing shifts or increasing personnel.

• Innovation: Whenever innovation is introduced, risk responses and management actions will likely need to be modified. For instance, introducing sales capabilities through mobile devices may require access controls specific to that technology. Training may be needed for users. Innovative technology may also
enhance enterprise risk management. For example, a new system of using mobile devices that captures
previously unavailable sales information gives management the ability to monitor performance, forecast
potential sales, and make real-time inventory decisions.

• Substantial changes in leadership and personnel: A change in management may affect enterprise risk
management. A newcomer to management may not understand the entity’s culture and may have a
different philosophy, or may focus solely on performance to the exclusion of risk appetite or tolerance.

External Environment
• Changing regulatory or economic environment: Changes to regulations or in the economy can result in
increased competitive pressures, changes in operating requirements, and different risks. If a large-scale
failure in operations, reporting, and compliance occurs in one entity, regulators may introduce broad
regulations that affect all entities within an industry. For instance, if toxic material is released in a populated
or environmentally sensitive area, new industry-wide transportation restrictions may be introduced that
affect an entity’s shipping logistics. If a publicly traded company is seen to have poor transparency,
enhanced regulatory reporting requirements may be introduced for all public companies. The revelation of
patients being treated poorly in one care facility may prompt additional requirements for all care facilities.
And a more competitive environment may drive individuals to make decisions that are not aligned with the
entity’s risk appetite and increase the risk exposures to the entity. Each of these changes may require an
organization to closely examine the design and application of its enterprise risk management.

Identifying substantial changes, evaluating their effects, and responding to the changes are iterative processes
that can affect several components of enterprise risk management. It can be useful to conduct a "post mortem"
after a risk event to review how well the organization responded and to consider what lessons learned could be
applied to future events.

Principle 16: Reviews Risk and Performance
The organization reviews entity performance and considers risk.

Integrating Reviews into Business Practices


Much of the focus of enterprise risk management is on managing risk, either reducing the type and amount of risk to acceptable levels or appropriately pursuing new opportunities as they emerge.

Over time, an entity may not conduct its practices as efficiently as intended, thereby causing risk to manifest and
affect performance. From time to time, the organization may wish to consider its enterprise risk management
capabilities and practices. Observations may relate to incorrect assumptions, implemented practices, entity
capabilities, or cultural factors. Sometimes, however, performance is affected because of the inherent nature of
risk, which an organization cannot predict with complete accuracy. By reviewing performance, organizations
seek answers to questions such as:

• Has the entity performed as expected and achieved its target? The organization identifies variances
that have occurred and considers what may have contributed to them. This may involve using measures
relating to objectives or other key metrics. For example, consider an entity that has committed to opening
five new office locations every year to support its longer-term growth strategy to build a presence across
the country. The organization has determined that it could continue to achieve its strategy with only three
offices opening, and would be taking on more risk than desired if it opened seven or more offices. The
organization therefore monitors performance and determines whether the entity has opened the expected
number of offices, and how those new offices are performing. If the growth is below plan, the organization
may need to revisit the strategy.

• What risks are occurring that may be affecting performance? Reviewing performance confirms
whether risks were previously identified, or whether new, emerging risks have occurred. The organization
also reviews whether the actual risk levels are within the boundaries established for tolerance. For
example, reviewing performance helps confirm that the risk of delays due to additional permit requirements
for construction did occur and affected the number of new offices opened, and whether the number of
offices to be opened is still within the range of acceptable performance.

• Was the entity taking enough risk to attain its target? Where an entity has failed to meet its target, the
organization needs to determine if the failure is due to risks that are impacting the achievement of the
target or insufficient risk being taken to support the achievement of the target. Using the same example,
suppose the entity opens only three offices. In this case, management observes that the planning and
logistics teams are operating below capacity and that other resources set aside to support the opening of
new offices have remained unused. Insufficient risk was taken by the entity despite having allocated
resources.

• Was the estimate of the amount of risk accurate? When risk has not been assessed accurately, the
organization asks why. To answer that question, the organization must challenge the understanding of the
business context and the assumptions underpinning the initial assessment. It must also determine whether
new information has become available that would help refine the assessment. For example, suppose the
example entity opens five offices and observes that the estimated amount of risk was too low compared to
the types and amount of risk that have occurred (e.g., more problems, delays, and unexpected events than
initially assessed).

If an organization determines that performance does not fall within its acceptable variation, or that the target
performance results in a different risk profile than what was expected, it may need to:

• Review business objectives: An organization may choose to change or abandon a business objective if the
performance of the entity is not achieved within acceptable variation.

• Review strategy: Should the performance of the entity result in a substantial deviation from the expected
risk profile, the organization may choose to revise its strategy. In this case, it may choose to reconsider
alternative strategies that were previously evaluated, or identify new strategies.

• Review culture: An organization may wish to review its culture and determine whether it is embracing the
actions in a risk-aware manner. Is the organization comfortable taking enough risk to succeed, or is it
prone to taking too much risk and incurring adverse outcomes?

• Revise target performance: An organization may choose to revise the target performance level to reflect a
better understanding of the reasonableness of potential performance outcomes and the corresponding
severity of risks to the business objective.

• Reassess severity of risk results: An organization may re-do the risk assessment for relevant risks, and
results may alter based on changes in the business context, the availability of new data or information that
enables a more accurate assessment, or challenges to the assumptions underpinning the initial
assessment.

• Review how risks are prioritized: An organization may decide to either raise or lower the priority of
identified risks to support reallocating resources. The change reflects a revised assessment of the
prioritization criteria previously applied.

• Revise risk responses: An organization may consider altering or adding responses to bring risk in line with
the target performance and risk profile. For risks that are reduced in severity, an organization may redeploy
resources to other risks or business objectives. For risks that increase in severity, the organization may
bolster responses with additional processes, people, infrastructure, or other resources. As part of reviewing
risk responses, the organization may also consider monitoring activities developed and implemented as
part of internal control (fn 26).

• Revise risk appetite: Corrective actions are typically undertaken to maintain or restore the alignment of the
risk profile with the entity’s risk appetite, but can extend to revising it. However, this action requires review
and approval by the board or other risk oversight body.

The extent of any corrective actions must align with the magnitude of the deviation in performance, the
importance of the business objective, and the costs and benefits associated with altering risk responses.
Consider, for example, a small retailer that stocks a significant portion of its inventory from local producers. The
retailer monitors the financial results of its shop on a weekly basis and realizes locally produced goods are not
sufficiently profitable to meet its financial goals. It therefore decides to revise its business objective of sourcing
locally and begins to import less expensive goods to improve its financial performance. The retailer also
recognizes that this change may affect other risks, such as logistics, currency fluctuations, and time to market.

Where reviewing performance repeatedly identifies new risks that were not identified through the organization’s
risk identification practices, or where the actual risk is inconsistent with severity ratings, management determines
whether a review of enterprise risk management practices is warranted. A more detailed discussion on reviewing
the risk assessment practices can be found in Principle 17.

Considering Entity Capabilities


Part of reviewing performance is considering the organization’s capabilities and their effect on performance. If
performance targets are not being met, is it because there are insufficient capabilities? If targets are being
exceeded, is it because corrective action is required? The organization must answer these questions.

Corrective action may include reallocating resources, revising business objectives, or exploring alternative
strategies (see Example 9.1).

Example 9.1: Considering Entity Capabilities

For a local government, the economy is largely supported by tourism. City officials understand the minimum,
targeted, and maximum levels of tourism required to support their financial objectives. Specifically, they have
determined how much income can be generated through tourism based on metrics such as hotel reservations and
occupancy rates. They found that an occupancy rate of 50% (its target) provides the city with enough revenue to
support its annual operating budget and fund other programs. However, an occupancy rate greater than 85%
increases risks relating to the usage of the public transportation system, demands for peace officer presence, and
stresses on natural resources. The city tracks patterns in its tourism industry to make more risk-aware decisions
on the aggressiveness of its future marketing campaigns and actively managing risk influenced by tourism.

The entity’s capacity for resources also informs decisions for corrective actions. For business objectives that
affect the entity as a whole, the organization may choose to revise the objective instead of incurring the costs of
deploying additional risk responses. Whenever significant deviations from the tolerance occur, or where
performance represents a disruption to the achievement of the entity’s strategy, the organization may revise its
strategy.

Principle 17: Pursues Improvement in Enterprise Risk Management
The organization pursues improvement of enterprise risk management.

Pursuing Improvement
Even those entities with suitable enterprise risk management can become more efficient. By embedding
continual evaluations into business practices, organizations can systematically identify potential improvements to
their enterprise risk management practices. Separate evaluations may also be helpful (fn 27). Pursuing improved
enterprise risk management should occur throughout the entity (see Example 9.2).

Example 9.2: Continual Improvement

A government agency learns that it has stronger practices in place for establishing and implementing governance
capabilities and for instilling the desired culture. Conversely, the organization’s practices for establishing and
implementing information and communications capabilities present opportunities for improvement. While
management monitors improvement opportunities for all enterprise risk management components, it concentrates
on developing its information and communications practices.

Management pursues continual improvement throughout the entity (functions, operating units, divisions) to
improve the efficiency and usefulness of enterprise risk management at all levels. Opportunities to revisit and
improve efficiency and usefulness may occur in any of the following areas:

• New technology: New technology may offer an opportunity to improve efficiency. For example, an entity
that uses customer satisfaction data finds it voluminous to process. To improve efficiency it implements a
new data-mining technology that pinpoints key data points quickly and accurately.

• Historical shortcomings: Reviewing performance can identify historical shortcomings or the causes of past
failures, and that information can be used to improve enterprise risk management. For example,
management in an entity observes that there have been shortcomings noted over time related to risk
assessment. Although management compensates for these, the organization decides to improve its risk
assessment practices to reduce the number of shortcomings and enhance enterprise risk management.

• Organizational change: By pursuing continual improvement, an organization can identify the need for
organizational changes such as a change in the governance structure. For example, an enterprise risk
management function reports to the chief financial officer, but when the entity redevelops its strategy
group, it decides to realign the responsibility for enterprise risk management to that reorganized group.

• Risk appetite: Reviewing performance provides clarity on factors that affect the entity’s risk appetite. It also
gives management an opportunity to refine its risk appetite. For example, management may monitor the
performance of a new product over a year and assess the volatility of the market. If management
determines that the market is performing well and is less volatile than originally thought, the organization
can respond by increasing its risk appetite for similar future initiatives.

• Risk categories: An organization that continually pursues improvement can identify patterns as the business changes, which can lead the entity to revise its risk categories. For example, one entity’s risk categories do not include cyber risk, but now that the entity has decided to offer several on-line products
and services, it is revising the categories to include cyber risk so it can accurately map its strategy.

• Communications: Reviewing performance can identify outdated or poorly functioning communication processes. For example, in reviewing performance an organization discovers that emails are not
successfully communicating its initiatives. In response, the organization decides to highlight initiatives
through a blog and instant message feed to appeal to its changing workforce.

• Peer comparison: Reviewing industry peers can help an organization determine if it is operating outside of
industry performance boundaries. For example, a global package delivery provider discovered during a
peer review that its operations in Asia were performing significantly below its major competitor.
Consequently, it is planning to review and, if necessary, revise its strategy to increase its competitiveness
and, hence, its performance in Asia.

• Rate of change: Management considers the rate at which the business context evolves or changes. For
example, an entity in an industry where technology is quickly changing or where organizational change
happens often may have more frequent opportunities to improve the efficiency and usefulness of
enterprise risk management, but an entity operating in an industry with a slower rate of change in
technology will likely have fewer opportunities.

Footnotes

fn 26 Additional information on monitoring activities is discussed in Internal Control–Integrated Framework.

fn 27 Readers may also wish to review the discussion on monitoring activities in Internal Control–Integrated Framework.

10. Information, Communication, and Reporting
Principles Relating to Information, Communication, and Reporting

Introduction
Advances in technology and business have resulted in exponential growth in volume of, and attention on, data.
Organizations today are challenged by the enormous quantity of data and the speed at which it all must be
processed, organized, and stored. With so much data available, organizations may be feeling weighed down by
"information overload." In this environment, it is important that organizations provide the right information, in the
right form, at the right level of detail, to the right people, at the right time.

Organizations transform data into information about stakeholders, products, markets, and competitor actions.
Through their communication channels, they can provide timely, relevant information to targeted audiences.
Organizations can also structure data and information into consistent categories. In this way, they can identify
risks that could affect the entity’s strategy and business objectives.

Principle 18: Leverages Information and Technology
The organization leverages the entity’s information and technology systems to support enterprise risk
management.

Putting Relevant Information to Use


Organizations leverage relevant information when they apply enterprise risk management practices. "Relevant
information" is simply information that helps organizations be more agile in their decision-making, giving them a
competitive advantage. Organizations use information to anticipate situations that may get in the way of
achieving strategy and business objectives. Risk information is more than a repository of historical risk data. It
needs to support an understanding and development of a complete current and evolving risk profile.

Organizations consider what information is available to management, what information systems and technology
are in use for capturing that information (which may be more than is needed), and what the costs are of
obtaining that information. Management and other personnel can then identify how information supports the
enterprise risk management practices, which may include any of the following:

• For governance and culture-related practices, the organization may need information on the standards of
conduct and individual performance in relation to those standards. For instance, professional service firms
have specific standards of conduct to help maintain independent relationships with clients. Annual staff
training reinforces those standards, and management gathers information by testing the staff’s knowledge
to determine whether they understand what is expected of them.

• For strategy and objective-setting related practices, the organization may need information on stakeholder
expectations of risk appetite. Stakeholders such as investors and customers may express their
expectations through analyst calls, blog postings, contract terms and conditions, etc. All of these provide
relevant information on the types and amount of risk an entity may be willing to accept and strategy it
pursues.

• For performance-related practices, organizations may need information on their competitors to assess
changes in the amount of risk. For example, a large residential real estate company may assess the risk of
losing market share to smaller boutique firms. The information they need is their competitors’ commission
pricing models and on-line marketing plans. If their competitors’ commission rates are low and aggressive,
and their on-line presence is widespread, the large company may review its ability to achieve its sales
targets.

• For review and revision-related practices, organizations may need information on emerging trends in
enterprise risk management. Organizations can collect such information from attending enterprise risk
management conferences and following industry-specific blogs.
Today data is generated so fast that it is often a challenge for management to process and refine it into usable
information. Information systems can help entities meet this challenge. However, the focus should not be on
creating a new and separate information system or even separate streams for enterprise risk management. It is
usually more efficient for an organization to leverage its existing information systems to capture what it needs to
understand risk, to make risk-aware decisions, and to fulfill reporting requirements.

To be useful, information must be available to decision-makers when it is needed. It is also essential that the
information be of high quality. If the underlying data is inaccurate or incomplete, management may not be able to
make sound judgments, estimates, or decisions (fn 28). To maintain high-quality information, organizations
implement data management systems and establish information management policies with clear lines of
responsibility and accountability.

Evolving Information
Data transformed into information may come from both structured and unstructured sources. Structured data
generally refers to information that is highly organized and readily searchable (e.g., database files, public
indexes, or spreadsheets). In contrast, unstructured data does not follow a predefined data pattern, nor is it
organized (e.g., email messages, photos, videos, word processing documents). Several research studies have
estimated that today unstructured data outweighs structured data by more than 80%.

Data analytics have historically relied on pre-defined patterns when converting data to information. Now,
advances in cognitive computing, such as artificial intelligence (fn 29), data mining, and machine learning can
collect, convert, and analyze large volumes of unstructured data into information that helps organizations to
make better business decisions. These advances, combined with human analysis, allow management greater
insight. Example 10.1 illustrates the application of unstructured information.

Example 10.1: Using Unstructured Information in Decision-making

A consumer retailer uses artificial intelligence to attain better information on improving the customer experience. In
this way, management is able to gather insights about consumers through social media, such as purchasing
behavior, including historical patterns and preferences. The insights can be used to reduce the risk of over- or
understocking inventory, as they provide management with a better view of the right inventory levels. This
improved inventory management reduces operational and resource costs and enhances the customer experience.

In short, advances in data analytics can help organizations avoid "information overload" and use the huge
amount of data now available to their advantage. They may be able to detect correlations in business performance
that are not readily apparent with a more traditional approach to data analysis. Or they may be able to identify
likely trends in performance earlier. They may even be able to more thoroughly evaluate key assumptions
embedded into a strategy, which in turn provides added insight in decisions on alternative strategies, business
objectives, and setting of performance targets. Having more information pertinent to decision-making also
reduces reliance on individual experience and judgment in making those decisions.

Data Sources
Data that is transformed into information becomes knowledge (e.g., analysis of comments posted on social
media identifies potential risks to the entity’s brand). Therefore, data requirements should be based on
information requirements. Example 10.2 illustrates how a company determines that it requires data in order to
provide compliance information to an external stakeholder.

Example 10.2: Determining Information Requirements

A pharmaceutical company’s strategy is to expand its market share by developing a new drug targeted to a
specific population. To receive approval for its new product, the organization must provide the regulators with
information that meets specific compliance requirements, such as conclusions regarding the safety of the drug.
These conclusions rely on various data such as demographics of the testing population, number of side effects,
duration of studies, and type of application. Data is captured from internal patient feedback and through monitoring
social media conversations.

Data can be collected from a variety of sources and in a variety of forms. Figure 10.1 lists examples of structured
and unstructured data.

Figure 10.1: Internal Data Sources

Categorizing Risk Information
Organizations can classify the information they capture by using common risk categories (fn 30). These categories
may be organized by functional areas, such as internal audit, information management, or operational risk
management. They may also be based on the size, scale, and complexity of the entity.

Using a common set of categories helps organizations aggregate risk information to determine if there are any
potential impacts from concentrations of risk across the entity. Such a structure of categories also helps them
assess risks that could affect the entity’s strategy and business objectives. It also serves as the basis for
developing consistent enterprise risk responses and reporting.

Managing Data
Data must be well managed to provide the right information to support risk-aware decisions. That requires
capturing and preserving the quality of the data while allowing different technologies to exchange and use it.

Effective data management considers three key elements: data and information governance, processes and
controls, and architecture.

• Data and information governance help to deliver standardized, high-quality data to end users in a timely,
verifiable, and secure manner. They also help to standardize data architecture, authorize standards, assign
accountability, and maintain quality. As well, they define clear roles and responsibilities for data owners
and risk information owners.

• Processes and controls help an entity reinforce the reliability of data and allow for corrections to be made
as needed. For example, organizations may have a process to identify instances and patterns of both low-
and high-quality data, and whether that data is relevant to meeting requirements. Or they may be able to
identify data consistency, redundancy, availability, and accuracy. But managing data requires more than
using processes and controls to ensure its quality. It also involves preventing issues of quality from
occurring in the first place.

 Data management architecture refers to the fundamental design of the technology. It is composed of
models, policies, rules, or standards that dictate which data is collected and how it is stored, arranged,
integrated, and put to use in systems and in the organization. Organizations implement standards and
provide rules for structuring information so that the data can be reliably read, sorted, indexed, retrieved,
and shared with both internal and external stakeholders, ultimately protecting its long-term value.

Using Technology to Support Information

Technology is often associated with information systems. Yet, technology often involves more than processing
and reporting of data; it also can help the organization to carry out activities. Robotics used in manufacturing,
smart appliances that manage energy use in residential and commercial buildings, and wearable technology are
all examples of how technology can help an organization manage specific risks. Example 10.3 illustrates how
technology is helping to both manage the risk and capture information that aids in decision-making.

Example 10.3: Information Systems

A healthcare organization has been challenged to find ways to reduce the incidence of seniors missing doses of
prescription medicines. Missing prescribed dosages can reduce the benefits of the drugs and increase health risks
to the patient. In response, the company has distributed wearable technology to patients that identifies cases of
them missing a dose and tracks the general health of each patient. This information is reported to the healthcare
provider.

However, technology can also introduce new risks to an entity, which can be critical to achieving strategy and
business objectives. The decision on what technology to implement depends on many factors, including
organizational goals, marketplace needs, competitive requirements, and the associated costs and benefits. An
organization uses these factors to balance the benefits of obtaining and managing information against the costs
of selecting or developing supporting technologies.

Changing Requirements
Management leverages and designs its technology to meet a broad range of requirements, including those due
to internal and external changes. As entities respond to changes in the business context in which they operate
and adapt their strategy and business objectives, they must also review their technologies. For instance, shifting
customer expectations may require organizations to change their technology to allow for more timely information
gathering and more active reviewing of comments on social media.

Principle 19: Communicates Risk Information
The organization uses communication channels to support enterprise risk management.

Communicating with Stakeholders

Various channels are available to the organization for communicating risk data and information to internal and
external stakeholders. These channels enable organizations to provide relevant information for use in decision-
making.

Internally, management communicates the entity’s strategy and business objectives clearly throughout the
organization so that all personnel at all levels understand their individual roles. Specifically, communication
channels enable management to convey:

• The importance, relevance, and value of enterprise risk management.

• The characteristics, desired behaviors, and core values that define the culture of the entity.

• The strategy and business objectives of the entity.

• The risk appetite and tolerance.

• The overarching expectations of management and personnel in relation to enterprise risk and performance management.

• The expectations of the organization on any important matters relating to enterprise risk management, including instances of weakness, deterioration, or non-adherence.

Management also communicates information about the entity’s strategy and business objectives to shareholders
and other external parties. Enterprise risk management is a key topic in these communications so that external
stakeholders not only understand the performance against strategy but the actions consciously taken to achieve
it. External communication may include holding quarterly analyst meetings to discuss performance.

An entity with open communication channels can also be on the receiving end of information from external
stakeholders. For example, customers and suppliers can provide input on the design or quality of products or
services, enabling the organization to address evolving customer demands or preferences. Or inquiries from
environmental groups about sustainability approaches could provide an organization with insight into leading
approaches or identify potential risks to its reputation. This information may come through email
communications, public forums, blogs, hotlines, or other channels.

Communicating with the Board

Effective communication between the board of directors and management is critical for organizations to achieve
the strategy and business objectives and to seize opportunities within the business environment. Communicating
about risk starts by defining risk responsibilities clearly: who needs to know what and when they need to act.
Organizations should examine their governance structure to ensure that responsibilities are clearly allocated and
defined at the board and management levels and that the structure supports the desired risk dialogue. The
board’s responsibility is to provide oversight and ensure the appropriate measures are in place so that
management can identify, assess, prioritize, and respond to risk (see Example 10.4).

Example 10.4: Communicating with the Board

A company aiming to improve risk communication chose to revise its governance structure by elevating its chief
risk officer position to ensure risk was integrated into all discussions of business strategy. Risk issues are now
discussed by the full board. The company found that bringing risk out of a board committee and embedding
enterprise risk management responsibilities into the management team better integrated risk and strategy
discussions and increased clarity about risk.

To communicate effectively, the board of directors and management must have a shared understanding of risk
and its relationship to strategy and business objectives. In addition, directors need to develop a deep
understanding of the business, value drivers, cost drivers, and strategy and associated risks. Many board members use on-site visits as a communication channel to engage with management and personnel to understand operations and management.

Board and management continually discuss risk appetite. As part of its oversight role, the board ensures that
communications regarding risk appetite remain open. It may do this by holding formal quarterly board meetings,
and by calling extraordinary meetings to address specific events, such as cyber terrorism, CEO succession, or
mergers. The board and management can use the risk appetite statement as a touchstone, allowing them to
identify those risks that are on or off strategy, monitor the entity’s risk profile, and track the effectiveness of
enterprise risk management programs. Given the strong link to strategy, the risk appetite statement should be
reviewed as strategy and business objectives evolve.

Management provides any information that helps the board fulfill its oversight responsibilities concerning risk.
There is no single correct method for communicating with the board, but the following list offers some common
approaches:

• Address risks as determined by the entity’s strategy and business objectives.

• Capture and align information at a level that is consistent with directors’ risk oversight responsibilities and with the level of information determined necessary by the board.

• Ensure reports present the entity’s risk profile as aligned with its risk appetite statement, and link reported risk information to policies for exposure and tolerances.

• Capture instances where current performance levels are approaching the tolerance of acceptable variation in performance and the plans in place to manage performance.

• Provide a longitudinal perspective of risk exposures including historical data, explanations of trends, and forward-looking information explained in relation to current positions.

• Update at a frequency consistent with the pace of risk evolution and severity of risk.

• Use standardized templates to support consistent presentation and structure of risk information over time.

Management should not underplay the importance of qualitative open communications with the board. A
dynamic and constructive risk dialogue must exist between management and the board, including a willingness
to challenge any assumptions underlying the strategy and business objectives. Boards can foster an
environment in which management feels comfortable bringing risk information to the board even if they do not
yet have a defined response for that risk either planned or in place. Management may be uncomfortable
discussing emerging risks with the board at a time when the severity of these risks is often unclear. By being
open to conversations where there is not yet a final resolution, the board can encourage management to provide
more timely and insightful dialogue, rather than waiting for these risks to evolve within the entity.

Methods of Communicating
For information to be received as intended, it must be communicated clearly. To be sure communication
methods are working, organizations should periodically evaluate them. This can be done through existing
processes such as stating expectations for enterprise risk management in employee performance goals and
subsequent periodic performance evaluations.

Communication methods vary widely, from holding face-to-face meetings, to posting messages on the entity’s
intranet, to announcing a new product at an industry convention, to broadcasting to shareholders globally
through social media and newswires.

Communication methods can take the form of:

• Electronic messages (e.g., emails, social media, text messages, instant messaging).

• External/third-party materials (e.g., industry, trade, and professional journals, media reports, peer company websites, key internal and external indexes).

• Informal/verbal communications (e.g., one-on-one discussions, meetings).

• Public events (e.g., roadshows, town hall meetings, industry/technical conferences).

• Training and seminars (e.g., live or on-line training, webcast and other video forms, workshops).

• Written internal documents (e.g., briefing documents, dashboards, performance evaluations, presentations, questionnaires and surveys, policies and procedures, FAQs).

In addition to the list above, separate lines of communication are needed when normal channels are inoperative
or insufficient for communicating matters requiring heightened attention. Many organizations provide a means to
communicate anonymously to the board of directors or a board delegate—such as a whistle-blower hotline.
Many organizations also establish escalation protocols and policies to facilitate communication when there are
exceptions in standards of conduct or inappropriate behaviors occurring.

Principle 20: Reports on Risk, Culture, and Performance
The organization reports on risk, culture, and performance at multiple levels and across the entity.

Identifying Report Users and Their Roles

Reporting supports personnel at all levels to understand the relationships between risk, culture, and
performance and to improve decision-making in strategy- and objective-setting, governance, and day-to-day
operations. Reporting requirements depend on the needs of the report user. Report users may include:

• Management and the board of directors with responsibility for governance and oversight of the entity.

• Risk owners accountable for the effective management of identified risks.

• Assurance providers who seek insight into performance of the entity and effectiveness of risk responses.

• External stakeholders (regulators, rating agencies, community groups, and others).

• Other parties that require reporting of risk in order to fulfill their roles and responsibilities.

It is also important to understand the governance and operating structures of respective report users. Each
report user will require different levels of detail of risk and performance information in order to fulfill their
responsibilities in the entity. Reporting must also make clear the interrelationships between users, and the
related effect across the entity.

Risk information presented at different levels cascades down into the entity and flows up to support higher levels
of reporting. For example, reports to the board support decisions on risk appetite and company strategy. Reports
to senior management present a more granular level and support decisions on strategy-setting and budgeting,
as well as decisions at the divisional and/or functional level. The next layer of reporting is even more granular
and supports divisional and functional leaders in planning, budgeting, and day-to-day operations. This level of
reporting should align with senior management reporting and board reporting. At higher levels, risk reporting
encapsulates the portfolio view.

Risk reporting may be done by any team within the operating structure. Teams prepare reports, disclosing information in accordance with their risk management responsibilities. For example, teams may prepare risk information as part of financial and budgeting planning submissions to support requests for additional resources to maintain the risk profile or prevent it from deteriorating.

Reporting Attributes
Reporting combines quantitative and qualitative risk information, and the presentation can range from being
fairly simple to more complex depending on the size, type, and complexity of the entity. Risk information
supports management in decision-making, although management must still exercise judgment in the pursuit of
business objectives as well as the business context.

In reporting, history can relay meaningful, useful information, but an emphasis on being forward-looking is of
more benefit. Knowing the end-to-end processes taken to fulfill an entity’s mission and vision, as well as the
business environment in which the entity operates, can help management connect historical information to potential early-warning information. Early-warning analytics of key trends, emerging risks, and shifts in
performance may require both internal and external information.

Types of Reporting
Risk reporting may include any or all of the following:

• Portfolio view of risk outlines the severity of the risks at the entity level that may impact the achievement of strategy and business objectives. The reporting of the portfolio view highlights the greatest risks to the entity, interdependencies between specific risks, and opportunities. The portfolio view of risk is typically found in management and board reporting.

• Profile view of risk, similar to the portfolio view, outlines the severity of risks, but focuses on different levels within the entity. For example, the risk profile of a division or operating unit may feature in designated risk reporting for management or those areas of the entity.

• Analysis of root causes enables users to understand assumptions and changes underpinning the portfolio and profile views of risk.

• Sensitivity analysis measures the sensitivity of changes in key assumptions embedded in strategy and the potential effect on strategy and business objectives.

• Analysis of new, emerging, and changing risks provides the forward-looking view to anticipate changes to the risk inventory, effects on resource requirements and allocation, and the anticipated performance of the entity.

• Key performance indicators and measures outline the tolerance of the entity and potential risk to a strategy or business objective.

• Trend analysis demonstrates movements and changes in the portfolio view of risk, risk profile, and performance of the entity.

• Disclosure of incidents, breaches, and losses provides insight into effectiveness of risk responses.

• Tracking enterprise risk management plans and initiatives provides a summary of the plan and initiatives in establishing or maintaining enterprise risk management practices. Investment in resources, and the urgency by which initiatives are completed, may also reflect the commitment to enterprise risk management and culture by organizational leaders in responding to risks.

Risk reporting is supplemented by commentary and analysis by subject matter experts. For example,
compliance, legal, and technology experts often provide commentary and analysis on the severity of risk, effectiveness of risk responses, drivers for changes in trend analysis, and industry developments and
opportunities the entity may have.

Reporting Risk to the Board

At the board level, there is likely to be both formal reporting and informal information sharing. For example, the
board may have informal discussions about the possibility of strategy and implications of alternative strategies
while using risk profiles and other analyses to support the discussions.

Formal reporting plays a more integral role when the board exercises other responsibilities including considering
the risks to executing strategy, reviewing risk appetite, or overseeing enterprise risk management practices
deployed by management.

There are a number of ways management may report to a board, but it is critical that the focus of reporting be
the link between strategy, business objectives, risk, and performance. Reporting to the board is the highest level
of reporting and will include the portfolio view. Reporting to the board should foster discussions of the
performance of the entity in meeting its strategy and business objectives and impact of potential risk in meeting
those objectives.

Reporting on Culture
An entity’s culture is grounded in behavior and attitudes, and measuring it is often a very complex task.
Reporting on culture may be embodied in:

• Analytics of cultural trends.

• Benchmarking to other entities or standards.

• Compensation schemes and the potential influence on decision-making.

• "Lessons learned" analyses.

• Reviews of behavioural trends.

• Surveys of risk attitudes and risk awareness.

Key Indicators
Key indicators are used to predict a risk manifesting. They are usually quantitative, but can be qualitative. Key
indicators are reported to the levels of the entity that are in the best position to manage the onset of a risk where
necessary. They should be reported in tandem with key performance indicators to demonstrate the interrelationship between risk and performance. Key indicators support a proactive approach to performance
management (see Example 10.5).

Example 10.5: Using Key Indicators

A government agency wants to retain competent individuals. The business objective that supports retaining
competent individuals has as a target maintaining turnover rates at less than 5% per year. A key indicator would
be a percentage of personnel eligible to retire within five years. Anything higher than 5% indicates that risk to the
target is potentially manifesting. A key performance indicator is the actual turnover rate. Key performance
indicators are based on historical performance, and while understanding historical performance can establish
baselines, the rate trending upwards would not necessarily identify a risk manifesting.

Key indicators and key performance indicators can be reflected in a single measure. For example, in a
manufacturing company, production volumes and the thresholds around them can be viewed through a risk lens.
Production volumes above the target can be seen as potential risks to quality, and production volumes below the
target can suggest potential risk such as supplier delays, labor shortages, or equipment downtime.

Key indicators are reported along with corresponding targets and acceptable variations. Knowing where an entity
lies on the culture spectrum, whether risk averse or risk aggressive, will help determine the key indicators and
key performance indicators that are tracked as well as the acceptable variation in performance.

Reporting Frequency and Quality

Management works closely with those who will use reports to identify what information is required, how often
they need the reports, and their preferences in how reports are presented. Management is responsible for
implementing appropriate controls so that reporting is accurate, clear, and complete.

The frequency of reporting should be commensurate with the severity and priority of the risk. Reporting should
enable management to determine the types and amount of risk assumed by the organization, its ongoing
appropriateness, and the suitability of existing risk responses. For example, changes in stock prices, or
competitor pricing in the hospitality or airline industries, may be reported on daily, commensurate with the
potential changes in risk. In contrast, reporting on the risks emanating from an organization’s progress toward
long-term strategic projects and initiatives may be monthly or quarterly.

Footnotes

fn 28: Further discussion on information quality is available in Internal Control–Integrated Framework, specifically Principle 13.

fn 29: Artificial intelligence can be defined as the theory and development of computer systems that perform tasks that normally require human intelligence, such as speech recognition, decision-making, visual perception, and other factors.

fn 30: Some organizations refer to these common risk categories as a "risk taxonomy."

Glossary of Key Terms

• Business Context: The trends, events, relationships and other factors that may influence, clarify, or change an entity’s current and future strategy and business objectives.

• Business Objectives: Those measurable steps the organization takes to achieve its strategy.

• Core Values: The entity’s beliefs and ideals about what is good or bad, acceptable or unacceptable, which influence the behavior of the organization.

• Culture: The attitudes, behaviors, and understanding about risk, both positive and negative, that influence the decisions of management and personnel and reflect the mission, vision, and core values of the organization.

• Data: Raw facts that can be collected together to be analyzed, used, or referenced.

• Enterprise Risk Management: The culture, capabilities, and practices, integrated with strategy-setting and its performance, that organizations rely on to manage risk in creating, preserving, and realizing value.

• Entity: Any form of for-profit, not-for-profit, or governmental body. An entity may be publicly listed, privately owned, owned through a cooperative structure, or any other legal structure.

• External Environment: Anything outside of the entity that influences the ability to achieve strategy and business objectives.

• External Stakeholders: Any parties not directly engaged in the entity’s operations but who are affected by the entity, directly influence the entity’s business environment, or influence the entity’s reputation, brand, and trust.

• Event: An occurrence or set of occurrences.

• Framework: The five components consisting of (1) Governance and Culture; (2) Strategy and Objective-Setting; (3) Strategy and Objective Performance; (4) Review and Revision; and (5) Information, Communication, and Reporting.

• Impact: The result or effect of a risk. There may be a range of possible impacts associated with a risk. The impact of a risk may be positive or negative relative to the entity’s strategy or business objectives.

• Information: Processed, organized, and structured data concerning a particular fact or circumstance.

• Internal Control: A process, effected by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting, and compliance. (For more discussion, see Internal Control—Integrated Framework.)

• Internal Environment: Anything inside of the entity that influences the ability to achieve strategy and business objectives.

• Internal Stakeholders: Parties working within the entity such as employees, management, and the board.

• Likelihood: The possibility that a given event will occur.

• Mission: The entity’s core purpose, which establishes what it wants to accomplish and why it exists.

• Operating Structure: The way the entity organizes and carries out its day-to-day operations.

• Opportunity: An action or potential action that creates or alters goals or approaches for creating, preserving, and realizing value.

• Organization: The term used to collectively describe the board of directors, management, and other personnel of an entity.

• Organizational Sustainability: The ability of an entity to withstand the impact of large-scale events.

• Performance Management: The measurement of efforts to achieve or exceed the strategy and business objectives.

• Portfolio View: A composite view of risk the entity faces, which positions management and the board to consider the types, severity, and interdependencies of risks and how they may affect the entity’s performance relative to its strategy and business objectives.

• Practices: The methods and approaches deployed within an entity relating to managing risk.

• Reasonable Expectation: The amount of risk of achieving strategy and business objectives that is appropriate for an entity, recognizing that no one can predict risk with precision.

• Risk: The possibility that events will occur and affect the achievement of strategy and business objectives. NOTE: "Risks" (plural) refers to one or more potential events that may affect the achievement of objectives. "Risk" (singular) refers to all potential events collectively that may affect the achievement of objectives.

• Risk Appetite: The types and amount of risk, on a broad level, an organization is willing to accept in pursuit of value.

• Risk Capacity: The maximum amount of risk that an entity is able to absorb in the pursuit of strategy and business objectives.

• Risk Inventory: All risks that could impact an entity.

• Risk Profile: A composite view of the risk assumed at a particular level of the entity, or aspect of the business that positions management to consider the types, severity, and interdependencies of risks, and how they may affect performance relative to the strategy and business objectives.

• Severity: A measurement of considerations such as the likelihood and impact of events or the time it takes to recover from events.

• Stakeholders: Parties that have a genuine or vested interest in the entity.

• Strategy: The organization’s plan to achieve its mission and vision and apply its core values.

• Tolerance: The boundaries of acceptable variation in performance related to achieving business objectives.

• Uncertainty: The state of not knowing how or if potential events may manifest.

• Vision: The entity’s aspirations for its future state or what the organization aims to achieve over time.

Appendices

June 2017

COSO ERM 2017 - Appendices (Vol 2) ey.pdf

This project was commissioned by the Committee of Sponsoring Organizations of the Treadway Commission
(COSO), which is dedicated to providing thought leadership through the development of comprehensive
frameworks and guidance on internal control, enterprise risk management, and fraud deterrence designed to
improve organizational performance and oversight and to reduce the extent of fraud in organizations. COSO is a
private sector initiative, jointly sponsored and funded by:

• American Accounting Association

• American Institute of Certified Public Accountants

• Financial Executives International

• Institute of Management Accountants

• The Institute of Internal Auditors

Committee of Sponsoring Organizations of the Treadway Commission

Board Members
Robert B. Hirth Jr.

COSO Chair

Richard F. Chambers

The Institute of Internal Auditors

Mitchell A. Danaher

Financial Executives International

Charles E. Landes

American Institute of Certified Public Accountants

Douglas F. Prawitt

American Accounting Association

Sandra Richtermeyer

Institute of Management Accountants

PwC—Author
Principal Contributors
Miles E.A. Everson

Engagement Leader and Global and Asia, Pacific, and Americas (APA) Advisory Leader

New York, USA

Dennis L. Chesley

Project Lead Partner and Global and APA Risk and Regulatory Leader

Washington DC, USA

Frank J. Martens

Project Lead Director and Global Risk Framework and Methodology Leader

British Columbia, Canada

Matthew Bagin

Director

Washington DC, USA

Hélène Katz

Director

New York, USA

Katie T. Sylvis

Director

Washington DC, USA

Sallie Jo Perraglia

Manager

New York, USA

Kathleen Crader Zelnik

Manager

Washington DC, USA

Maria Grimshaw

Senior Associate

New York, USA

Acknowledgments
The COSO Board and PwC gratefully acknowledge the many individuals who gave their time and energy by
participating in and contributing to various aspects of the project. The COSO Board and PwC also recognize
the considerable efforts of the COSO organizations and their members who responded to surveys, participated
in workshops and meetings, and provided comments and feedback throughout the development of this
framework.

Advisory Council
Douglas J. Anderson

The Institute of Internal Auditors, Managing Director of CAE Solutions

Mark Beasley

North Carolina State University, Deloitte Professor of Enterprise Risk Management and Director, ERM Initiative

Margaret Boissoneau

United Technologies CorporationPMO Liaison

Anthony J. Carmello

Ernst & YoungPartner, Advisory Services

Suzanne Christensen

Invesco Ltd.Head of Enterprise Risk

James Davenport

Zurich Insurance CompanyGlobal Head of Risk and Control

James DeLoach

Protiviti Inc. Managing Director

Karen Hardy

US Department of Commerce Deputy Director for Risk Management

David J. Heller

Edison InternationalVP Enterprise Risk Management & General Auditor

Bailey Jordan

Grant Thornton LLP Partner, Advisory Services

Jane Karli

Athene USA, Director of Investment Operations

James Lam

James Lam & Associates, President

David Landsittel

Former COSO Chair

Lee Marks

First Data Corporation, Enterprise Risk Management

Deon Minnaar

KPMG LLP Americas, Americas Lead Partner for ERM/GRC

Jeff Pratt
Microsoft, General Manager, ERM

Henry Ristuccia

Deloitte & Touche LLP, Partner, Global Leader - GRC

Paul Sobel

Georgia-Pacific LLC, Vice President/Chief Audit Executive

Patrick Stroh

Mercury Business Advisors Inc., President

Paul Walker

St. John’s University, Tobin College of Business, James J. Schiro / Zurich Chair in Enterprise Risk Management

William Watts

Crowe Horwath LLP, Partner in Charge, Business Risk Services

Observers
Jennifer Bayuk

Citi, Managing Director, Representing International Systems Audit & Controls Association, ISACA

James Dalkin

Government Accountability Office, Director in the Financial Management and Assurance Team

Carol Fox

RIMS, the Risk Management Society, Director, Strategic and Enterprise Risk

Harrison Greene

Federal Deposit Insurance Corporation, Assistant Chief Accountant

Horst Kreisel

Institut der Wirtschaftsprüfer, Director of Project Management

Jeff Thompson

Institute of Management Accountants, President and CEO

Vincent Tophoff

International Federation of Accountants, Senior Technical Manager

Additional PwC Partners, Principals, and Staff


Julie Bogas

Partner USA

Lillian Borsa

Principal USA

Angela Calapa

Director USA

Juan Carlos Simon

Partner Mexico

Rick Crethar

Partner Australia

Symon Dawson

Partner UK

David Fisher

Principal USA

Tobias Flath

Senior Manager Germany

Peter Frank

Principal USA

Dimitriy Goloborodskiy

Partner USA

Rob Gormly

Principal USA

Carmen Le Grange

Partner South Africa

Christof Menzies

Partner Germany

Gonzalo Nunez
Partner Mexico

Jason Pett

Partner USA

Marcel Prinsenberg

Managing Director Netherlands

Jerri Ribeiro

Partner Brazil

Jonathan Riva

Partner Canada

Nicole Salimbeni

Partner Australia

David Sapin

Principal USA

Manuel Seiferth

Manager Germany

Dietmar Serbee

Principal USA

Laurie Schive

Director USA

Stephen Soske

Partner USA

Christina Stecker

Partner Germany

Olivier Sueur

Director Netherlands

Kuntal Sur

Partner India
Alywin Teh

Partner Singapore

Steven van Agt

Director Netherlands

Kosta Weber

Managing Director Netherlands

Andrew Wilson

Partner Australia

Stephen Zawoyski

Partner USA

Additional Contributors
PwC also wishes to thank Geoffrey Albutt, Catherine Jordan, Mark Tan, Armando Urunuela, and Karen Vitale for
their contributions to the development of the Framework.

A. Project Background and Approach for Revising the Framework

Project Background
In October 2014, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) announced
that it would be reviewing and updating the 2004 Enterprise Risk Management–Integrated Framework (original
Framework). The original Framework is widely accepted and used by management and boards to enhance an
organization’s ability to manage uncertainty and to consider how much risk to accept as they strive to increase
stakeholder value.

Since 2004, the complexity of risk has changed, significant new risks have emerged, and boards have enhanced
their awareness and oversight of risk management while asking for improved risk reporting. Updates to the
Framework reflect current and evolving concepts and applications so that organizations worldwide can attain
better value from enterprise risk management. Specifically, it now provides greater insight into strategy and the
role of enterprise risk management in the setting and execution of strategy, enhances the alignment between
organizational performance and enterprise risk management, and accommodates expectations for governance
and oversight.

PwC served as the author and project leader for updating the publication, preparing related documents, and reporting to the COSO Board of Directors. The PwC Project Team includes senior resource people, many of whom were involved in previous COSO projects and bring an in-depth understanding of the original Framework, and others who provide current market perspectives to this revision. To capture the views of a broad range of professionals in the marketplace, the COSO Board formed an Advisory Council representing industry, academia, government agencies, and not-for-profit organizations, and invited Observers to attend Advisory Council meetings.

Approach for Revising the Framework
The PwC Project Team carefully considered the merits of feedback and opinions received throughout the
project. They reviewed and embraced input that helped in the development of a relevant, logical, and internally
consistent document in all phases of the project. These phases include:

• Assess and Envision: Through literature reviews, global surveys, and public round tables and forums, this phase identified current challenges for organizations implementing enterprise risk management. The PwC Project Team analyzed information, reviewed various sources of input, and identified critical issues and concerns. COSO launched a global survey, available to the general public, for providing input on the original Framework, soliciting almost 900 responses.

• Build and Design: The PwC Project Team drafted Enterprise Risk Management–Aligning Risk with Strategy and Performance [fn 1], which was reviewed by the COSO Advisory Council and Observers as well as other key users to gather reactions and suggestions. The PwC Project Team conducted numerous one-on-one and group meetings to capture feedback on the alternative directions being considered in drafting the Framework. These meetings, conducted across North America, Europe, Asia, and Australia, included board members, chief risk officers, chief financial officers, chief audit executives, and other senior members of management.

• Public Exposure: With the assistance and oversight of the COSO Board, PwC prepared exposure drafts and an on-line questionnaire to facilitate a review by the general public. The PwC Project Team conducted a variety of meetings and presented at conferences to capture added input. Appendix B presents a summary of the public comments and the Project Team’s response.

• Finalization: The PwC Project Team reviewed and analyzed all comments received and refined the various documents with needed modifications. The COSO Board considered whether Enterprise Risk Management—Integrating with Strategy and Performance was sound, logical, and useful to management of entities of all types and sizes, and the PwC Project Team finalized the document for the COSO Board for acceptance.

Footnotes

fn 1: This working title was used throughout the public exposure phase, and then the document was retitled Enterprise Risk Management–Integrating with Strategy and Performance.

B. Summary of Public Comments

As noted in Appendix A, a draft of the Framework was issued for public comment from June 15 through
September 30, 2016. There was significant interest in the exposure draft, indicated by almost 10,000
downloads [fn 2] of the Framework across industries and from entities of all types. Much of the interest was
international: 46% of downloads occurred from outside North America.

There were forty-eight public comment letters received and more than 200 responses to the on-line survey to the
exposure draft. The public comment letters generated more than 1,600 comments and the on-line survey
resulted in over 400 free-form responses on many aspects of the updated document. All comments were
considered in further revisions to the Framework.

In addition to the feedback generated from COSO, the PwC Project Team solicited feedback from the public
through over forty meetings, conferences, and seminars during the public exposure period. In addition, they
developed a series of videos, articles on key topics (e.g., managing risk and performance to support strategy),
and social media posts, which generated over 2.8 million impressions and over 3,000 direct interactions from the
public.

This appendix summarizes the more significant comments and resulting modifications to the Framework arising
from the public exposure period. Many respondents supported COSO’s efforts to update the Framework to
emphasize the importance of considering risk in both strategic planning and overall performance, add five
components of enterprise risk management, and stress how integrating enterprise risk management into the
business can improve decision-making.

However, there were divergent views on certain updates to the Framework, including the definitions of risk and
enterprise risk management, the link to decision-making, the practicality of risk profiles, and the relationship of
internal control to enterprise risk management.

Some respondents sought fundamental changes to the Framework, whereas others recognized that the
Framework remains relevant and useful today for boards and management of entities regardless of type or size,
and requested that only specific areas be updated, as discussed in more detail below.

Structuring the Document: Components and Principles
Overall, respondents supported updating the original title of the Framework, Enterprise Risk Management–
Aligning Risk with Strategy and Performance. They acknowledged the benefits of a components and principles
structure to provide clarity to integrating enterprise risk management into strategic planning and day-to-day
decision-making. Some suggested the five components of the Framework could be better aligned with a
common business model of develop, implement, review, and revise. Further, some noted that the use of the
word "execution" in the Risk in Execution component did not translate well across geographies. A few
respondents expressed concern about the number of principles, saying twenty-three was not practical for
managing an entity, and suggested having fewer. Lastly, others suggested changes to align or reconcile the
Framework principles to other frameworks and standards.

Given the overall support of integrating enterprise risk management with strategy-setting through performance,
the title was revised to Enterprise Risk Management–Integrating with Strategy and Performance. The
Framework retains the five components but renames and reorders them to better align to a typical business
model: Governance and Culture; Strategy and Objective-Setting; Performance; Review and Revision; and
Information, Communication, and Reporting.

As for the principles, some have been consolidated. Specifically, two principles within the Governance and
Culture component were combined into one to focus on core values. As well, within the Strategy and Objective-Setting component, the principles Considers Risk while Establishing Business Objectives and Defines
Acceptable Variation in Performance were merged into one, Formulates Business Objectives, which focuses on
establishing objectives and using tolerance to understand how risk impacts the achievement of those objectives.
Lastly, within the Information, Communication, and Reporting component, the principles Use Relevant
Information and Leverages Information Systems were merged into one to focus on information and technology
supporting enterprise risk management practices.

Some respondents also expressed concern about the length of the document and complexity of the language.
Specifically, they requested greater use of plain language to make certain technical terms accessible to a wider
audience.

These concerns were addressed by consolidating principles as discussed above. Additionally, the Framework
was revised to reduce sentence length to improve readability. Specifically, the Flesch–Kincaid readability tool
was used to identify areas for improvement as well as to confirm the readability for similar standards and
frameworks. Given the complexity of certain topics, the overall Framework remains a comprehensive document
in length to sufficiently develop and clarify concepts.

Defining Enterprise Risk Management and Risk
Respondents provided various suggestions to amend the definitions of risk and enterprise risk management,
including aligning the definitions with other frameworks and standards. Suggestions for defining risk varied from
including impact only, separating risk into adverse events (threats) and opportunities, and focusing on
uncertainty.

Some respondents expressed preference for the 2004 definition of enterprise risk management, in particular the
use of risk appetite, roles and responsibilities, and a focus on processes, as opposed to practices. Others
preferred the exposure draft definition and requested incorporating decision-making into it. There were also
requests to condense the definition by removing "creating, preserving, realizing value" and providing a clear
separation between risk management and enterprise risk management.

After careful review and analysis of definitions from other standards and frameworks, it was decided the
exposure draft’s definitions would be kept. The COSO Board believes those definitions best reflect COSO’s
present view of risk and enterprise risk management and align with other COSO frameworks and thought
leadership.

Integrating Enterprise Risk Management and Impact on Decision-Making
A number of respondents expressed support for integrating enterprise risk management with core business
activities, as opposed to having a more process-based approach. Some viewed enterprise risk management as
more of a function (e.g., second line of defense), as opposed to a capability. As part of integrating enterprise risk
management, respondents requested an expanded discussion on decision-making throughout the Framework,
including the role of bias and risk appetite, and a stronger connection to culture.

Given the focus on capabilities and practices as opposed to a specific function, the Framework contains limited
discussion on the lines-of-defense model. Further discussion on roles and responsibilities is included in
Appendix C.

The Framework now includes a new chapter, "Integrating Enterprise Risk Management," which focuses on how
enterprise risk management is integrated with strategy-setting through performance, and the value of integration
for the entity, such as improved decision-making. The new chapter and each principle in the Framework
enhance the discussion of decision-making and the impact of management bias.

The Relationship of Enterprise Risk Management to Internal Control
There was diverse feedback on the relationship between enterprise risk management and internal control. Some
respondents requested clarification of the structural aspects of the two frameworks (e.g., where there is overlap)
and the conceptual linkages of these two topics. Some suggested COSO merge the two frameworks into one,
while others preferred two separate and distinct frameworks. Still others suggested including the entirety of the
internal control conversation in the Framework rather than referencing Internal Control–Integrated Framework.

The new Framework now clarifies the relationship between enterprise risk management and internal control and
identifies those instances where it relies on concepts established in Internal Control–Integrated Framework.
Since Internal Control–Integrated Framework is used as a regulatory standard, and to avoid inadvertently
expanding the scope of that framework for regulatory application, the COSO Board decided to maintain two
separate and distinct frameworks. Therefore, the COSO Board did not include components in this update that
are common to both frameworks (e.g., control activities) to avoid redundancy and to encourage users to become
familiar with both.

However, some concepts introduced in Internal Control–Integrated Framework, such as governance of enterprise risk management, are further developed in this Framework. These additions limited the ability to
shorten the document.

Discussion on Strategy
Respondents expressed overall support for the emphasis on strategy throughout the Framework. Some
requested clarity on the transition from strategy planning to implementation and when to revisit strategy. A few
held the view that objectives precede strategy, and others requested replacing strategy with strategic objectives.
There were varying opinions about including the setting of mission, vision, and core values within the scope of
enterprise risk management.

The Framework retains the current focus on the "possibility of strategy not aligning, implications from the
strategy chosen, and risks to performing the strategy" as these provide a more detailed analysis of the
importance of integrating enterprise risk management with strategy-setting. The Framework now clarifies how
enterprise risk management is applied across strategy and performance. It retains the link to mission, vision, and
core values as that provides the foundation of the acceptable type and amount of risk. Additionally, the
Framework retains the hierarchy relationship between strategy and business objectives, and the terminology of
strategy versus strategic objectives, as both are consistent with commonly used strategy and business
frameworks.

Role of Culture
Overall, there was positive support for the inclusion and prominence of culture in the exposure draft. Some
respondents suggested further expanding the discussion on the culture spectrum and emphasizing links to
performance management, conduct, and incentives. A few suggested that culture is not part of the definition of
enterprise risk management, while others suggested that entities do have a culture and risk is a part of it. Some
wanted a discussion on fraud risk as it relates to culture.

The Framework has been revised to consolidate Principles 4, 5, and 6 into the new Principle 4, Demonstrates
Commitment to Core Values. This principle emphasizes the relationship between enterprise risk management
and the core values established by the board and management for the entity. Additionally, the revised
Framework is enhanced with examples of how culture influences enterprise risk management practices and
decision-making, including the influence of management bias. It does not include discussions of fraud risk, as
this is addressed in Internal Control–Integrated Framework.

Risk Appetite and Tolerance
Several respondents took a risk-centric view to risk appetite, as opposed to an objective-centric view. Related
comments focused on setting boundaries for specific risks or groups of common risks (e.g., credit risk) and
reinforced a view of managing risk through discrete groups. Further, several respondents requested that the
discussion on risk appetite be revised to make it measurable for specific risks instead of focused on decision-making. Others requested a visual diagram, demonstrating the hierarchy of risk appetite and tolerance.

The Framework retains the use of risk appetite in the development of strategy and business objectives, and the
emphasis on how it is used in decision-making. A diagram has been added to clarify the relationship between
risk appetite, tolerance, and limits and triggers, and how those elements apply to strategy, objectives, and
specific risks.

Respondents also questioned the use of acceptable variation in performance in lieu of risk tolerance. In
particular, some strongly expressed a desire to revert to using risk tolerance from the 2004 Framework, while
others noted the use of acceptable variation in performance as an improvement.

The final Framework has revised the use of acceptable variation in performance to tolerance and enhanced the
discussion on how tolerance is tied to an entity’s objectives, taking an objective-centric view.

Risk Assessment and Risk Profiles
Some feedback targeted the technical risk assessment practices, including the use of risk profiles. Specifically,
several respondents requested a more detailed discussion of quantitative risk assessment methods (e.g.,
modeling, simulations, decision trees) and other practical tools. Some expressed concern about the value of
heat maps, arguing that they are typically risk-centric and do not accurately reflect the relationship of risk with
performance. Several noted the absence of discussion on the distribution of outcomes, while many questioned
the inclusion of inherent risk assessments.

The final Framework has revised Principle 11, Assess Severity of Risk, to focus more explicitly on the impact to
the achievement of business objectives and strategy. It also clarifies how heat maps can be used to depict risk in
the context of objectives. Additionally, a discussion on quantitative approaches to risk assessments was added.

Some respondents questioned the practical application of risk profiles, whereas others noted limiting the risk
profile to one graphic may be too prescriptive. Those supportive of the risk profiles noted that they provide an
effective explanation of the relationship between risk, performance targets, risk capacity, and risk appetite.

The final Framework retains the use of risk profiles as they provide management with a view of how risk impacts
performance and how risk appetite can be used for decisions. Enhancements have been made to clarify the risk
profile graphics across different types of business objectives, and how risk profiles can be used with both
qualitative and quantitative data.

Information and Technology
Some respondents requested a detailed discussion on information and technology; others questioned whether
data management and technology were within the scope of enterprise risk management. Several focused on
reporting information from a risk-centric perspective as opposed to a business viewpoint.

The Framework now has a revised Information, Communication, and Reporting component to reduce the focus
on information systems and put more emphasis on the greater role of data and evolving technology as part of
enterprise risk management. Specifically, information has been added on how an entity manages and analyzes
data, and the use of evolving technology to manage data more efficiently and effectively. The Framework also
now highlights objective-based reporting to support management in decision-making.

Guidance
Some respondents requested guidance on how a company could apply the concepts discussed in the
Framework. Specifically, they asked for more examples, including mini or full case studies, tools to assist in
evaluating enterprise risk management (e.g., maturity models), and general implementation guidance (e.g., risk
reports).

In response, the COSO Board and the PwC Project Team agreed to develop a separate document containing
examples on applying the Framework, Enterprise Risk Management–Integrating with Strategy and Performance:
Compendium of Examples. This document illustrates the application of all the principles in the Framework
across different industries, entity sizes, and types, and actual and expected company practices.

Footnotes

fn 2: Downloads from the COSO.org website.

C. Roles and Responsibilities for Enterprise Risk Management

In any entity, everyone shares responsibility for enterprise risk management. The leader of the entity (i.e., chief
executive officer or president) is ultimately responsible and should assume ownership for the achievement of the
entity’s strategy and business objectives. That person should also have a deep understanding of those factors
that may impede the achievement of strategy. It is up to other managers to "live and breathe" the behaviors that
align with the culture, oversee enterprise risk management, leverage information systems tools, and monitor
performance. Other personnel are responsible for understanding and aligning to the cultural norms and
behaviors, business objectives in their area, and related enterprise risk management practices. The board of
directors provides risk oversight to the achievement of strategy.

This appendix looks at approaches an organization can take for assigning roles and responsibilities for
enterprise risk management, and provides guidance on the roles and responsibilities of the board of directors,
chief executive officer, chief risk officer, management, and internal auditor. The information is presented in a
"lines of accountability model."

The lines of accountability model offers an organization a balanced approach to managing risk and seizing
opportunities, all while enabling risk-based decision-making that is free of bias. However, there is no one-size-
fits-all approach to using this model and no prescriptive details on the number of lines of accountability
necessary. Some industries offer specific guidance for implementing an accountability model, but organizations
must consider factors such as their size, strategy and business objectives, organizational culture, and external
stakeholders. Individual organizations may establish roles across any number of different lines of accountability
with specific regulatory guidance and oversight. Regardless of the number of lines of accountability, the roles,
responsibilities, and accountabilities are defined to allow for clear "ownership" of strategy and risk that fits within
the governance structure, and culture of the entity.

Board of Directors and Dedicated Committees
Different entities will establish different governance structures, such as a board of directors, a supervisory board,
trustees and/or general partners, and dedicated committees. In the Framework (Chapters 5 through 9), these
governance structures are referred to generally as "the board of directors."

The board of directors is responsible for providing risk oversight of enterprise risk management culture,
capabilities, and practices. Therefore, board members must be objective, capable, and inquisitive. They should
have technical knowledge and expertise that is relevant to the entity’s operations and environment, and they
must commit to the time necessary to fulfill their day-to-day risk oversight responsibilities and accountabilities. In
some jurisdictions, the board has legal responsibility for carrying out its oversight role. Figure C.1 lists typical
board oversight practices of enterprise risk management.

Figure C.1: Board Oversight Activities

The table lists, for each enterprise risk management component, the corresponding board risk oversight activities.

Governance and Culture

• Assesses the appropriateness of the entity’s strategy, alignment to the mission, vision, and core values, and the risk inherent in that strategy.

• Defines the board risk governance role and structure including sub-committees for the entity.

• Engages with management to define the suitability of enterprise risk management.

• Oversees evaluations of the entity’s culture and that management remediates any noted gaps.

• Promotes a risk-aware mindset that aligns the maturity of the entity with its culture.

• Oversees the alignment of business performance, risk taking, and incentives/compensation to balance short-term and long-term strategy achievement.

• Challenges the potential biases and organizational tendencies of management and fulfills its independent and unbiased oversight role.

• Understands the entity’s strategy, operating model, industry, and issues and challenges affecting the entity.

• Understands how risk is monitored by management.

Strategy and Objective-Setting

• Sets expectations for integrating enterprise risk management into the strategic management processes, including strategy planning, capital allocation, etc.

• Discusses and understands the risk appetite and considers whether it aligns with its expectations.

• Engages in discussion with management to understand the changes to business context that may impact the strategy and its linkage to new, emerging, or manifesting risks.

• Encourages management to think about the risks inherent in the strategy and underlying business assumptions.

• Requires management to demonstrate an understanding of the risk capacity of the entity to withstand large, unexpected events.

Performance

• Reviews the entity’s strategy and underlying assumptions against the portfolio view of risk.

• Sets expectations for risk reporting, including the risk metrics reported to the board relative to the risk appetite of the entity and external enterprise risk reporting disclosures.

• Understands how management identifies and communicates the most severe risks as depicted by the entity’s portfolio view.

• Reviews and understands the most significant risks, including emerging risks, and significant changes in the portfolio view of risk and specifically what responses and actions management is taking.

• Understands the plausible scenarios that could change the portfolio view.

Review and Revision

• Asks management about any risk manifesting in actual performance (both positive and negative).

• Asks management about the enterprise risk management processes and challenges management to demonstrate the suitability and functioning of those processes.

The board of directors may choose to manage its risk oversight responsibilities at the full board level or may
assign specific tasks to dedicated committees with a risk focus. Where a particular committee has not been
established for risk oversight, the responsibilities are carried out by the board itself.

Board-level committees can include the following:

• Audit committee: Establishes the importance of risk oversight. Regulatory and professional standard-setting bodies often require the use of an audit committee, sometimes named the audit and risk committee. The role and scope of authority of an audit committee can vary depending on the entity’s regulatory jurisdiction, industry norm, or other variables. While management is responsible for ensuring financial statements are reliable, an effective audit committee plays a critical risk oversight role. The board of directors, often through its audit committee, has the authority and responsibility to question senior management on how it is carrying out its enterprise risk management responsibilities.

• Risk committee: Establishes the direct oversight of enterprise risk management. The focus of the risk committee is entity-wide risk in non-financial areas that go beyond the authority of the audit committee and its available resources (e.g., operational, obligations, credit, market, technology).

• Compensation committee: Establishes and oversees the compensation arrangements for the chief executive officer and other executives, as appropriate, to motivate without providing incentives for undue risk taking. It also oversees that management balances performance measures, incentives, and rewards with the pressures created by the entity’s strategy and business objectives, and helps structure compensation models without unduly emphasizing short-term results over long-term performance.

Internal Use Only


Exported on 23/02/2022 10:29 pm © All rights are reserved. Page 1204
• Nomination/governance committee: Provides input to and oversight of the selection of candidates for
directors and management. It regularly assesses and nominates members of the board of directors; makes
recommendations regarding the board’s composition, operations, and performance; oversees the
succession-planning process for the chief executive officer and other key executives; and develops
oversight processes and structures. It also promotes director orientation and training, and evaluates
oversight processes and structures (e.g., board/committee evaluations).

Management and the Three Lines of Accountability
Management is responsible for all aspects of an entity, including enterprise risk management. Responsibilities
assigned to the various levels of management are outlined here.

Chief Executive Officer
The chief executive officer (CEO) is accountable to the board of directors and is responsible for overall
enterprise risk management culture, capabilities, and practices required to achieve the entity’s strategy and
business objectives. (In privately owned and not-for-profit entities, this position may have a different title, but
generally the responsibilities are the same.) More than any other individual, the CEO sets the tone at the top
along with the explicit and implicit values, behaviors, and norms that define the culture of the entity.

The CEO’s responsibilities relating to enterprise risk management include:

• Providing leadership and direction to senior members of management, and shaping the entity’s core
values, standards, expectations of competence, organizational structure, and accountability.

• Evaluating alternative strategies, choosing a strategy, and setting business objectives that consider
supporting assumptions relating to business context, resources, and capabilities within the risk appetite of
the entity.

• Maintaining oversight of the risks facing the entity (e.g., directing all management and other personnel to
proactively identify, assess, prioritize, respond to, and report risks that may impede the ability to achieve
the strategy and business objectives).

• Guiding the development and performance of the enterprise risk management process across the entity,
and delegating to various levels of management at different levels of the entity.

• Communicating expectations (e.g., integrity, competence, key policies) and information requirements (e.g.,
the type of planning and reporting systems the entity will use).

Chief Risk Officer
One of the more prominent roles in enterprise risk management is that of chief risk officer (CRO). This position is
tasked with overseeing enterprise risk management as a second line of accountability. This role should normally
have reasonably direct access to the CEO, or the authority to have access for specific issues or types of risk. An
alternative to having a chief risk officer is to assign the underlying responsibilities to another member of
management, typically in the second line of accountability.

Organizations develop the CRO role and responsibilities in a way that best meets their needs for effective
enterprise risk management. Some entities choose to align the role of chief risk officer with the chief strategy
officer so that strategy and risk are managed together under the CEO. Other entities delegate responsibility for
enterprise risk management to first-line functions, including operating unit and functional unit leaders, leaving
second-line responsibility to the CRO. These entities often align staff within divisions, operating units, and
functions with the CRO to support enterprise risk management efforts across the entity.

The CRO is typically responsible for:

• Assisting the board of directors and management in fulfilling their respective risk oversight responsibilities.

• Establishing ongoing enterprise risk management practices suitable for the entity’s needs.

• Building and maintaining relationships with those responsible for managing risks throughout the entity.

• Overseeing enterprise risk management ownership within the respective lines of accountability.

• Reviewing the operation of enterprise risk management in each operating unit.

• Communicating with management through a forum, such as the enterprise risk management committee,
about the status of enterprise risk management, which includes discussing severe risks and emerging
risks.

• Promoting enterprise risk management to the CEO and operating unit leaders and assisting in integrating
practices into their business plans and reporting.

• Evolving organizational capabilities in line with the maturity and suitability of enterprise risk management.

• Escalating identified or emerging risk exposures to executive management and the board.

Management
Management comprises the CEO and senior members leading the key operating units and business-enabling
functions. Each of these management roles may have different responsibilities and accountabilities within the
lines of accountability model, depending on the entity. For example, a chief technology officer may play a

second-line role in a financial services company, but in a technology company that same position would play a
first-line role. Some smaller entities may combine roles, with one person having responsibilities for one or more.
Examples of management for a larger public or private entity, a smaller business entity, and a government entity
are noted in Figure C.2.

Figure C.2: Management Roles within Different Entities

Large Public/Private Entity
• Chief executive officer and president
• Chief administrative officer
• Chief audit executive
• Chief compliance officer
• Chief data officer
• Chief financial officer
• Chief human resources officer
• Chief information officer
• Chief innovation officer
• Chief legal officer/general counsel
• Chief marketing officer
• Chief operating officer
• Chief risk officer
• Chief strategy officer

Small Business Entity
• President
• Chief financial officer/vice president (VP) of finance/finance director/head of finance/controller
• Chief operating officer
• Director of risk management/head of risk management
• General manager/VP of operations
• Human resources manager/director
• IT manager
• Marketing manager

Governmental Entity
• Secretary
• Assistant secretary/deputy director/undersecretary
• Chief financial officer
• Chief information officer
• Chief of human resources
• Chief of staff
• Deputy assistant secretary/directorate
• Director of risk management/head of risk management
• General counsel
• Inspector general

In some entities, the CEO establishes an enterprise risk management committee of senior members of
management including functional managers, such as the chief financial officer, chief audit executive, chief
information officer, and others. Examples of the functions and responsibilities of such a committee include:

• Assuming overall responsibility for enterprise risk management, including the processes used to identify,
assess, prioritize, respond to, and report on risk.

• Communicating the enterprise risk management process to the CEO and the board.

• Considering and discussing emerging risks.

• Defining roles, responsibilities, and accountabilities at the different levels of management.

• Providing policies, methodologies, and tools to operating units to identify, assess, and manage risks.

• Reviewing the entity’s risk profile.

• Reviewing acceptable variation in performance and taking action where appropriate.

Management also guides the development and implementation of enterprise risk management practices within
their respective functional or operating unit and verifies that these practices are applied consistently.

Depending on how many layers of management exist within an entity, subunit managers or lower-level
supervisory personnel are directly involved in executing policies and procedures at a detailed level. It is their
responsibility to carry out the enterprise risk management process that senior management has designed and
implemented. Each manager is accountable to the next higher level for his or her portion of enterprise risk
management, with the CEO being ultimately accountable to the board of directors, and the board being
accountable to external stakeholders such as shareholders or other owners of the entity.

First Line: Core Business


Management is responsible for identifying and managing the performance and risks resulting from practices and
systems for which it is accountable. The first line is also responsible for the risks inherent to the strategy and
business objectives. As the principal owners of risk, management sets business objectives, establishes
acceptable variation in performance, trains personnel, and reinforces risk responses. In short, the first line
implements and carries out the day-to-day tasks to manage performance and risks taken to achieve strategy and
business objectives.

Second Line: Support Functions


Support functions (also referred to as business-enabling functions) include management and personnel
responsible for overseeing performance and enterprise risk management. They provide guidance on
performance and enterprise risk management requirements, and evaluate adherence to defined standards. Each
of these functions has some degree of independence from the first line of accountability, and they challenge the
first line to manage performance and take prudent risks to achieve strategy and business objectives. In some
entities, independent teams without separate and distinct reporting lines may provide some degree of challenge.
These organizational functions or operating units support the entity through specialized skills, such as technical
risk management expertise, finance, product/service quality management, technology, compliance, legal, human

resources, and others. As management functions they may intervene directly in modifying and supporting the
first line in appropriate risk response.

Second-line responsibilities often include:

• Supporting management policies, defining roles and responsibilities, and setting targets for
implementation.

• Providing enterprise risk management guidance.

• Supporting management to identify trends and emerging risks.

• Assisting management in developing processes and risk responses to manage risks and issues.

• Providing guidance and training on enterprise risk management processes.

• Monitoring the adequacy and effectiveness of risk responses, accuracy, and completeness of reporting,
and timely remediation of deficiencies.

• Escalating identified or emerging risk exposures to management and the board for awareness and
potential action.

There are various methods of achieving objectivity across these two lines of accountability. For example, one
company may have enterprise risk management teams embedded in the first line but with a separate second-
line risk function. Another company may spread its risk management teams across the two lines depending on
the complexity and nature of the business. These and other approaches can work as long as unbiased oversight
is not constrained.

Third Line: Assurance Functions


Assurance functions, most commonly internal audit, often provide the last line of accountability by performing
audits or reviews of enterprise risk management practices, identifying issues and improvement opportunities,
making recommendations, and keeping the board and executive management up-to-date on matters requiring
resolution. Two factors distinguish the last line of accountability from the others: the high level of independence
and objectivity (enabled by direct reporting to the board), and the authority to evaluate and make
recommendations to management on the design and operating effectiveness of the entity overall.

External Auditors
External auditors provide management and the board of directors with a unique, independent, and objective view
that can contribute to an entity’s achievement of its strategy and business objectives.

In an external audit, the auditor expresses an opinion on the fairness of the financial statements in conformity
with applicable accounting standards, thereby contributing to the entity’s external financial reporting objectives.
The auditor conducting a financial statement audit may contribute further to those objectives by providing
information useful to management in carrying out its enterprise risk management responsibilities. Such
information includes:

• Audit findings, analytical information, and recommendations for actions necessary to achieve established
business objectives.

• Findings regarding deficiencies in enterprise risk management and internal control that come to the
auditor’s attention, and recommendations for improvement.

This information frequently relates not only to reporting but to strategy, operations, and compliance practices as
well, and can be important to an entity’s achievement of its business objectives. The information is reported to
management and, depending on its significance, to the board of directors or audit committee.

It is important to recognize that a financial statement audit, by itself, normally does not include a significant focus
on enterprise risk management. Nor does it result in the auditor forming an opinion on the entity’s enterprise risk
management. Where, however, law or regulation requires the auditor to evaluate a company’s assertions related
to internal control over financial reporting and the supporting basis for those assertions, the scope of the work
directed at those areas will be extensive, and additional information and assurance will be gained.

D. Risk Profile Illustrations

Introduction to Risk Profiles


A risk profile provides the composite view of risks related to a specific strategy or business objective at a
particular level of the entity (e.g., overall entity level, business unit level, functional level) or aspect of the
business model (e.g., product, service, geography). These risk profiles bring together several important
considerations in enterprise risk management, namely performance targets, the assessment of the overall
amount of risk for varying levels of performance, risk appetite, and tolerance. Risk profiles are used to help
organizations evaluate alternative strategies and support the process of identifying and assessing risks.

This relationship between risk and performance is rarely constant. Changes in performance do not always result
in corresponding changes in risk, and therefore a single-point illustration used in many typical enterprise risk
management approaches is not always helpful. A more complete illustration shows the aggregate amount of risk

associated with different levels of performance, where risk is shown as a continuum of potential outcomes. The
organization balances the amount of risk with desired performance along this continuum.

This appendix offers examples of how risk profiles may be developed and applied to support the organization in
applying the principles of the Framework.

Developing Risk Profiles


When developing a risk profile, the organization must understand the:

• Strategy or relevant business objective.

• Performance target and acceptable variances in performance.

• Risk capacity and appetite for the entity.

• Severity of the risk to the achievement of the strategy and business objective.

The risk profile, as depicted in this appendix, enables the organization to evaluate:

• The relationship between risk and performance, noting that the amount of risk for a given strategy or
business objective is typically not static and will change for different levels of performance.

• Assumptions underlying the risk assessment for a given strategy or business objective.

• The level of confidence with which the assessment has been performed and the potential for unknown
risks.

• Where corrective actions may be required in setting strategy, business objectives, performance targets, or
risk responses.

Figure D.1: Risk Profile

To develop a risk profile, the organization determines the relationship between the level of performance for a
strategy or business objective and the expected amount of risk. On a risk graph, performance is plotted along
the x-axis and risk along the y-axis (Figure D.1). The resulting line is often referred to as a "risk curve" or "risk
profile."

Each data point is plotted by considering the perceived amount of risk that corresponds to the achievement of a
business objective or strategy. As performance changes, the organization identifies how the amount of risk may
change. Risk may change due to the changes in execution and business context.

Both quantitative and qualitative approaches can be used to plot points. If the organization has sufficient data on
a strategy or business objective, it may use a quantitative approach, such as probabilistic modeling or regression
analysis. Where data is not available or where business objectives are less important, the organization may
prefer to use a qualitative approach, such as performing interviews, facilitating workshops, or benchmarking.
Example D.1 describes how one entity plotted its risk profile.

Example D.1: Developing a Risk Profile

A university has a strategy of becoming the institution of choice for graduate students in the region. To support the
strategy, it has decided on a business objective of developing a new curriculum to meet emerging needs. The
university has identified the following five risks for this business objective:

• Failing to build sufficient interest and awareness of the courses to generate growth in student applications,
which could impact the university’s reputation.

• Generating actual or perceived conflict of interest between academic freedom and the new curriculum.

• Failing to attract and retain additional faculty required to teach and administer new classes.

• Failing to secure additional government funding to administer the new curriculum.

• Incurring unbudgeted costs in support of the new curriculum.

In addition, the university has identified that this new objective creates potential risk to other objectives, such as
the possibility of marginal students affecting the university’s brand.

The university measures performance based on the number of student enrollments. It assesses how the
severity of the risks to the achievement of the business objective changes at various levels of student
enrollment. That is, the distance between a point and the x-axis represents the impact of the five risks
identified, as depicted in the accompanying risk profile figure. For each level of student enrollment, the
university considers the following:

• How might some risks escalate across varying levels of performance? For instance, the risk of
attracting faculty may increase at higher levels of enrollment as more instructors may be required.

• How might risks change in severity and what supporting assumptions may change at varying
levels of performance? For instance, assumptions of government funding may be contingent on
achieving set levels of enrollment.

• Are there new or emerging risks with each incremental increase in student enrollment? For
instance, does enrollment above a certain level create a new risk relating to the physical space
required to accommodate students?

• Are there some risks that no longer apply at certain levels of performance? For instance, do the
concerns about failing to generate sufficient interest and awareness of the university’s courses
become increasingly irrelevant above a certain level of enrollment?

In preparing this profile, the university uses a combination of quantitative and qualitative approaches. Quantitative
approaches include data modeling (reviewing historical student enrollments and correlation with the launch of new
programs, the average number of operational incidents, revenues and losses per student). Qualitative approaches
include reviewing campus health and safety requirements, forecasting revenue and government grants, and
conducting interviews and workshops with key stakeholders. The risk profile shown below illustrates that:

• There is a high amount of risk assumed if only 100 new students enroll because of the new curriculum (risk
of underperformance).

• Risk reaches its lowest point at 600 enrollments, which may not represent the optimal number of students
from a performance perspective.

• Any enrollments in excess of 600 represent an incremental increase in risk. The university has established
that it can accept a maximum of 1,100 new students.

Having determined how the amount of risk can change, and understanding the drivers and assumptions that
support change, the organization can determine its desired performance target. To set that target, the
organization evaluates the business objective in the context of the entity’s risk appetite, resources, and
capabilities. In the case described above, the university ultimately decides that it will set a performance target
of seeking to attract 700 new students. The risk profile in the accompanying figure illustrates this target and the
amount of risk the university is willing to assume in the pursuit of the objective.

Risk, Strategy, and Objective-Setting


Incorporating Risk Appetite
Using a risk profile, the organization can outline its risk appetite in relation to a proposed strategy or business
objective. In Figure D.2, the risk appetite is plotted as a horizontal line parallel to the x-axis (performance). The
gradient of the line indicates that the risk appetite remains constant for all levels of performance at a given point
in time. The y-axis (risk) uses the same metric or expression of risk appetite as is referred to in an entity’s risk
appetite statement. For example, the y-axis may be earnings at risk, value at risk, or other metric.
Figure D.2: Risk Profile with Risk Appetite

The section of the curve from the point of intersection (Point A) where it continues above the risk appetite line
indicates a level of performance that exceeds the entity’s appetite and where risk becomes disruptive to the
entity.

Organizations may also want to incorporate an additional parallel line above risk appetite to indicate risk
capacity, shown in Figure D.3.
Figure D.3: Risk Profile with Risk Capacity

Using Risk Profiles to Consider Alternative Strategies

Organizations can develop profiles of potential risks as part of considering alternative strategies. For each
strategy, an organization may prepare a risk profile that reflects the expected types and amount of risks. These
risk profiles support the strategy selection process by highlighting differences in the expected risk for different
strategies.

Figure D.4 illustrates how profiles can be compared. Alternative A shows a flatter curve, indicating that the entity
faces less incremental risk as performance increases. That is, the intersection of the risk curve and risk appetite
is farther to the right, indicating greater opportunity for performance before the entity exceeds appetite.
Established entities operating in mature, stable markets or with stakeholders who expect lower risk profiles may
seek strategies that resemble Alternative A.

Conversely, risk-taking entities such as start-ups or venture capitalists may explore strategies that are more
typical of Alternative B. In this case, an entity would seek more aggressive performance in return for assuming
greater risk.
Figure D.4: Risk Profiles of Alternative Strategies

Quantitative and qualitative techniques are used to develop the profile of potential risks and may be the same
tools that are then used to support risk identification and assessment processes. This includes quantitative
analysis and modeling where there is sufficient data. Where data is not available, more qualitative techniques
may be employed.

Considering Risk in Establishing Business Objectives and Setting Performance Targets
Once an organization selects a strategy, it carries out a similar analysis to establish business objectives.
Organizations that are faced with alternative objectives seek to understand the shape and height of a curve for a
potential business objective.

First, the organization sets a performance target for its business objectives. The performance target is
determined in relation to the risk appetite and selected strategy. On a risk profile, the target demonstrates the
desired performance and corresponding amount of risk (see Figure D.5).
Figure D.5: Risk Profile with Performance Targets

Further, it illustrates the distance between the accepted amount of risk and risk appetite. The more aggressive
the entity, the less will be the distance between the intersection of the performance target and the risk curve
(Point A), and the intersection of performance target and risk appetite (Point B).

Using Risk Profiles to Demonstrate Acceptable Variation in Performance
The organization next determines the acceptable variation in performance on both sides of the target. This is
illustrated in the figures by the dotted lines that run parallel to the performance target. The trailing and exceeding
variances are set to reflect the risk appetite of the entity. There is no requirement that they be equidistant from
the performance target. The closer the variances are set to the performance target, the less appetite for risk.
However, by setting variations close to performance, management considers the trade-offs in the additional
resources required to manage variability.
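The risk profile mechanics described in this appendix (the risk curve of Figure D.1, the appetite and capacity lines of Figures D.2 and D.3, the disruption Point A, the Point A/Point B headroom of Figure D.5, the acceptable-variation band, and the flatter-versus-steeper comparison of Figure D.4) can be reduced to a few arithmetic checks. The following Python block is an added worked example, not part of the COSO text and not a COSO tool. The curve points, appetite and capacity values are constructed for illustration; only the enrollment levels (lowest risk at 600, maximum of 1,100, target of 700) echo Example D.1, and the two alternative strategies are invented to show the Figure D.4 comparison.

```python
# Added example (not part of the COSO text): a small model of the risk profile
# described in Appendix D. Performance is the x-axis, risk the y-axis, and the
# risk appetite and risk capacity are horizontal lines (Figures D.2 and D.3).
# All numbers are constructed; only 600, 700 and 1,100 echo Example D.1.
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional, Sequence, Tuple

Point = Tuple[float, float]  # (performance, amount of risk)


@dataclass(frozen=True)
class RiskProfile:
    name: str
    points: Sequence[Point]  # risk curve, sorted by performance
    appetite: float          # risk appetite line (same metric as the y-axis)
    capacity: float          # risk capacity line, drawn above appetite

    def risk_at(self, performance: float) -> float:
        """Piecewise-linear interpolation of the plotted risk curve."""
        pts = self.points
        if not pts[0][0] <= performance <= pts[-1][0]:
            raise ValueError("performance lies outside the plotted range")
        for (x0, y0), (x1, y1) in zip(pts, pts[1:]):
            if x0 <= performance <= x1:
                if x1 == x0:
                    return max(y0, y1)
                t = (performance - x0) / (x1 - x0)
                return y0 + t * (y1 - y0)
        raise AssertionError("unreachable: range already checked")

    def lowest_risk_performance(self) -> float:
        """Performance level at the bottom of the curve (600 in Example D.1)."""
        return min(self.points, key=lambda p: p[1])[0]

    def disruption_point(self) -> Optional[float]:
        """Point A of Figure D.2: where the rising side of the curve crosses
        the appetite line. None if the curve never exceeds appetite."""
        x_min = self.lowest_risk_performance()
        for (x0, y0), (x1, y1) in zip(self.points, self.points[1:]):
            if x1 <= x_min:
                continue  # still on the falling side of the curve
            if y0 <= self.appetite < y1:
                t = (self.appetite - y0) / (y1 - y0)
                return x0 + t * (x1 - x0)
        return None

    def evaluate_target(self, target: float, lower: float, upper: float) -> dict:
        """Check a performance target and its acceptable-variation band
        [lower, upper] (Figure D.5) against appetite and capacity."""
        risk_at_target = self.risk_at(target)
        # On a piecewise-linear curve the band's maximum lies at a band edge
        # or at a curve breakpoint inside the band, so those points suffice.
        xs = [lower, upper] + [x for x, _ in self.points if lower < x < upper]
        band_max = max(self.risk_at(x) for x in xs)
        return {
            "risk_at_target": risk_at_target,
            # distance between Point A and Point B in Figure D.5; the smaller
            # it is, the more aggressive the target
            "headroom_to_appetite": self.appetite - risk_at_target,
            "within_appetite": risk_at_target <= self.appetite,
            "within_capacity": risk_at_target <= self.capacity,
            "variation_within_appetite": band_max <= self.appetite,
        }


def less_incremental_risk(a: RiskProfile, b: RiskProfile) -> str:
    """Figure D.4 comparison: the profile whose disruption point lies farther
    to the right offers more performance before appetite is exceeded."""
    def key(p: RiskProfile) -> float:
        d = p.disruption_point()
        return float("inf") if d is None else d
    return a.name if key(a) >= key(b) else b.name


# Constructed curve for the university in Example D.1 (risk in arbitrary units).
UNIVERSITY = RiskProfile(
    name="new curriculum",
    points=[(100, 90), (300, 55), (600, 30), (800, 42), (1100, 60), (1300, 120)],
    appetite=60,
    capacity=90,
)

# Constructed alternative strategies for Figure D.4: A is flatter than B.
ALTERNATIVE_A = RiskProfile("A", [(0, 50), (500, 30), (1000, 45), (1500, 65)], 60, 90)
ALTERNATIVE_B = RiskProfile("B", [(0, 40), (400, 20), (700, 50), (1000, 90)], 60, 90)

if __name__ == "__main__":
    print("lowest risk at", UNIVERSITY.lowest_risk_performance(), "enrollments")
    print("disruption point (Point A):", UNIVERSITY.disruption_point())
    print(UNIVERSITY.evaluate_target(target=700, lower=600, upper=800))
    print("less incremental risk:", less_incremental_risk(ALTERNATIVE_A, ALTERNATIVE_B))
```

With the constructed numbers the disruption point falls at 1,100 enrollments, matching the maximum the university set itself in Example D.1, and the 700-student target sits 24 units below appetite with its whole variation band (600 to 800) inside appetite. The `disruption_point` search deliberately ignores the falling side of the curve, since the text defines Point A as the crossing beyond which risk "continues above the risk appetite line"; a curve that starts above appetite at very low performance (the 100-student underperformance case) is a different condition and is visible instead in `risk_at`.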

Identifying Risks in Performance


Organizations identify and assess the risks to business objectives and chosen strategy. Any potential risks that
have been identified as part of the selection process provide a starting point for identifying and assessing risks in
execution. This process yields a risk profile of actual risks for each business objective and overall strategy—one
that either confirms the expected risks or one that indicates additional risks.
Additional risks may be identified for a number of reasons. The organization may have completed a more
rigorous analysis after selecting a business objective, or may have gained access to more information, giving it
more confidence in its understanding of the risk profile, or may have determined it needs to update the list of
expected risks due to changes in the business context having occurred.

The outputs of the risk identification process, the risk universe, form the basis on which an organization is able to
construct a more reliable risk profile.

Using Risk Profiles when Assessing Risk


Risks identified and included in a risk profile are assessed in order to understand their severity to the
achievement of an entity’s strategy or business objectives. Management’s assessment of risk severity can focus
on different points of the risk profile for different purposes:

• To confirm that performance is within the acceptable variation in performance.

• To confirm that risk is within risk appetite.

• To compare the severity of a risk at various points of the curve.

• To assess the disruption point in the curve at which the amount of risk has greatly exceeded the appetite of
the entity and impacts its performance or the achievement of its strategy or business objectives.

The risk profile in Figure D.6 depicts the amount of risk within an assumed time horizon. To incorporate time into
the risk profile, management must define the performance target with reference to a time period.
Figure D.6: Assessing Risk Using a Risk Profile

In assessing the distance of the curve from the x-axis, management considers the aggregate amount of known
(existing, emerging, and new risks) and unknown risks. The amount of unknown risk may be estimated with
varying levels of confidence depending on the type of business objective, experience and knowledge of the
organization, and available data. Where the number and amount of unknown risks is potentially large (e.g.,
developing new technology), the distance between the risk curve and the x-axis will typically be greater to
indicate greater risk. For business objectives in more mature environments with significant performance data,
knowledge, and experience, the amount of unknown risk may be considered much less significant, and the
distance between the risk curve and the x-axis will therefore be smaller. The distance of the curve from the x-
axis also demonstrates how multiple risks impact the same business objective.

The organization may choose to use different assessment methods for different points of the risk curve. When
focused on the acceptable variation in performance, analysis of risk data may be a suitable approach. When
looking at the extreme sections of the curve, scenario analysis workshops may prove more effective in
determining the height and shape of the curve.

As with considering alternative strategies and identifying risks, management uses quantitative and qualitative
approaches, or a combination of both, to assess risks and develop a risk profile. Qualitative assessment is
useful when risks do not lend themselves to quantification or when it is neither practicable nor cost effective to
obtain sufficient data for quantification. For example, consider a reputable technology company that is
contemplating launching a new product that is currently not commercially available. In developing a risk profile of
the risk of launching the R&D of the new product, management relies on its own business knowledge and its
engineers’ expertise to determine the height and shape of the curve.

For risks that are more easily quantifiable, or where greater granularity or precision is required, a probability
modeling approach is appropriate (e.g., calculating value at risk or cash flows at risk). For example, when the
same technology company assesses the risk of maintaining operations in a foreign country, it employs modeling
when plotting the curve to identify sufficient points outlining the severity of its foreign exchange exposure.

Using Risk Profiles when Prioritizing Risks


How organizations prioritize risks can affect the risk profile for a strategy or business objective. The following are
examples of how the prioritization criteria (see Principle 14) are incorporated into the risk profile:

 Adaptability influences the height and shape of the risk curve reflecting the relative ease with which the
organization can change and move along the curve.

 Complexity of a risk will typically shift the risk curve upwards to reflect greater risk.

 Velocity may affect the distance at which acceptable variation in performance is set from the target. (Note
that the velocity of the risk also reflects the third dimension of time, and therefore is not reflected in the risk
curve.)

 Persistence, not shown on the risk curve as it relates to a third dimension, may be reflected in a narrowing
of the acceptable variation in performance as the entity acknowledges the sustained effect on
performance.

 Recovery, the time taken to return to acceptable variation in performance, is considered part of
persistence. How the entity recovers will shape the risk curve outside of the acceptable variation in
performance and the relative ease with which the entity can move along the curve.

Many organizations choose to use severity as a prioritization criterion. For example, consider the risk profiles in
Figure D.7. If an organization were asked to prioritize the risks in Risk Profile A compared to those in Risk Profile
B, it may well select Risk #3 in Profile A as the most important because of its absolute severity (a risk-centric
perspective). But if the organization were to view Risk Profile A from a business objective perspective, it would
see that the entity is still well within its risk appetite for the particular performance target. In fact, both Risk Profiles
A and B have the same severity of risk for their respective performance targets. Consequently, the severity of
one risk (e.g., Risk #3 in Risk Profile A) should not be the sole basis for prioritization relative to other risks.

Figure D.7: Using Risk Profiles to Compare Risks Impacting Objectives

Using Risk Profiles when Considering Risk Responses


Once the organization develops a risk profile, it can determine if additional risk responses are required. The
height and shape of the risk curve can be impacted depending on the risk response chosen (see Principle 15):

 Accept: No further action is taken to affect the severity of the risk and the risk profile remains the same.
This response is appropriate when the performance of the entity and corresponding risk are below the risk
appetite line and within the lines indicating acceptable variation in performance.

 Avoid: Action is taken to remove the risk, which may mean ceasing a product line, declining to expand to a
new geographical market, or selling a division. Choosing avoidance suggests that the organization is not
able to identify a response that would reduce the impact of the risk to an acceptable severity. Removing a
risk will typically shift the curve downwards and/or to the left with the intent of having the target
performance to the left of the intersection of the risk curve and the risk appetite.

 Pursue: Action is taken that accepts increased risk to achieve increased performance. This may involve
adopting more aggressive growth strategies, expanding operations, or developing new products and
services. When choosing to exploit risk, management understands the nature and extent of any changes
required to achieve desired performance while not exceeding the target residual risk. Here the risk curve
may not change, but the target may be set higher, which places the target at a different point along
the risk curve.

 Reduce: Action is taken to reduce the severity of the risk. This involves any of myriad everyday business
decisions that reduce residual risk to the target residual risk profile and risk appetite. The intent of the risk
response is to change the height and shape of the curve, or applicable sections of the curve, to remain
within the risk appetite set for the entity. Alternatively, for risks that are already within the risk appetite, the
reduce response may pertain to the reduction in variability of performance through the deployment of
additional resources. The effective reduction of a risk would see a flattening of the risk curve for the
sections impacted by the risk response.

 Share: Action is taken to reduce the severity of a risk by transferring or otherwise sharing a portion of the
risk. Common techniques include outsourcing to specialist service providers, purchasing insurance
products, and engaging in hedging transactions. As with the reduce response, sharing risk lowers residual
risk in alignment with risk appetite. A section of the risk curve may change, although the entire risk curve
likely shares similarities to one where risk has not been shared.

 Review business objective: The organization chooses to review and potentially revise the business
objective given the severity of identified risks and acceptable variation in performance. This may occur
when the other categories of risk responses do not represent desired courses of action for the entity.

 Review strategy: The organization chooses to review and potentially revise the strategy given the severity
of identified risks and risk appetite of the entity. Similar to reviewing business objectives, this may occur
when other categories of risk responses do not represent desired courses of action for the entity. Revisions
to a strategy, or adoption of a new strategy, also require that a new risk profile be developed.

Figure D.8 shows how a risk profile changed after carrying out a risk response, such as entering into an
insurance arrangement. For example, fruit farmers may purchase weather-related insurance for floods or storms
that would result in their production levels dropping below a certain minimum. The risk curve for production
levels flattens for the outcomes covered by insurance.

Figure D.8: Effect of Risk Response

Developing a Portfolio View
After selecting risk responses, management develops a composite view of residual risk (i.e., post-assessment
and implementation of risk response). This composite view forms an entity-wide portfolio view of the risk that the
entity faces.

While the portfolio view represents the view of risk at that level, management may choose to depict that view
through a variety of lenses. Figures D.9 and D.10 illustrate two alternatives for viewing the risk profile. The first,
Figure D.9, illustrates a risk profile linked to strategy and entity objectives. The second, Figure D.10, illustrates the
risk profile relating to the portfolio view of entity-level objectives.

An organization may choose how to depict the portfolio depending on how performance is articulated and who is
concerned. For instance, a chief financial officer may focus on a view that depicts the severity of risk in relation
to financial performance. A chief operating officer may focus on a view that depicts the severity of risk in relation
to operational performance. And the chief human resources officer may focus on a view that depicts the severity
of risk in relation to culture and resource allocation. Yet, each of these views is based on one shared
understanding of risk to business objectives.
Through the portfolio view, the organization identifies severe entity-level risks. Figure D.9 illustrates the portfolio
view.

Figure D.9: Portfolio View Using Entity-Level Objectives

When preparing a portfolio view, the organization may also choose to develop a risk profile that provides added
context on the portfolio view. Figure D.10 illustrates the risk profile of two entity-level objectives. The first graph
illustrates how risk to the achievement of entity objective 1 (at the current level of performance) is within both the
risk appetite and the risk capacity (shown as green in Figure D.9). The second graph illustrates how risk to the
achievement of entity objective 2 is above the risk appetite, although still within risk capacity (red in Figure D.9).
These two perspectives are reflected above in Figure D.9.

An organization will typically use both qualitative and quantitative techniques in developing this view. Qualitative
techniques include scenario analysis and benchmarking. Quantitative techniques include regression modeling
and other means of statistical analysis to determine the sensitivity of the portfolio to sudden or large changes.
These changes may be represented as shifts in the risk curve or gradient.

Figure D.10: Risk Profile Relating to Entity Objective

Analysis may also identify the point on the curve where change becomes a disruption to the performance of the
entity. For example, using entity objective 1, an organization identifies that a drop of more than 25% in a specific
index represents a disruptive change where the entity exceeds its risk appetite and affects the achievement of
the strategy. This is represented at the point where the gradient of the curve steepens significantly (Point A).
Further, the organization determines that a 50% drop would affect performance to the extent that the entity
exceeds its risk capacity and threatens the viability of the entity. This is represented where the risk curve
intersects the risk capacity line (Point B).
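The following is an added worked example, not code from COSO or PwC, that puts numbers to two of the ideas above: locating Point A (where the risk curve crosses the risk appetite line, which the text also describes as the point where the gradient steepens significantly) and Point B (where the curve crosses the risk capacity line), and then modelling the "share" response of Figure D.8, where insurance flattens the section of the curve it covers while leaving the rest unchanged. The risk curve, the appetite and capacity lines and the insurance terms are constructed sample values chosen to mirror the 25% and 50% index-drop narrative; none of them come from the Framework's figures.

```python
"""Locating disruption points on a risk curve and modelling a 'share' response.

Added illustration, not code from COSO or PwC. The curve, the appetite and
capacity lines and the insurance terms are constructed sample values chosen
to mirror the Point A / Point B narrative in the text.
"""
from typing import Dict, List, Optional, Tuple

Point = Tuple[float, float]  # (percentage drop in the index, assessed severity)

# Constructed risk curve for "entity objective 1": assessed severity as a
# function of the percentage drop in a market index. The slope steepens
# sharply after a 25% drop.
RISK_CURVE: List[Point] = [
    (0, 1), (10, 2), (20, 3), (25, 4), (30, 7), (40, 11), (50, 16), (60, 22),
]
RISK_APPETITE = 4.0   # severity the entity is willing to accept (constructed)
RISK_CAPACITY = 16.0  # severity beyond which viability is threatened (constructed)


def first_crossing(curve: List[Point], line: float) -> Optional[float]:
    """x value at which severity first reaches `line`, interpolating linearly
    between adjacent points; None if the curve never reaches the line."""
    if curve and curve[0][1] >= line:
        return float(curve[0][0])
    for (x0, y0), (x1, y1) in zip(curve, curve[1:]):
        if y0 < line <= y1:  # implies y1 > y0, so no division by zero
            return x0 + (line - y0) * (x1 - x0) / (y1 - y0)
    return None


def gradient_break(curve: List[Point], factor: float = 2.5) -> Optional[float]:
    """x value at which the slope first exceeds `factor` times the slope of
    the preceding segment, i.e. where the curve 'steepens significantly'."""
    slopes = [(x0, (y1 - y0) / (x1 - x0))
              for (x0, y0), (x1, y1) in zip(curve, curve[1:])]
    for (_, prev), (x, cur) in zip(slopes, slopes[1:]):
        if prev > 0 and cur > factor * prev:
            return x
    return None


def disruption_points(curve: List[Point], appetite: float,
                      capacity: float) -> Dict[str, Optional[float]]:
    """Point A: the curve crosses the risk appetite line (the drop the text
    calls a disruptive change). Point B: the curve crosses the risk capacity
    line. 'steepens_at' is the gradient-based reading of the same Point A."""
    return {
        "point_a": first_crossing(curve, appetite),
        "point_b": first_crossing(curve, capacity),
        "steepens_at": gradient_break(curve),
    }


def share_response(curve: List[Point], deductible: float,
                   covered_severity: float) -> List[Point]:
    """Model a 'share' response such as insurance (Figure D.8): for outcomes at
    or beyond `deductible` the insurer absorbs severity above
    `covered_severity`, so that section of the curve flattens while the rest
    of the curve is unchanged."""
    return [(x, min(y, covered_severity)) if x >= deductible else (x, y)
            for x, y in curve]


def changed_section(before: List[Point],
                    after: List[Point]) -> Optional[Tuple[float, float]]:
    """x range over which a response actually altered the curve, or None."""
    xs = [x for (x, y0), (_, y1) in zip(before, after) if y0 != y1]
    return (min(xs), max(xs)) if xs else None


if __name__ == "__main__":
    print("inherent profile:", disruption_points(RISK_CURVE, RISK_APPETITE, RISK_CAPACITY))
    # Constructed insurance terms: cover attaches at a 30% drop and caps the
    # retained severity at 8.
    shared = share_response(RISK_CURVE, deductible=30, covered_severity=8.0)
    print("after sharing:   ", disruption_points(shared, RISK_APPETITE, RISK_CAPACITY))
    print("section changed: ", changed_section(RISK_CURVE, shared))
```

On the constructed curve both readings of Point A agree at a 25% drop and Point B sits at a 50% drop; after the insurance response the curve no longer reaches the risk capacity line, but the section below the deductible, and therefore Point A, is unchanged, which is the "entire risk curve likely shares similarities" behaviour the Share response describes.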

By using stress testing, scenario analysis, or other analytical exercises, an organization can avoid or more
effectively respond to big surprises and losses. By analyzing the effect of hypothetical changes on the portfolio
view, the organization identifies potential new, emerging, or changing risks and evaluates the adequacy of
existing risk responses. The purpose of these exercises is for management to be able to assess the adaptive
capacity of the entity. They also help management challenge the assumptions underpinning the selection of the
entity’s strategy and assessment of the risk profile.

Monitoring Risk Management Performance


Organizations can use graphical representations to understand how risk is impacting performance. As shown in
Figure D.11, management analyzes the risk profile to determine whether the current level of performance risk is
greater than, less than, or as expected compared to the risk assessment results. Additionally, management considers
whether a change in performance has created new factors that influence the shape of the curve. Based on this
analysis, management can take corrective action.

Figure D.11: Using Risk Profiles to Monitor Performance

 Has the organization performed as expected and achieved its target? Using a risk profile, the organization
reviews the performance achieved and determines whether targets were met or whether variances occurred. Point
B on the figure shows an organization that has not met its planned performance (Point A) but remains
within acceptable variation.

 What risks are occurring that may be impacting performance? In reviewing performance, the organization
observes which risks have occurred or are presently occurring. Monitoring also confirms whether risks
were previously identified or whether new, emerging risks have occurred. That is, are the risks that were
identified and assessed and that inform the shape and height of the risk curve consistent with what is being
observed in practice?

 Was the entity taking enough risk to attain its target? Where an entity has failed to meet its target, the
organization seeks to understand whether risks have occurred that are impacting the achievement of the
target or whether insufficient risk was taken to support the achievement of the target. Given the actual
performance of the entity in the figure, Point B also indicates that more risk could have been taken to attain
its target.

 Was the estimate of risk accurate? In those instances where the risk was not assessed accurately, the
organization seeks to understand why. In reviewing the assessment of severity, the organization
challenges the understanding of the business context, the assumptions underpinning the initial assessment
and whether new information has become available that may help refine the assessment results. Point C
on the figure indicates where an entity has experienced more risk than anticipated for a given level of
performance.

Given the results of the monitoring activities, the organization can determine the most appropriate course of
action.

Compendium of Examples

January 2018

COSO ERM 2017 - Compendium ey.pdf

This project was commissioned by the Committee of Sponsoring Organizations of the Treadway Commission
(COSO), which is dedicated to providing thought leadership through the development of comprehensive
frameworks and guidance on internal control, enterprise risk management, and fraud deterrence designed to
improve organizational performance and oversight and to reduce the extent of fraud in organizations. COSO is a
private sector initiative, jointly sponsored and funded by:

 American Accounting Association

 American Institute of Certified Public Accountants

 Financial Executives International

 Institute of Management Accountants

 The Institute of Internal Auditors

Committee of Sponsoring Organizations of the Treadway Commission
Board Members
Robert B. Hirth Jr.

COSO Chair

Richard F. Chambers

The Institute of Internal Auditors

Mitchell A. Danaher

Financial Executives International

Charles E. Landes

American Institute of Certified Public Accountants

Douglas F. Prawitt

American Accounting Association

Sandra Richtermeyer

Institute of Management Accountants

PwC—Author
Principal Contributors
Miles E.A. Everson

Engagement Leader and Global and Asia, Pacific, and Americas (APA) Advisory Leader

New York, USA

Dennis L. Chesley

Project Lead Partner and Global and APA Risk and Regulatory Leader

Washington DC, USA

Frank J. Martens

Project Lead Director and Global Risk Framework and Methodology Leader

British Columbia, Canada

Matthew Bagin

Director
Washington DC, USA

Hélène Katz

Director

New York, USA

Katie T. Sylvis

Director

Washington DC, USA

Thomas Holland

Manager

New York, USA

Sallie Jo Perraglia

Manager

New York, USA

Andrise Scott

Manager

Washington DC, USA

Maria Grimshaw

Senior Associate

New York, USA

Additional PwC Partners, Principals, and Staff


Glen Brady

Partner

Missouri, USA

Peter Claude

Partner

New York, USA

Peter Frank

Principal

New York, USA

Rob Gormly

Principal

Washington DC, USA

David Fisher

Managing Director

Washington DC, USA

Additional Contributors
PwC also wishes to thank Violet Rukambeiya, Derrick Sturisky, and Kathleen Crader Zelnik for their
contributions to the development of the Compendium.

Foreword

In keeping with its overall mission, the COSO Board commissioned and published in 2017 Enterprise Risk
Management—Integrating with Strategy and Performance. That publication recognizes the increasing
importance of the connection between strategy and entity performance as well as concepts and applications of
enterprise risk management. The second part of that publication, the Framework, accommodates different
viewpoints and organizational structures to enhance strategies and decision-making. It also sets out core
definitions, components, and principles, and it provides direction for all levels of management involved in
enterprise risk management.

During the development of Enterprise Risk Management—Integrating with Strategy and Performance, the PwC
Project Team received requests for the publication to include examples of the Framework in use. The publication
you are reading now responds to that request, providing illustrations of how organizations of different types and
sizes and in different industries and geographies might choose to apply these principles. All the examples were
developed by identifying industry practices through interviews, case studies, and research.

Each example focuses on a specific industry, but those in other industries can benefit from the insights.
Similarly, while each example describes how a different entity has scaled and adapted the principles, other
entities can use the information as they see fit.
The COSO Board would like to thank PwC for its significant contributions in developing Enterprise Risk
Management—Integrating with Strategy and Performance: Compendium of Examples.

1. Introduction

The COSO publication Enterprise Risk Management—Integrating with Strategy and Performance sets out a
relationship between an entity’s mission, vision, and core values; its strategic goals and directions; and the
approaches used in carrying out its strategy.

This complementary publication offers a compendium of examples to illustrate how an organization might apply
principles from Enterprise Risk Management—Integrating with Strategy and Performance to its day-to-day
practice. Each example highlights specific principles that are relevant to entities of different types and sizes in
different industries. Together, the examples relate to each of the five components and twenty principles set out
in the Framework.

How to Use This Document


To get the most out of this publication, your organization should consider the principles in the Framework and
how to tailor them to the particular strategies, business objectives, risks, and opportunities for the entity. The first
step is to think about the size, scale, and complexity of your organization, and then find the section that best
applies (see below).

Each example is a standalone case, which means that not all aspects of the components and principles are
illustrated in each case. Nor are the examples meant to provide "how-to" instructions or illustrate best practices.
But all the components, principles, and definitions illustrated here are discussed in Enterprise Risk
Management—Integrating with Strategy and Performance, and you should refer to that publication for a
comprehensive discussion of how entities design, implement, and oversee enterprise risk management.

Keep in mind that this compendium of examples is written from the perspective of day-to-day business practices,
which does not preclude a risk management function from having its own separate activities. In many cases, a
risk function exists within a regulated industry that must adhere to specific activities set by the regulators. This
publication is not intended to interpret or supersede regulations that apply to any entity.
Also note that smaller entities may apply these principles using different approaches. For example, all public
companies have boards of directors or other similar governing bodies with oversight responsibilities relating to
the achievement of an entity’s strategy and business objectives. A smaller entity may have a less-complex
operation, governance and operating model, and organizational and legal structure. Management may also
communicate more frequently with directors, enabling greater reliance on board oversight for enterprise risk
management practices.

Some entities that are just beginning to develop enterprise risk management capabilities may find the examples
to be complex, while entities that have more advanced enterprise risk management capabilities may find them
simplistic. Keep in mind that this compendium was written for a wide audience and is not intended to be
tailor-made for any one organization. Rather, it provides additional context and understanding to the Framework.

What the Examples Include


The examples have been developed for entities of different sizes (local, national, international) and in different
sectors, organized as follows:

Local
 Financial services company (Chapter 4)

 Consumer products company (Chapter 7)

National
 Government entity (Chapter 3)

 Energy company (Chapter 5)

 Technology company (Chapter 8)

 Healthcare company (Chapter 10)

International
 Higher education institution (Chapter 2)

 Not-for-profit entity (Chapter 6)

 Industrial products company (Chapter 9)

Applying the Principles
The examples in the various chapters show how the principles can be applied, with each focusing on aspects of
different components covered in Enterprise Risk Management—Integrating with Strategy and Performance.
Each example:

 Provides context to the industry in which the illustrated entity operates (both external and internal
environments).

 Provides background information on the specific entity.

 Highlights the applicable principles.

 Discusses in detail how the organization applies those principles.

 Shows how enterprise risk management is integrated with the business.

 Summarizes the key benefits of those enterprise risk management practices.

Please note that the names of organizations and people in the examples are fictional, and any resemblance to
actual organizations and people is coincidental.

What Principles Are Covered


Table 1.1 shows which principles are primarily illustrated in the examples for each type of entity (denoted by a
"◆"). Some of the examples include secondary information beyond the primary principles to provide context
(e.g., information about the risk appetite or business context), denoted by an "*." The presentation of the
examples follows the order of components in the Framework that the principles primarily relate to (Governance
and Culture; Strategy and Objective-Setting; Performance; Review and Revision; Information, Communication,
and Reporting).

Table 1.1: Principles Illustrated by Examples

2. Governance in a Higher Education Institution

Industry Context fn 1

Higher education, often referred to as postsecondary or tertiary education, refers to learning delivered by
universities, academies, colleges, seminaries, and institutes of technology that award academic degrees or
professional certifications at the successful conclusion of a program of study. Many of these institutions also
have research programs driving technology developments, scientific discoveries, and innovation in all
disciplines.

Higher education entities may be influenced by any or all of the following external factors:

 Government policies and funding that impact operations and revenue streams.

 Pressures from business and other external stakeholders that challenge institutions to better account for
student outcomes.

 Increased competition from international institutions in attracting students.

 Technology that has fueled the growth of on-line programs purporting to offer greater flexibility, accelerated
learning, and lower tuition for students.

 Legal uncertainties relating to intellectual property ownership, authority of course materials, and academic
freedom for teaching and research staff.

They may also be influenced by the following internal factors:

 Pressures to maintain certain levels of domestic and international student enrolments, which have an
impact on forecasted revenue from student tuition and the reputation of the university.

 Challenges in attracting and retaining highly skilled faculty and administrative staff capable of developing
challenging curricula and supporting the changing operating needs of the institution.

 Student activism relating to operating decisions that affect the direction and scope of student learning,
research programs, and academic freedom.

 Requirements for complying with all laws and regulations concerning ethics, privacy, cyber risks,
operations, and campus safety.

Institutions typically finance their operations through a combination of student tuition, government funding,
grants, donors, and other sources of income. This involves:

 Attracting and maintaining international and domestic student enrolments to generate tuition fees.

 Meeting the standards required for government funding, borrowing, research grants, and subsidies based
on the institution’s reputation for academic rigor and innovation.

 Entering into business partnerships with private enterprises, industry groups, and other organizations in
pursuit of a common objective.

 Soliciting financial support from alumni and other benefactors through lobbying, outreach, and marketing
programs.

 Managing the financial assets of the institution.

Key Benefits of Enterprise Risk Management in the Example
This example shows how boards can use enterprise risk management to identify and manage entity-wide risks
and reduce performance variability.

Principles Demonstrated
The following principles are primarily demonstrated in this example:

 Principle 1: Exercises Board Risk Oversight–The board of directors provides oversight of the strategy and
carries out governance responsibilities to support management in achieving strategy and business
objectives.

 Principle 2: Establishes Operating Structures–The organization establishes operating structures in the
pursuit of strategy and business objectives.

Aspects of the following principles are also demonstrated:

 Principle 8: Evaluates Alternative Strategies–The organization evaluates alternative strategies and
potential impact on risk profile.

 Principle 14: Develops Portfolio View–The organization develops and evaluates a portfolio view of risk.

 Principle 20: Reports on Risk, Culture, and Performance–The organization reports on risk, culture, and
performance at multiple levels and across the entity.

Facts and Circumstances fn 2

The university in this example is a highly prominent institution based in Southeast Asia within a network of
partner universities in Europe and North America. It is renowned for its Schools of Business and Medicine as
well as its executive MBA program, all of which attract students from around the globe. It has 30,000 students
and over 6,000 employees (faculty and administrators).

The eleven-member board that oversees the university is made up of representatives from the business, legal,
and medical communities; alumni; and faculty and student population. Six board members are considered
independent directors. The president of the board is a retired executive and alumnus of the university who
assumed the role four years ago.

Recently, the university’s student enrolment has declined and financial results have not met forecasts. There
have been several contributing factors to these trends:

 The rise of international on-line MBA programs that are luring students with promises of accelerated paths
to completion and lower living and tuition costs.

 Increasing requests for programs of study and research in emerging fields of technology, analytics,
bioscience, and aerospace that require a higher cost of delivery.

 Changes to the laws affecting pension plans, which have increased labor costs.

 Lower than expected returns on the university’s investment portfolio due to deterioration in the local stock
market and confidence in the regional economy.

 Legacy operating systems and technology that are increasingly disruptive to the efficiency of internal
processes and operations.

 Increased security costs and student support services following a series of on-campus incidents and cyber
bullying attacks.

During an analysis of its various revenue streams, the university identified that non-tuition related revenue was
lagging behind the other revenue sources (see Figure 2.1). Therefore, as part of its longer-term planning, the
university is exploring opportunities for joint ventures and third-party relationships to support the achievement of
its strategy and business objectives.

The university has already met with one investor, Lambda Labs. A partnership with Lambda Labs would see a
multiyear investment in the university’s infrastructure and provide a welcome injection of working capital. As a
part of a regular review of board oversight and to bolster stakeholder confidence, the board intends to enhance
transparency of its governance, oversight, and risk management systems.

Figure 2.1: University Projected Revenue over Ten Years

Lambda Labs stated that while the financial reporting and forecasting information already provided was critical to
their decision to pursue further discussions, they require greater visibility and information on the risks and
potential impacts on the university’s long-term performance. As an example, Lambda pointed to the increasing
number of student protests occurring over proposed curriculum changes and funding decisions, and the impact
those could have on the university’s reputation and its ability to attract future investments.

Discussion
Designing Board Oversight
The board is supported by three existing sub-committees designed to oversee the performance of the university
in relation to its mission, vision, and core values. The board delegates authority to each of the committees, which
is outlined in greater detail in their respective charters:

 Investments Committee: oversight of the investments portfolio in line with the university’s risk appetite.

 Audit Committee: oversight of financial reporting and audit matters.

 Remuneration and Nomination Committee: appointment and remuneration of the board of directors, where
applicable, and senior management.

The board retains governance and oversight for the following:

 Authorization and accreditation of the university by the ministry of education.

 Review of and concurrence with the university’s strategy and risk appetite.

 Approval of financial statements and significant investments.

 Approval of designated policies and procedures including staff and academic codes of conduct.

The board identified increasing third-party arrangements as an opportunity to enhance revenue, and it is
responsible for reviewing proposals to enter into any significant arrangements. Given the increasing number of
such proposals, the board has struggled to manage this particular responsibility. In recent board meetings, some
directors have expressed concern about the volume of applications. Many of the proposals are highly technical
or in specialist areas outside the experience of the directors, which adds to the time required to review them.

When reviewing a third-party proposal, the board is typically provided with information on the purpose of the
agreement, performance targets, potential risks, and ongoing performance-monitoring approaches. But board
members have long expressed reservations about the level and quality of information provided. They tend to
focus on the assumptions provided that underpin the proposed arrangements and on any contingent payments
or obligations placed on the university under the contract, including any that could affect the future accreditation
of the university.

As a part of the regular review of board oversight and in an effort to enhance its reporting, the board decided to
make the following changes:

• All board members will be required to complete training offered by the National Institute of Board Directors.
The training course highlights the responsibilities of directors and includes sections on enterprise risk
management.

• Future director nominations will focus on increasing the diversity of experience and expertise of board
members in line with the university’s mission, vision, and five-year strategic plan. Future candidates will be
considered from a range of fields including technology, sciences, and geopolitical and regulatory affairs.

• To help add rigor, consistency, and efficiency to the review process, and to improve transparency, the
board will establish a management steering committee to improve the university’s risk management
capabilities and practices when assessing potential partnerships.

• The new steering committee will be given the task of reviewing the university’s current reporting
capabilities and proposing improvements to provide better insight into performance and the portfolio view
of risk.

Creating a Steering Committee
At the request of the board, the chief financial officer and chief operating officer created a steering committee
comprising representatives from each of the schools, the Office of Industry and Commercial Liaisons,
information technology teams, and other core administrative functions. The following objectives of the steering
committee were set:

• Develop criteria for evaluating third-party agreements that align with the university’s five-year strategic plan
and cover a range of strategic, performance, and risk considerations.

• Develop new integrated performance reporting for the university that expands on the current financial
reporting of key performance indicators.

The steering committee began by examining the university’s longstanding mission, vision, and core values:

• Mission: To provide world-class academic and research opportunities.

• Vision: To be the leading university of choice in academic excellence enabling staff and students to
contribute to the advancement of society.

• Core values: The pursuit of academic excellence and quality, integrity, freedom of enquiry and
expression, diversity, and inclusion.

Next, the committee looked at the university’s five-year strategic plan, which is based on the mission, vision, and
core values, and considers risk appetite. The strategic plan has four parts, each of which provides a detailed
description of the supporting business objectives, activities, and anticipated resources to achieve the overall
strategy:

• Delivering academic excellence.

• Fostering innovation and advancement.

• Supporting the needs of the future economy.

• Optimizing financial and operational performance.

Key Observation

By highlighting the assumptions that underpin the strategy and business objectives, or the assessment of risks,
the organization is in a better position to identify changes to the risk profile and performance of the entity in a
timely manner.

The steering committee identified and assessed risks related to the strategy and performance of that strategy. In
addition, the team worked closely with other stakeholders to identify the assumptions underpinning the strategy.
Those assumptions included anticipated growth of student enrolment, levels of government funding and other
grants, and developments in technology and science that drive interest to particular areas of research. Other
assumptions concerned funding allocations, regulatory requirements, and policy objectives.

Designing Relevant Reporting

Figure 2.2 is an extract from the university’s five-year plan, showing the risks identified during the strategy-
setting process and assumptions underlying the business objective and performance target.

Figure 2.2: Five-Year Strategy Part 1: Delivering Academic Excellence

Key Observation

By using the strategy and business objectives to structure a report, an organization will more clearly highlight
information relating to new and changing risks and the impact to performance. Those who use the report can
observe how one risk may impact multiple objectives, or how changes in the business context may impact more
than one risk.

Considering the risks identified, the new steering committee decided on the following approach to improve the
university’s current reporting capabilities:

• Confirm who is anticipated to use the reports and what the specific reporting requirements of those users
are, given their responsibilities. Report users are likely to include:

  • Members of the board with responsibility for governance and oversight of the university.

  • The ministry of education that retains regulatory oversight over many of the university’s functions,
  including accreditation, government funding, and quality assurance.

  • Potential third-party investors and partners who are looking for insights and confirmation of the
  university’s financial and operational performance and the portfolio view of risks that are managed on
  an ongoing basis.

  • External auditors and ratings agencies.

• Agree on the performance and risk information that should be periodically reported to the board.

• Identify the resources and capabilities required to develop ongoing, integrated reporting.

• Assign roles and responsibilities.

At the time, the university was using a "balanced scorecard approach" for reporting, which covered the four parts
of the strategic plan (see Figure 2.3). The steering committee decided to retain that approach. It reviewed the list
of indicators, selecting which it would periodically report on to the board, and whether any additional context and
analysis would be needed.

Figure 2.3: University Monthly Management Report—Executive Dashboard fn 3

Key Observation

The rating and trend analysis was completed in relation to objectives, not risks. This approach focuses the board
on performance-related conversations rather than risk-centric conversations.

The balanced scorecard included key indicators and trends for each business objective to highlight levels of
performance and identify potentially manifesting risks. The analysis, included in the monthly management report,
integrated the discussion of performance and risk to provide context to the university’s level of confidence in
achieving its strategy and business objectives (see Figure 2.4).

Figure 2.4: University Monthly Management Report

The analysis also permitted the university to highlight those risks or trends that impact more than one part of
the strategic plan. As an example, the increase in university partnerships with industry and commercial entities
influences the risk profile of Part 3, Supporting the Needs of the Future Economy, and Part 4, Optimizing
Financial and Operational Performance.

Once it improved its reporting practices, the university was able to provide greater transparency of its current
and forecasted performance to share with potential third parties. In the case of Lambda Labs, the
pharmaceutical research group was seeking to partner with the university to build a state-of-the-art research
laboratory that would house world-class research teams and teaching facilities for undergraduate and
postgraduate medical students. The construction of the laboratory would be seen as a competitive advantage in
recruiting students and bolstering the quality of the academic curriculum and teaching capabilities.

As part of the proposed contract, Lambda Labs included a provision granting them an exclusive license and
patents to the use of any inventions produced as a result of the contract. Using the evaluation criteria, the
members of the steering committee compared the effect of the agreement on the university’s projected financial
performance and its objective of maintaining a rigorous academic curriculum.

• The Office of Industry and Commercial Liaisons (OICL) identified that the agreement would be highly
lucrative to the university and likely result in increased revenues from government funding and grants,
greater investment from other potential donors, higher student admissions, particularly from international
locations, and less need to self-fund significant capital expenditures that would have been necessary in the
mid- to long-term. However, it also identified the potential for the partnership to overperform in some of
these areas, which could challenge the capacity of the university.

• The steering committee also noted the potential impact on the academic program. They identified two areas
of concern in particular: actual or perceived bias in the research, and the ability to maintain academic
freedom.

• Moreover, the proposed new research would have mixed effects on the ability to recruit and retain academic
staff. While the facilities themselves would likely entice more interest from experienced researchers and
faculty staff, the clauses in the contract that might affect academic freedom and cause perceived or actual
bias would likely have the opposite effect. The steering committee also identified clauses in the contract
that could impact existing employment contracts and performance metrics relating to research and
publication efforts.

The steering committee presented the findings to the board for their consideration. Figure 2.5 is an extract of
that report.

Figure 2.5: Report to Board—Extract

The following detailed analysis in Figure 2.6 outlines the anticipated changes to the risk profile and performance
of the university if the research center were to be built.

Figure 2.6: Analysis of Risk Profiles

In its oversight role, the board is required to balance the financial windfall and reputational gains from any
agreement against the potential threats to academic freedom and independence of research. In this case, the
board ultimately decided to pursue the opportunity with Lambda as it aligned with the university’s mission, vision,
and five-year strategic plan, with the proviso that additional clauses be inserted in the contract guaranteeing the
university’s rights to teaching, research methods, and publication that are free from commercial influences.

Oversight Delivers Value

Prior to enhancing its enterprise risk management capabilities, the board had taken a less rigorous approach to
understanding risk when venturing into new areas. The efforts in place today provide the board with greater
confidence that it has considered the full spectrum of risks and evaluated the decisions on more than just the
financial merits, such as those offered by the Lambda deal.

Further, by updating reporting to include performance and the risks associated with the levels of performance
the university was pursuing, the board was provided with the information it needed to exercise its oversight role.
The reporting assisted the board in asking more insightful questions and analyzing the level of risk it was
accepting relative to the partnership with Lambda Labs. Due to active board oversight, the university was able to
secure the partnership, and revenue is expected to increase as the partnership goes into effect. More timely and
focused reporting also enables the board to act sooner and with greater clarity, thereby reducing overall
performance variability.

Footnotes

fn 1: Reminder: The examples do not illustrate a complete view of all enterprise risk management practices
in an organization. Each organization should consider and adapt the principles set forth in the
Framework to its specific strategies, risks, and opportunities based on its size, scale, and complexity.

fn 2: Names of organizations and people in this example are fictional, and any resemblance to actual
organizations and people is coincidental.

fn 3: For brevity, only select key performance metrics listed in Figure 2.2: Five-Year Strategy Part 1:
Delivering Academic Excellence are shown in the executive dashboard.

3. Culture in a Government Entity

Industry Context fn 4

Government entities often have complex and diverse missions that set the stage for the overall strategy to
provide services to the public. Developing and carrying out a strategy can be complicated by changes in budget,
political climate, highly visible public oversight, and even the overall mission. Many government entities face
significant resource constraints and declining budgets, which impede their ability to hire in response to attrition
and retirement. This challenging environment often results in employees who focus only on carrying out their
day-to-day responsibilities, not the bigger picture.

Government entities may be influenced by any or all of the following external factors:

• Political landscapes that affect funding and priorities.

• Budget allocations by legislatures that impact the priorities of the entity and any mission changes.

• Demographics, including population growth rates and age distribution, that impact the size of the
population the entity serves.

• Technological shifts that impact the type and amount of automation within operations and the challenge to
keep pace.

• Changing leadership within governments that creates new priorities or modifies existing ones.

• Climate change, which impacts scrutiny of related government policies.

They may also be influenced by the following internal factors:

• Availability of capital, which depends on the current political atmosphere and may require government to
constrain activities or quickly reallocate funds.

• Attrition and competition, which can impact the availability of highly skilled labor.

• Operational failures that challenge the ability to carry out the mission.

• Availability of investment for technology infrastructure that impacts the ability to perform complex and
interconnected activities.

Key Benefits of Enterprise Risk Management in the Example
This example shows how a government agency changed its culture to more effectively identify and manage
entity-wide risks.

Principles Demonstrated
The following principles are primarily demonstrated in this example:

• Principle 3: Defines Desired Culture–The organization defines the desired behaviors that characterize the
entity’s desired culture.

• Principle 4: Demonstrates Commitment to Core Values–The organization demonstrates a commitment to
the entity’s core values.

• Principle 5: Attracts, Develops, and Retains Capable Individuals–The organization is committed to building
human capital in alignment with the strategy and business objectives.

Aspects of the following principle are also demonstrated:

• Principle 20: Reports on Risk, Culture, and Performance–The organization reports on risk, culture, and
performance at multiple levels and across the entity.

Facts and Circumstances fn 5

The Department of Local Enterprise is a government entity that has experienced years of declining budgets and
increasing mission responsibilities. It also has been faced with an aging workforce, resulting in a high rate of
attrition due to retirement. These factors have affected the department’s ability to effectively manage its
operations. For some time managers and employees have been overwhelmed and, as a result, have focused on
carrying out their day-to-day responsibilities without considering performance or risk implications.

The operational area that reviews applications for real estate development has been particularly hard hit. Over
one two-year period, there was an increase in new, first-time applications, a trend tied to revitalization efforts
across several communities. Already short staffed, the group was unable to keep up with the volume.
Consequently, there were severe delays in reviewing applications and issuing permits—up to nine months in
some cases, three times longer than at other permit-issuing entities. Worse, the delay snowballed. After two years
the backlog of a few hundred applicants grew to several thousand.

Most of the employees who handled the applications considered the situation at the time as being futile and just
focused on reviewing what they could in a day’s work. The few employees who tried to discuss the situation with
management had their concerns ignored.

This operational issue began to negatively affect the reputation and trust of the entity when the media reported
on the significant delays, and external stakeholders expressed grave concerns about the management of basic
operations. The public embarrassment was matched by calls for investigations into what went wrong. In
response, senior leadership met to discuss how they could solve the application backlog by reallocating
resources and considering opportunities for more efficiency. But they also realized it was time to address a
growing cultural challenge, reiterate the department’s core values, and look at creative ways to attract the next
generation of employees.

Discussion
Addressing Cultural Challenges
Russ Desjarles, the head of the Department of Local Enterprise, recognized that the backlog of real estate
development applications was a symptom of a larger and growing operational and cultural issue. Management at
all levels had not been adequately evaluating the performance and risk implications of their actions and using
that information to make better decisions. Additionally, the tone from management suggested that employees
should just focus on getting their work done, not on raising issues of risk. Russ and his leadership team
acknowledged that this culture was causing problems to linger.

The leaders agreed on a first step to evolve the culture to be more risk aware: embed enterprise risk
management capabilities into each business unit in order to create a safe place for employees to talk about risk
and provide line of sight into each operating area. They did this by creating the role of "risk ambassador" for
each business unit. These risk ambassadors were to be the primary link between their business unit and senior
management on issues of risk. They were given the responsibility of helping their individual units develop
adequate risk management practices and infrastructure to identify, assess, and treat risk at all levels of the
operation. This organizational model allowed the leadership team to be connected to every business unit to drive
training, communication, and feedback about the cultural changes made.

Key Observation

Defining roles and responsibilities for enterprise risk management at all levels of an organization sets the
expectation that it is not something left to those in charge of risk, but something the entire organization must
embrace and participate in.

Crucial to the success of this model was choosing the right people to be risk ambassadors. Each ambassador
needed to command respect from both employees and the head of the business unit—for example, a senior
manager with a reporting line directly to the head of the business unit. This helped to improve acceptance of the
ambassador within the business unit and made it more likely that employees would be willing to discuss risks
with them. The success of this effort soon became apparent. Within the first three months of the program, a risk
had been brought up through the ambassador network, which was then escalated to the head of the business
and resulted in a change to the process that kept the risk from manifesting.

Also important to the success of the model was the effort to communicate the message from the top—that
message being that a fundamental change in environment was needed, one in which all employees felt safe
bringing up and discussing risks. Russ reiterated this message in all meetings with employees at all staff levels.
The senior leadership discussed what was required to create a safe environment, and they produced a webcast
on how to do that. The risk ambassador program showed the tangible commitment to the new culture. Further,
several early examples of employees escalating risk information, and the department subsequently responding
to the risks without retaliation, communicated to the organization that management’s efforts were sincere and
that all comments would be taken seriously.

Because Russ could not offer financial incentives to promote the desired behavior, other types of rewards were
established, including being recognized by senior leadership. The new practices were formalized into written
employee roles and responsibilities, which became part of the measure of individual employee performance
during annual personnel reviews. This action reinforced the message that any deviations from the expected
behavior would be handled through the personnel performance management process.

Several statements of responsibility related to practices that were intended to help move the organization toward
the desired culture:

• Management creates a safe environment, which encourages transparent risk identification by staff from
across the units and is supportive of open risk discussions.

• Management motivates employees to embrace risk management and provides them with the tools and
training to do so.

• Management encourages integrating risk in the decision-making process.

• Risk ambassadors promote enterprise risk management awareness through transparency in all directions
and by sharing business unit enterprise risk management successes and best practices.

• Employees understand and accept responsibility for identifying, assessing, and managing risk.

Finally, the leadership team built on an existing strength to change the culture: its successful training program.
Historically, training had been a primary catalyst for communicating transformational ideas. It was also one of the
only venues where employees could interact across business units, so they generally looked forward to
participating in training. Leadership recognized the power of training and decided to use it to address some of
the cultural issues and to enhance the organization’s overall risk capabilities. Training was tailored to different
staff levels to reinforce the desired behaviors at each level. For senior management, training emphasized the
importance of building a culture where risk information is shared at all levels. For employees, training
emphasized the importance of identifying and escalating risk information.

Key Observation

By aligning risk reporting with existing reporting processes, risk management is not viewed as a separate activity,
but as one part of managing performance and operations at each level.

The positive results were soon apparent. For those employees in the real estate development applications
group, raising the level of risk awareness through training allowed them to identify and communicate risks to the
objective of processing the applications, which resulted in modifying the process and improving efficiency. At
another training event, Carina Mack, Cordell Bramble, and Madeline Fromm, ambassadors from three different
business units, identified a risk that was common to them all. Considering the information in aggregate changed
the assessment of the risk and revealed a greater exposure. The three ambassadors worked with their business
unit leaders to establish a small cross-functional team to develop the right response to the risk. Carina, Cordell,
and Madeline were subsequently recognized by leadership for their efforts to identify, prioritize, and treat the
risk. In-depth risk management training is now provided at least once a quarter to the risk ambassadors, since
they are responsible for embedding risk management practices and capabilities into the operations of their
respective units.

Russ has also made time for regular discussions on emerging risks. In these discussions, ambassadors identify
emerging risks, considering the business context of the department and changes to the internal and external
environment. This practice has now been carried into the regular processes of identifying business unit risks and
strategic planning.

Understanding Changes in the Culture

Having implemented several cultural changes, leadership wanted to evaluate the impact of the measures taken.
They already conducted an annual employee survey with a broad focus, and it had a good participation rate. To
avoid "survey fatigue" (which tends to drive a low response rate), they decided to use the information from the
existing survey and build on it.

To that end, they collected the survey data from previous years and reported the responses concerning culture
to the risk ambassadors and senior executives. Figure 3.1 illustrates the results of the survey over eight years,
with the changes in culture being introduced between years 7 and 8. The four areas being tracked by the survey
show improvement, but did not reach 80%, which was the target.

Figure 3.1: Employee Survey Results

Note that while the survey results did not drive culture change, they provided point-in-time information on how
behaviors were changing. Senior executives were asked to review the trends and develop an action plan to
change behaviors in their units to drive a culture of awareness and transparency for risk.

Designing Relevant Reporting

The issue of the real estate development applications revealed that the leadership team did not have a
comprehensive view of the department’s top risks. In addition to taking steps to reinforce the desired behaviors
and encourage communication of identified risks, senior leaders designed a risk-reporting process to provide
information that would enhance decision-making and performance review. To that end, they developed a matrix
showing the information requested, who required it, and the frequency with which it was requested.

Key Observation

You need to understand the stakeholders’ expectations for reporting before you begin to design your reports.
That’s the only way you’ll prepare a report that gives them what they need.

The matrix provided what they needed to initiate two reporting requirements (raise awareness of risk and better
integrate risk into decision-making). The first step was to tie the risks for each business unit to the unit objectives
and performance through the quarterly business performance review. The discussion, which until this time
focused on detailed business performance, was modified to include how the department assessed, prioritized,
and responded to the risks. The response discussion included the current response, the progress of any planned
responses, challenges that management identified to implementing planned responses, and opportunities to
improve the process as a result of the analysis.

The second reporting requirement called for more formal consideration of risk during the decision-making
process. Both of these reporting requirements increased transparency of the risks being considered as part of
business decisions and of how risks impact the performance of the business unit. As well, they imposed a
consistency on management’s review of decisions.

Throughout the entire chain of command, leaders now expect personnel to understand the risks at their level
and be able to report them. This expectation is built into the management structure, and risk is a common
agenda item at management meetings.

Building Human Capital

Russ and the leadership team at the Department of Local Enterprise have continued to build a risk-aware culture
with three specific initiatives:

• To respond to the opportunity to attract the next generation of talent (due to the high attrition rate), they
created a six-month rotational program where participants work with the risk management team, and then
move into other management positions. This model allows the program participants to see the value of
openly discussing risk and how risk information can be used to enhance decision-making. The program
has helped to change the culture as the program participants take the information into the different
business units where they use their new skills.

• The leadership team has established a relationship with a local university that includes enterprise risk
management in its curriculum. The senior managers provide the university with job descriptions for
available positions for graduates, and the university feeds those opportunities into its pipeline of talented
students that already have enterprise risk management knowledge.

• The operating model of ambassadors has been continued and is now embedded so that unit leaders better
understand the risks to the business objectives of their individual units. Many of the ambassadors now
think differently about the business and have consequently been elevated in their levels of authority.

These three initiatives have allowed the leadership team of the Department of Local Enterprise to add enterprise
risk management skills and capabilities to the list of required skills for succession planning.

Key Observation

Discussions that specifically focus on emerging risks and risks from the external environment can help an
organization understand important disruptive events.

Russ also recognized that the business units needed to embrace risk management and embed it into their
operations if they wanted to receive timely risk information to inform decision-making and avoid issues such as
the one related to real estate permits. To help support this practice, leadership established a series of operating
standards that all the units are expected to meet. These standards provide enough flexibility so units can
implement risk management effectively while still retaining consistency across units. The department uses peer
review as one method of evaluating the competence of the staff directly responsible for risk management and
whether the units are achieving the standards. Ambassadors review the work of other ambassadors and provide
feedback on how capabilities can be enhanced. Aggregate feedback is also provided to inform topics for
enterprise-wide training.

Leveraging Culture Results in Enhanced


Performance
Together, all of these changes to enhance the culture and focus on risk awareness created an environment in
which employees felt empowered. The result was their finding a solution to the original backlog problem. The
focus on the desired behaviors and culture allowed the department to enhance—not inhibit—their ability to
identify and communicate risks in the entity. Now the leadership team is better able to identify and respond to
entity-wide risks before they become national news.

Footnotes

fn 4 Reminder: The examples do not illustrate a complete view of all enterprise risk management practices
in an organization. Each organization should consider and adapt the principles set forth in the
Framework to its specific strategies, risks, and opportunities based on its size, scale, and complexity.

fn 5 Names of organizations and people in this example are fictional, and any resemblance to actual
organizations and people is coincidental.

4. Culture in a Financial Services Company

Industry Context fn 6

Financial services companies offer a wide variety of financial products to customers who want to manage their
financial assets. These companies range from local credit unions to global institutions. Customers vary from
individual retail clients to large organizations with sophisticated financing requirements. No matter what the size
and scope of a financial institution, its complexity of products, operations, and balance sheet management is
derived from its mission, vision, and strategy and influenced by the prevailing economic and regulatory climate.
Regional banks, in particular, provide the financial lifeblood for the area in which they operate, supporting
communities, industry, and small businesses in growing localized economies and creating jobs.

Financial services entities may be influenced by any or all of the following external factors:

• Regulatory scrutiny and heightened expectations of staff conduct, lending and sales practices, and the
effectiveness of enterprise risk management programs.

• The health of the local economy, which typically is strongly correlated to the ability to increase deposits
and lending activity and is affected by financial downturns.

• Economic implications from the distribution of wealth and by institutions financing new opportunities and
businesses.

• Disruptions to the traditional banking models as new technology becomes available (e.g., e-banking).

• Significant capital and liquidity requirements imposed by regulators in order to solidify the financial
foundations and resilience of financial institutions.

• Social expectations of corporate philanthropy and support of community causes.

They may also be influenced by the following internal factors:

• The need to manage new and increased capital requirements imposed by regulators.

• Competition for talented employees in new areas such as e-banking, model development, and credit risk
management to support initiatives and respond to changes in the market.

• Stable, long-standing relationships centered on understanding customers’ businesses, risk profiles, and
capacity to meet their financial obligations.

• A relationship-based approach to lending that relies increasingly on qualitative information from customers,
given the availability of audited financial statements, tax returns, or other verifiable information.

Key Benefits of Enterprise Risk Management in the Example
This example shows how a financial services company relies on its culture to increase the range of
opportunities. It identifies opportunities to realign internal operations and customer interactions with its culture in
order to promote its long-term financial success.

Principles Demonstrated
The following principles are primarily demonstrated in this example:

• Principle 3: Defines Desired Culture–The organization defines the desired behaviors that characterize the
entity’s desired culture.

• Principle 4: Demonstrates Commitment to Core Values–The organization demonstrates a commitment to
the entity’s core values.

• Principle 5: Attracts, Develops, and Retains Capable Individuals–The organization is committed to building
human capital in alignment with the strategy and business objectives.

Aspects of the following principle are also demonstrated:

• Principle 6: Analyzes Business Context–The organization considers potential effects of business context
on risk profile.

Facts and Circumstances fn 7

Broad Bridge Bank was founded 120 years ago. This regional bank’s brand is based on a simple principle of
serving the towns and business centers in the area: "We are at the heart of our community." It currently has
$950 million in assets and approximately 30,000 customers. Customers range from retail to small commercial,
industrial, and agricultural businesses that rely on the bank for working capital and related purposes.

The bank has twelve branches and introduced e-banking services nine years ago. The move to e-banking
reduced some overhead costs and provided greater transparency of the behaviors and financial health of its
customers. Bank managers have autonomy to tailor branch operations to their community needs, accept new
customers, authorize lending decisions up to a certain value, and refinance existing financial arrangements with
approved customers. Many bank managers pride themselves on knowing their customers well and offering
personalized service. As one manager puts it, "the bank succeeds when our customers succeed."

During a recent financial crisis, several things happened that affected the bank:

• Deposits and lending activities reduced dramatically as smaller businesses struggled to survive the
economic downturn.

• Many small businesses that relied on their homes and other property as the main source of collateral were
adversely impacted as property values plummeted, increasing risk to the bank. Collateral requirements of
new and existing customers started to become more stringent as a result.

• Regulators began to scrutinize the bank’s lending practices and capabilities in assessing the
creditworthiness of customers.

Broad Bridge Bank responded to these observations by moving away from qualitative assessments to more
quantitative, verifiable sources of information and introducing more standardized assessment practices. The
authority of bank managers to authorize new loans and other transactions was curtailed.

In addition to changes in banking practices, Broad Bridge Bank moved to offset rising costs and improve
efficiencies by:

• Reducing staff and branch hours.

• Changing performance targets that emphasize transactions with higher fees or lower processing
complexity and associated costs.

• Increasing on-line services to standardize processing workflow and reduce overhead costs.

• Reducing staff benefits and incentives.

• Reducing involvement in community activities, investments, and philanthropy.


Figure 4.1 illustrates the impact over several years of the bank’s decision to diversify the asset base to have a
larger proportion of lower-yield, less-risky assets.

Figure 4.1: Broad Bank’s Asset Allocation and Financial Performance

Other relevant facts include the following:

• The board of Broad Bridge Bank, which meets quarterly, comprises seven independent directors with
backgrounds in finance, banking, and law. Only three of the directors have lived or worked in the local
area. The bank has chosen not to establish separate sub-committees and is governed by its board charter.
The charter assigns governance and oversight responsibilities to the board in accordance with its mission,
vision, and core values. Board directors are limited to a maximum of three terms, each lasting four years.

• The board recently appointed a new director, Betty Fund. She is a member of the community and local
chamber of commerce, and was previously the financial director of a local business franchise. She was
chosen to strengthen ties between the board and the local communities that the bank serves.

• In accordance with regulatory requirements, the board has appointed a chief risk officer (CRO), Tyler
Mann, who reports directly to the board. Tyler has delegated authority to design and implement a suitable
risk management framework.

Discussion
Before attending her first board meeting, Betty Fund asked Tyler Mann to prepare a report outlining the portfolio
view of risk given the performance of the bank. The report highlighted the following:

• There is increasing disparity between the expectations of regulators, shareholders, the community, and
bank customers.
• Competing priorities create confusion among leadership and lead to inconsistent decision-making.

• Lending practices and ratios are affecting the economic recovery of the local areas the bank services.

• Lender distress is increasing, as evidenced by late repayments and defaults.

• The number of complaints and adverse social media postings about staff interactions with bank customers
is on the rise.

• Market share has started to diminish as customers move to new, competitive entrants in e-banking.

• Staff turnover has increased, and the bank has experienced difficulties in attracting new staff in targeted
areas such as IT resources, compliance, and credit risk management.

The report concluded that while efforts to secure the financial future of the bank have been successful in
achieving the business objectives relating to financial safety and soundness, greater risk now existed in the
achievement of business objectives relating to customer satisfaction, market share, branding, and innovation.
Moreover, in the longer term, the risks to these other objectives were likely to eclipse the financial safeguards
introduced by the bank and impact its pursuit of its mission and vision.

Defining Desired Behaviors

At the quarterly board meeting, Betty asked Tyler to present his findings from the report. Afterwards, the board
concluded that the bank needed to renew its focus on its mission, vision, and core values, and asked the
management team to put together a plan of action to present at the next board meeting.

The management team decided on an approach that would help them set their priorities. They began by defining
desired behaviors in accordance with mission, vision, and core values. They also undertook an enterprise-wide
assessment of the existing culture to identify where behaviors may have deviated or where changes were
required. Their plan of action is illustrated in Figure 4.2. They also implemented mechanisms for monitoring
future changes.

Figure 4.2: Broad Bank’s Plan of Action for Defining Culture and Desired Behaviors

Following the analysis, management defined its priorities for implementing changes. They began by alerting staff
that they would be assessing current bank operations, including lending and sales practices, customer service,
and back office operations. The goal was to identify potential risks and their root causes and propose
management actions. In an email to the bank’s staff, the chief executive officer reaffirmed his commitment to the
core values of Broad Bridge Bank and assured staff that they would be free from retribution if they came forward
with any concerns. A series of staff and team meetings were scheduled for the following weeks. Meetings were
held in informal settings and were led by members of management, not by the group team leader. This format
allowed staff to be more comfortable in raising their concerns.

Management used the following statements to gauge reactions and obtain insights from staff during the
meetings:

• Our core values are clearly understood.

• Policies and procedures provide clear guidance for expected behavior.

• Decisions are made in line with our core values, even in the absence of a defined process or policy.

• My leader does not compromise compliance and good risk management practices in pursuit of sales
targets.

• I have a clear understanding of what is expected of me.

• I am encouraged by my leaders to report issues and concerns.

• I can articulate how my role fits into the bank’s objectives.

Key Observation

To analyze observations and assess the impact on performance, management groups the findings by objective,
not by risk type, to better identify where risks are either occurring or changing in severity.

After this exercise, the management team reconvened to analyze what they had learned from the employees,
which they summarized as follows:

• Staff were bearing the brunt of customer frustration in response to more stringent loan application
processes, shorter branch hours, and reallocation of client portfolios from long-standing relationship
managers.

• Bank managers felt less empowered to make decisions and help customers most effectively. As one
manager stated, "I used to help my customers build better businesses. Now I hand them a form to fill in."

• Customers were posting complaints about the bank’s customer service on social media, stating that Broad
Bridge Bank had turned its back on its customers and its community.

• Several larger clients had been interviewed by the local press and admitted that the lack of support from
Broad Bridge Bank was impairing their ability to grow their businesses and create jobs in the area.

• Staff were aware of the bank’s brand, but that had not been translated into policies or other tools to help
with decision-making. Consequently, inconsistent decisions were being made concerning underwriting,
budgeting, and other operational matters.

• Staff were unsure how performance targets and incentives were determined given the competing
objectives of being financially successful while meeting the needs of the community.

In response to what they learned, the management team prepared a plan to address how the core values of the
organization should be strengthened and integrated into day-to-day operations. The plan reaffirmed
management’s commitment to the mission, vision, and core values of the bank as follows:

• Mission: Support the economic growth and foster financial prosperity of our community through the
provision of banking and financial services.

• Vision: Be the most trusted business advisor and bank of choice for our community.

• Core values: We act with the utmost integrity and professionalism, providing the highest level of customer
service and honoring the responsibilities we have to our customers, staff, and community.

The plan has four major sections that are in line with the strategic plan, business objectives, and core values:

1. Demonstrating leadership.

2. Providing excellent customer service.

3. Improving internal operations.

4. Building human capital.


Demonstrating Leadership
Management implemented training modules specific to the mission, vision, and core values, and through this
scenario-based training they enabled personnel to better understand how individual expectations drive desired
behaviors throughout the bank. For example, relationship managers were given a scenario of receiving a
financing application from a long-standing customer who did not meet all of the revised quantitative information
requirements. Training was provided on what other information could be relied on to meet the regulatory
requirements and how to decide whether to approve the application that was in line with the bank’s core values
and risk appetite. Staff were also given guidance on how to work collaboratively with clients to strengthen
applications where needed.

Management set for themselves the expectation that they would embed the values and desired behaviors in all
future communications. The values and behaviors would be front and center in leading the organization to be
aligned with strategy, risk, and performance. They also developed new board-level reporting metrics related to
risk, performance, and culture, including:

• Community engagement indexes.

• Customer satisfaction and loyalty.

• Employee empowerment and commitment.

The intention was to join these to existing financial, market share, regulatory compliance, and efficiency metrics
to form a more comprehensive balanced scorecard in assessing the bank’s performance and risk profile.

Providing Excellent Customer Service

Having reviewed customer complaints and considered the experiences described by branch staff and call-center
team members, the bank decided to reinstate the delegation of authority that had been in place before the
financial crisis. This meant that those employees who interacted directly with customers would once again be
making the majority of day-to-day decisions, approving applications by new customers, and changing lending
limits and refinancing terms. Of course, the expectation remained that all decisions must still align with the
bank’s risk appetite and performance targets.

Branch operations were also reviewed. Where appropriate, branch opening hours were extended to mirror the
needs of small businesses and rural communities. An analysis of the walk-in traffic confirmed that the costs of
keeping some branches open are offset by the increased banking activity and are directly correlated to customer
satisfaction scores and brand perception within the community.

The bank also launched its "customer first" campaign to encourage relationship managers and bankers to spend
more time with their customers and to better understand their businesses. Managers were encouraged to make
site visits and develop a communication plan for all clients to ensure ongoing contact, anticipate future needs,
and identify potential issues. One objective of the campaign was to get ahead of clients experiencing difficulties
and come up with alternative financing options before defaults took place.

Improving Internal Operations

The bank also turned its attention to its internal operations. While it had progressively updated policies and
procedures to meet new regulatory requirements, it had not reviewed the impact on its ability to adhere to its
core values. The bank therefore undertook a modeling exercise to determine the relationship between its lending
practices and subsequent economic growth. That is, it researched the impact of banking activities on sales,
revenue growth, and job creation for local businesses. Based on what it learned, the bank revised its
underwriting and credit risk management policies to clarify the types of qualitative information staff could rely on to
support more consistent lending decisions by relationship managers and lending staff.

Additional training was offered to all staff to reinforce expected behaviors and compliance with policies and
procedures. The bank also developed a program of ongoing training so that the growth and development of
employees would continue to be integrated with the established values and behaviors.

Finally, a full-time community relations advisor was appointed to promote stakeholder interests. The role
includes identifying opportunities for the bank to get involved in community initiatives and philanthropic
investments. To that end, the advisor now works closely with the heads of retail and commercial banking as well
as the customer care teams to promote more effective community engagement.

Building Human Capital

The bank integrated the values and desired behaviors into the human capital life cycle, which includes recruiting,
performance management, and termination.

New employees are now required to complete the training modules (mentioned above) so that the bank’s
values and behaviors are communicated and understood from the outset. The bank reinforces its values and
desired behaviors by circulating periodic newsletters to highlight new policies and processes and remind
employees of their personal responsibilities. Culture is reinforced through required annual training for all
employees.

The values and desired behaviors have also been integrated into annual performance reviews, which are the
basis for evaluating and compensating team members. Every role in the organization is measured against the
common set of desired behaviors. Adherence to risk-related procedures is part of the review.

Broad Bridge Bank also decided to review its incentives program and consequently modified the compensation
structure to focus on long-term sustainable performance in line with core values, rather than short-term
performance. They made adjustments to include performance incentives to recognize positive risk management
behaviors, and mechanisms that trigger bonus forfeiture in the case of reckless risk taking. By integrating risk
metrics into the employee compensation program, management demonstrated its commitment to promoting
desired behaviors of performance and risk. Connecting compensation and risk-adjusted performance helped
create outcomes that aligned with the company’s portfolio view of risk. The rewards and consequences
demonstrated that risk management is everyone’s responsibility.

Following each performance evaluation, management now establishes performance goals with employees for
the upcoming year, embedding enterprise risk management practices and capabilities into the achievement of
those goals. Accountability for risk management responsibilities is clearly defined and employees are required to
fulfill risk-related objectives as part of their annual goals. Management has also established individual and unit-
level performance measures, incentives, and rewards, embedding the values and desired behaviors into the
process. Customer satisfaction measures have been included in an effort to maintain a customer-centric posture
and incorporate customer expectations into the process.

Ongoing Review
Six months after the initial review and before the next analyst briefing with investors, Betty Fund requested an
update from Tyler Mann on how the changes in culture had affected performance. While the culture had not
completely changed, there were some measurable impacts:

• Walk-in traffic during extended opening hours remained high in remote branches as customers looked to
complete their banking at the beginning or end of the day’s trading hours.

• Profitability and efficiency ratios deteriorated slightly after the initial outlay of costs in implementing
management changes but have since stabilized.

• Credit file reviews had uncovered less variability in lending decisions and a greater understanding among
lending staff of how to review and approve applications and transactions.

• The number of customer complaints had not changed, but resolutions were being achieved 18% faster.

• The bank’s social media platform was once again focused on its community initiatives and activities and
was no longer being used by customers as a means to communicate their dissatisfaction.

• The community advisor reported strong correlation between the provision of banking services and growth
of new jobs in local counties. Further, the advisor was working with relationship managers to capture more
qualitative data for existing customers to support their future banking needs.

Key Observation

Review activities should account for the time horizon of the entity’s strategy and business objectives as well as
any associated assumptions.

Refocus on Culture to Meet Objectives
When Broad Bridge Bank identified that the actions they were taking to meet their financial objectives were
impacting their customer service objectives, they recognized the need to update their core values and focus
more on meeting customer service objectives. The bank’s directors and chief risk officer reinforced the need to
make decisions that considered the full spectrum of risks, not just the potential financial impact. With a refocus of
the culture on all of the bank’s goals, decisions are now being made that balance the customer, the community,
and the financial returns. And by having a complete understanding of the risks to all of these goals, the bank is
now better able to identify opportunities to attain each of them.

Tyler summarized the results of the changes by saying that while some of the actions taken by management had
put additional pressure on the bank’s financial results and efficiency ratios, the bank’s reputation had already
started to improve in the eyes of the community. Living the core values of the bank is now seen as integral to the
long-term strategy and will be highlighted to analysts and investors alike.

Footnotes

fn 6 Reminder: The examples do not illustrate a complete view of all enterprise risk management practices
in an organization. Each organization should consider and adapt the principles set forth in the
Framework to its specific strategies, risks, and opportunities based on its size, scale, and complexity.

fn 7 Names of organizations and people in this example are fictional, and any resemblance to actual
organizations and people is coincidental.

5. Strategy and Objective-Setting in an Energy Company

Industry Context fn 8

Energy sector entities include those that are involved in the exploration, production, or management of
resources such as oil, gas, and coal, as well as others that service these industries. Entities are usually divided
into three major components (upstream, midstream, and downstream):

• Upstream entities find and produce energy commodities such as crude oil and natural gas.

• Midstream entities process, store, market, and transport commodities.

• Downstream entities refine, distribute, and retail energy commodities.

Energy entities may be influenced by any or all of the following external factors:

• Political intervention, which is often driven by the perceived economic value (jobs) versus the social and
environmental considerations of any project and often gives rise to significant regulation.

• Economic performance that can be strongly influenced by changing commodities prices, such as crude oil
and natural gas, and be sensitive to changes in consumer demand.

• Social values, such as the call for clean energy (e.g., electricity) and the health and safety concerns
emanating from energy exploration and distribution methods that may drive stakeholder activity.

• Technological advances in extraction, refinement, and distribution.

• Legal and environmental considerations related to extraction and distribution.

They may also be influenced by the following internal factors:

• The importance of access to capital to maintain the viability of the entity.

• The challenge of securing skilled labor for operations, sometimes in remote locations.

• Processes to maintain safe and efficient operations that comply with all laws and regulations.

• Technology that supports operations.

Key Benefits of Enterprise Risk Management in the Example
This example demonstrates how enterprise risk management, applied in the setting of strategy, helps to
increase the range of opportunities and the allocation of future resources, and improves overall performance by
reducing variability in carrying out the chosen strategy.

Principles Demonstrated
The following principles are primarily demonstrated in this example:

• Principle 6: Analyzes Business Context–The organization considers potential effects of business context
on risk profile.

• Principle 7: Defines Risk Appetite–The organization defines risk appetite in the context of creating,
preserving, and realizing value.

• Principle 8: Evaluates Alternative Strategies–The organization evaluates alternative strategies and
potential impact on risk profile.

• Principle 9: Formulates Business Objectives–The organization considers risk while establishing the
business objectives at various levels that align and support strategy.

Facts and Circumstances fn 9

A national downstream provider of oil and gas, Delta Company, has been operating for over fifty years and is
publicly traded. It is regulated at the federal level, although local governments also have input on significant
infrastructure developments. The company has a solid safety record, with only minor leaks in the distribution
system in recent years. The company has a mission that refers to the acquisition and delivery of safe, reliable oil
and natural gas in a sustainable, cost-effective manner.

Over the years, Delta has generated consistently strong earnings, and in the past five years it has been rated as
"outperform" by many analysts based on its earnings history, dividend policy, and safety record. Delta’s
management and board are eager to maintain this rating, and they recognize that larger capital requirements,
especially those that may challenge the dividend policy, could trigger a downgrade in that rating.

The organization is keenly aware that it has little ability to influence demand for its products. The company is
generally expected to supply products to meet any level of demand. With current expectations of growth in
consumption, capital investment may be needed unless efforts to influence demand can be put in place. With
this in mind, Delta is in the process of deciding whether to move from traditional gas meters to smart meters. fn 10

Gas Consumption
Current daily consumption of gas typically follows a pattern as illustrated in Figure 5.1, which shows that the
demand generally hovers around 50% of the current distribution capacity. During heavy periods of demand this
can rise to 70% of capacity. Delta does not wish to see demand exceed 85% of its capacity to deliver. As
demand increases closer to the capacity, the company will have to consider adding costly infrastructure. In the
current scenario, when there is heavy demand, the usage is trending closer to capacity.

Figure 5.1: Typical Hourly and Peak Natural Gas Consumption


Discussion
Linking Risk Appetite to Mission and Vision
Senior management, as part of their annual review of risk appetite, met on several occasions to discuss overall
risk appetite. Individual views on what constitutes acceptable risk taking for the business were expressed,
compared, and used as the basis of articulating the overall risk appetite. There was strong consensus that the
company has always taken a conservative approach when dealing with significant change that could introduce
new risks or elevate current risks to safety. This approach has always been considered prudent given the nature
of the product, the overall mission, and the assessment of the maximum amount of risk Delta can absorb.
However, Delta is willing to accept slightly greater risk when considering ways to improve customer service and
overall financial performance.

Management has chosen to portray risk appetite through the lens of the key stakeholders: customers,
employees, regulators, and suppliers. By understanding what matters to the stakeholders, the managers are
better prepared to make decisions that align with those views and reduce unintended challenges.

As they embarked on this effort, the organization initially considered the impact on stakeholders of shifting to
smart metering, comparing the pros and cons, outlined in Table 5.1.

Table 5.1: Assessing the Impact on Stakeholders


Based on what they found, the organization communicated its risk appetite as follows:

Delta Company will pursue innovation where it leads to improved customer service and efficiency in operations,
unless such innovation potentially elevates safety concerns or creates significant disruption to business
operations. Innovation that creates significant concerns about ongoing financial performance will be considered
only where customer safety risks are unacceptably high.

This risk appetite is cascaded through the entity, becoming more focused for each department. (Note: As this
example is focused on a decision that has an impact on strategy, examples illustrating risk appetite for a division
or business unit are not shown here.)

Choosing a Strategy for Meters


The company had not upgraded its gas metering infrastructure in many years, relying on traditional diaphragm
meters for its residential customer base. These meters are relatively inexpensive to produce and install and
generally have a long life expectancy. However, they fail from time to time, causing customer supply to be cut
off. Further, they must be read manually, and they only capture gas usage at the time of reading.

There are several factors the company needed to consider when developing a new strategy for meters. First, the
current infrastructure did not allow the organization to manage consumer consumption patterns, so it did not
have the information it needed to implement approaches that could change consumer behavior. For instance,
implementing peak period billing provides an incentive for customers to shift discretionary gas usage to non-peak
periods.

While the company had objectives relating to overall consumer consumption, it could not develop acceptable
levels of variation to that objective under the existing information limitations. To address this concern, the
company identified an opportunity to use smart metering technology, which would allow consumers to better
manage their usage. Delta explored a "go, no-go" decision on moving toward this opportunity. Central to this
decision was the infrastructure cost associated with upgrading to the smart meters, the cost efficiencies gained
by not having to read meters manually, and the opportunity to capture consumption data that was not currently
available to the company. Another key consideration was the safety concern about the radio frequencies emitted by
smart meters. Further, given expected growth rates, Delta knew it might need to invest in added infrastructure to
meet growing demand.

Analyzing Alternative Metering Strategies


The company focused on two options: 1) retain the current diaphragm meters, and 2) convert to new smart
meters. In considering these two options, the company reviewed the following risk categories relating to its
objective of managing natural gas demand:

• Capacity: the extent to which system capacity expansion would help satisfy increasing demand.

• Customer acceptance: the extent to which customers would embrace new technology.

• Customer behavior: the extent to which customer behavior would change once smart meters were
installed.

• Economic: the extent to which smart meters would be economically viable.

• Regulator/Government: the extent to which new restrictions on the entity might be imposed or removed.

• Resources: the extent to which resources would be able to operate the new technology.

• Safety: the extent to which safety would be compromised.

• Supplier performance: the extent to which supplier performance would affect company performance.

• Technology: the extent to which designed technologies would function as intended.

Key Observation

Risks in the initial assessment consider all stakeholders.

In order to meet the objective of managing gas demand, management developed an initial profile for each of the
two options following these broad risk categories. As this profile was being used for the initial consideration of
the merits of moving to smart metering technology, the organization completed the exercise on a qualitative
basis only. Should management decide to proceed with smart meters, they may further refine this profile using
quantitative information when they install the meters.

Key Observation

Using the same objective for both scenarios increases comparability between the resulting risk profiles.

Each of the risk categories contained within the profile was reviewed by several departments in the company,
most importantly finance, human resources, marketing, media relations, operations, and strategy. Once
management was comfortable that there was consensus on the risk ratings, they were able to develop a
comprehensive risk profile for each option. Figure 5.2 shows the level of risk relative to varying levels of
consumer consumption for both types of meters. The performance measure is shown as percentage demand of
natural gas system capacity. Delta is able to operate for short durations above its capacity by accessing gas
reserves from other neighboring utilities.

Figure 5.2: Relative Risk—Traditional Meters vs. Smart Meters

Figure 5.3 combines the information for traditional and smart meters in a graph comparing the risk profiles. It
shows that the traditional meter has less risk at the current target level of demand, but as consumption
increases, the overall amount of risk increases. Delta has little ability to change overall consumer demand, but
smart metering provides a mechanism to change customer behavior, which impacts the demand. At the level of
upper performance tolerance, the risk associated with the two types of meters is the same (Point A). The profiles
show that as demand increases beyond the upper performance tolerance, the risk associated with the smart
meter is lower than the traditional meter. Some of the risks that change at the upper demand levels for the
traditional meter are customer behavior, regulator/government, supplier performance, and resources.

Figure 5.3: Comparing Risk Profiles—Managing Gas Demand

Management decided to recommend moving to the smart meter technology, based on the overall impact on
capacity demand (performance). Consequently, they built a full business case to present to the board and,
ultimately, to the regulator to approve the change to smart meters. After meeting with management, Delta's
board agreed with the recommendation.

This approach also addressed a concern about capital investment needed to expand capacity. At current growth
rates, Delta knew it would need to expand system capacity over the next ten years. Implementing smart meters
created the ability to shift demand, which would defer this capital expansion. Management believed that with
proper planning and oversight, the company could successfully implement such a strategy. Installing smart
meters would allow the company to allocate capital resources based on the risk appetite developed. They were
also aware that similar companies in other regions might be willing to share experiences in implementing these
programs (because they weren’t direct competitors). With all this in mind, the senior management team, with the
help of human resources, began to identify individuals to hire or assist with the project.

Cascading Business Objectives


Delta developed many supporting objectives to meet this high-level objective of implementing smart meters.
While not shown in this example, the company considered questions such as:

• Do we have sufficient financial capital necessary to achieve the objective?

• Do we have sufficient staff to carry out the tasks necessary to achieve the objective?

• What processes, systems, or supporting technologies may be impacted by setting this objective?

• What would happen if the company performs 20% or 30% above the goal being set for this business
objective?

• What would happen if the company performs 20% or 30% below the goal being set for this business
objective?

Figure 5.4 shows three entity-level objectives developed by management and cascaded into various divisions,
relating to project management, information technology, and human capital. These divisional objectives helped
to address a risk to the entity-level objective. In addition, the figure shows how the organization identified risks to
these objectives at each level.

Having considered the potential risks for the various business objectives, Delta was confident they could achieve
each of them.

Figure 5.4: Cascading Objectives—Delta

Figure 5.5 follows the path of the first objective, "Identify a vendor suitable for implementing smart meters," and
shows that Delta has set acceptable variations in performance for these objectives.

Figure 5.5: The Path to Acceptable Variation

As Figure 5.5 illustrates, Delta initially set the range of acceptable variation for identifying qualified vendors at a
minimum of three and a maximum of eight. But upon review, the senior managers became concerned that the
specifications may be overly restrictive and could exclude some potential vendors. Management debated
lowering the qualifications and potentially reducing quality and increasing operating costs against the benefit of
creating greater competition for the contract. Following this discussion, the organization revisited the qualification
requirements, reducing some specification levels to allow more vendors to prequalify.

Key Observation

Once the objectives are set, the conversation shifts to acceptable variation in performance. Risk appetite is
reflected in the setting of objectives and goals.

Next, the organization combined the information into a simple depiction of the entity-level objectives, goals, and
acceptable variation and how the objectives cascaded into the business. Figure 5.6 illustrates how this was done
for the first business objective on project management. The other two objectives (in gray) would be completed in
a similar manner.

Figure 5.6: Entity-level View of Objectives, Goals, and Tolerance

Looking Forward
From the outset, Delta set out to improve its ability to pursue new opportunities, to enhance its allocation of
resources, and to improve overall performance by reducing variability in carrying out the chosen strategy.
Management gained confidence that they could foresee the risks associated with adopting new smart meters
versus retaining the older-style meters. Those risks were considered in terms of maintaining consistency with the
overall mission and how the decision might be viewed by its stakeholders—all cast through the lens of risk
appetite. Equally important, management came to understand that it could reduce variability in demand by
changing the overall metering approach and deploying current resources more efficiently instead of focusing
more resources on existing processes.

Key Observation

The business objectives developed form the basis of the risk assessment considering the risks to the achievement
of each objective.

Footnotes

fn 8 Reminder: The examples do not illustrate a complete view of all enterprise risk management practices
in an organization. Each organization should consider and adapt the principles set forth in the
Framework to its specific strategies, risks, and opportunities based on its size, scale, and complexity.

fn 9 Names of organizations and people in this example are fictional, and any resemblance to actual
organizations and people is coincidental.

fn 10 This example has been simplified to focus on just one important strategic initiative. A typical
downstream company would likely have more than one initiative in development at any time.

6. Strategy and Objective-Setting in a Not-for-Profit Entity

Industry Context fn 11

The not-for-profit sector consists of a wide variety of entities dedicated to furthering a particular cause or
advocating a particular point of view. These entities are typically divided into two groups: community-serving and
member-serving. Community-serving entities usually focus on delivering human services programs or projects,
aid and development programs, medical research, education, and health services. Their reach may be local,
regional, or international. Member-serving entities include mutual societies, cooperatives, trade unions, credit
unions, industry and professional associations, sports clubs, and advocacy groups.

Not-for-profit entities may be influenced by the following external factors:

• Political stability, required to gain access to infrastructure and local administration, such as permits.

• Government support to provide grants for the types of work that these organizations perform.

• An understanding of what drives disposable income and corporate profits, both of which are important for
this sector as much of the funding is donor generated and there is significant competition for funds.

• The emotional aspect of giving, which affects what causes donors respond to.

• Advances in technology that allow organizations to deliver services more efficiently.

• Regulations on the delivery of aid from both the country the organization is headquartered in as well as
where aid is provided (e.g., medical volunteers must comply with any licensing regulations governing their
profession).

They may also be influenced by the following internal factors:

• Capital needs for equipment and machinery.

• The right mix of permanent staff and skilled and non-skilled volunteers.

• Effective processes for training to enable efficient and effective response.

• The effectiveness and efficiency of response, which depend on access to current technologies.

Key Benefits of Enterprise Risk Management in the Example
This example demonstrates how enterprise risk management, applied in the setting of strategy, helps to improve
resource deployment.

Principles Demonstrated
The following principles are primarily demonstrated in this example:

• Principle 6: Analyzes Business Context–The organization considers potential effects of business context
on risk profile.

• Principle 7: Defines Risk Appetite–The organization defines risk appetite in the context of creating,
preserving, and realizing value.

• Principle 8: Evaluates Alternative Strategies–The organization evaluates alternative strategies and
potential impact on risk profile.

• Principle 9: Formulates Business Objectives–The organization considers risk while establishing the
business objectives at various levels that align and support strategy.

Facts and Circumstances fn 12

Echo Relief is an international not-for-profit entity operating in fifty countries in both permanent and temporary
locations. Its focus is providing food, shelter, healthcare, and education to needy and displaced persons around
the globe. In responding directly to these humanitarian needs, Echo relies on volunteers. In fact, approximately
90% of the personnel are volunteers and 50% of those return to work on multiple projects. The majority of
volunteers are retired military personnel, doctors, dentists, nurses, emergency medical technicians with trauma
experience, teachers, and people with prior disaster relief or aid experience. New volunteers are always paired
with a "buddy" who has previous experience with the organization.

Echo Relief receives funding primarily from individual and corporate donors with a smaller portion coming from
government grants for specific projects. Most donors designate donations to be used "where needed most,"
which provides flexibility in applying resources. Echo uses 14% of donated funds on administrative costs, and
the remaining 86% goes to programs and projects (80% is generally considered as efficient for a not-for-profit
entity). The percentage assigned to programs and projects can be a differentiator when competing with other
entities for donors, some of which are large international entities and religious organizations.

The mission statement is "Echo Relief helps meet the needs of people who are victims of war, poverty, natural
disasters, disease, and famine." To perform on this mission, Echo provides relief for ongoing needs relating to
disease and famine, and offers immediate response for disasters. In a recent strategy review, senior leadership
focused on whether they wanted to concentrate their resources on the short-term response projects or the long-
term community transformation projects.

Discussion
Linking Risk Appetite to Stakeholder Goals
As a part of regular performance reviews, Echo Relief found that it was making inconsistent decisions about
deploying its resources to different projects. In some cases, projects were accepted that stretched both volunteer
and monetary resources. Consequently, the board of directors decided that management should develop a risk
appetite statement. Echo has several stakeholders and the board wanted to include perspectives from
permanent staff, volunteers, and donors in articulating the overall risk appetite. The discussion centered on three
core areas of concern:

• Staff and volunteer safety: because Echo Relief is mandate driven and the projects accepted are often in
fragile and conflict-affected areas, they are willing to take on a moderate amount of risk relating to the
safety of staff and volunteers.

• Misuse of funds: the need to be good stewards of donor funds requires a low appetite for risks relating to
misuse of funds.

• Financing new programs: given the donor history, with a large portion of funding coming from the general
public with no restrictions, Echo Relief has a higher appetite to take on risk relating to financing new
programs. It does not need to run targeted funding campaigns and is able to fund new, innovative
programs.

After the discussion on risk appetite, Echo Relief wrote the following risk appetite statement for the entity overall:

Echo Relief will pursue new programs that enhance delivery of services to those in need within our financial
ability. We will accept moderate risk to the safety of staff and volunteers as we respond to disasters. In order to
maintain good stewardship of donor funds, we have a low appetite for risks related to misuse of funds.

In order to cascade the understanding of the statement, management portrayed risk appetite in greater detail by
aligning statements with the stakeholders noted above. For instance, the part of the risk appetite statement
relating to staff and volunteers added clarity on decisions impacting those individuals. These statements were
cast as shown in Figure 6.1.

Figure 6.1: Risk Appetite Cascaded to Multiple Levels

Choosing a Strategy for Delivering Aid
In recent years, Echo Relief has seen an increasing global need for the type of aid they deliver. This increase
was identified through a trend analysis of the number and types of projects that have been undertaken (and not
undertaken) in the last five years. In many cases the demand far surpasses the supply of available aid. Different
parts of the world suffer from conflict, poverty, and natural disasters, requiring aid to be delivered through
various channels. In the case of disaster relief, the usual response is to set up a temporary operation that
requires less capital, but that can be hampered by the lack of infrastructure needed to deliver supplies and
materials. In the case of ongoing relief in response to systemic poverty and widespread famine, Echo invests
directly in communities through schools, hospitals, nutrition programs, and water sustainability projects that often
require larger capital outlays.

As part of its annual strategy assessment, Echo Relief decided to revisit the strategies for delivering aid,
primarily to determine which had the greatest impact on the communities they were serving. Senior leadership
focused on two strategies: emergency relief and disaster recovery. (Previously, Echo provided emergency relief,
but realized they had a larger impact when they arrived after the initial relief efforts and focused on helping
communities rebuild and respond.)

Analyzing Emergency Relief and Disaster Recovery Strategies
The initial discussion of the two strategies revealed a third option, which was to perform both strategies
simultaneously. Senior leadership wanted to understand how the risk profile would change in that case. The
three alternatives were developed to help Echo Relief meet its stated objective "to provide recovery assistance
to as many vulnerable or displaced people as possible." In considering these alternatives, the entity focused on
the following risks as a part of the risk profile:

• Safety of volunteers: the possibility of harm to staff and volunteers.

• Partner relations: the possibility of no partners with acceptable locations to deliver aid.

• Government relations: the possibility of governments either from the headquarters country or the country
receiving aid not allowing the aid to be provided.

• Misuse of funds: the possibility of funds being used for unacceptable purposes.

• Human capital: the possibility of not having skilled volunteers.

• Supplier performance: the possibility of suppliers being unable to deliver supplies to the recovery area.

• Donor engagement: the possibility of donors not donating to the project.

Key Observation

When developing a risk profile, the element of time should not be included as a factor.

Using these broad risk categories, senior leadership developed an initial profile for each option to consider the
merits of investing in one of the two strategies, or the two together. The exercise was completed qualitatively
using a scale from 1 to 10, not by developing a specific quantitative model. Each of the risks noted was
reviewed by several functions in the organization, most importantly security, donor engagement,
governmental liaison, partner relations, operations, finance, and human resources. Once leadership was
comfortable that there was consensus on the risk ratings, they were able to develop a comprehensive risk profile
for each option, showing the level of risk relative to the number of people assisted. Figure 6.2 shows the risk
profile for each strategy.

Figure 6.2: Relative Risk—Emergency Relief and Disaster Recovery

When the three risk profiles are combined on one graph, as in Figure 6.3, their respective risk curves can be
compared.

Figure 6.3: Assessing Risk—Emergency Relief and Disaster Recovery
In this example, Echo Relief’s risk appetite is above its capacity. During discussions, the senior leadership said
they were willing to respond to any situation where people needed help, even if the funding or personnel is not
immediately available, provided that there is a reasonable expectation that funding can be attained after the fact.

They also noted that the target performance goal is different for Options A and B compared to Option C. If either
Option A or Option B were selected, the target would be set at 40,000, and Echo would likely breach risk
appetite once assistance increased into the range of 70,000 to 80,000 people. They noted that with Option C
they had the ability to assist more than twice the people because they would be maintaining the same number of
headquarters staff regardless of the number of projects. Therefore, the ratio of overhead costs to projects would
go down for every additional project added.

The risk profiles prompted a discussion about performance. Option B (disaster recovery) has less risk than the
other two strategies, until the number of people helped increases to approximately 60,000. If Echo were to select
Option B, they could move performance from 40,000 to 60,000 people helped with little increase in the risk
taken. If they were to choose Option C, they could potentially help even more people. Note that the risk profiles
do not show a tolerance for acceptable variation in performance; at the time a disaster occurs, Echo Relief would
determine the lowest number of people aided that would make the response worthwhile.

Echo Relief ultimately chose a strategy based on the number of people who they could assist within their risk
appetite: Option C. However, the leadership team recognized the need to monitor funds and personnel as aid
delivery begins to approach 120,000 people at any given time to make sure they had the ability to continue
operations.

Cascading Business Objectives
After deciding to pursue both strategic alternatives simultaneously, Echo Relief developed entity-level business
objectives to meet this goal, and these were then cascaded throughout the entity. Then, each division developed
division-level objectives in response to risk to the entity-level objectives.

Key Observation

When developing business objectives, be sure to consider all the risks identified as part of the strategy.

Some of the questions that Echo Relief considered as a part of setting the business objectives were:

• At what point do we evacuate volunteers and staff due to safety concerns?

• Do we have the appropriate partners on the ground to deliver the aid?

• What if the government does not allow us access to the damaged areas?

• What is the best allocation of funds to achieve objectives?

• Does the organization have enough available and capable volunteers to deliver the aid?

• What are the implications to the organization from a supplier perspective if there are 10% to 20% more
than the target number of people who need assistance?

• How do we obtain enough donor-generated funds to continue operations?

Having considered these matters in the setting of the business objectives, Echo Relief determined they could
reasonably expect to successfully achieve them. Figure 6.4 illustrates how entity-level objectives cascade to
division-level objectives for four divisions of the organization (partner relations, marketing, supply chain and
human capital). The organization identified risk from the entity-level objective, and then developed divisional
objectives that addressed the entity-level risk. From there, the organization identified risks to the divisional
objectives.

Figure 6.4: Cascading Objectives—Echo Relief

For the first objective, to identify local partners to deliver aid, Echo Relief set a target of having accredited
partners predetermined in or near each of its fifty country locations, so that when a disaster occurs, or a
community development project is approved, it would already know who it can work with (see Figure 6.5).
Considering risk appetite in developing this tolerance, senior leadership took the view that below twenty-five
accredited partners, the organization would not be able to create a sufficient number of programs to deliver
needed services, and would therefore be outside its risk appetite. Conversely, should the number of accredited
partners rise above 100, efforts would be spread across too many partners to deliver the intended services.

Figure 6.5: Setting Acceptable Variation in Performance
Next, the organization combined the information into a simple depiction of the entity-level objectives, goals, and
acceptable variation and how the objectives cascaded into the business. Figure 6.6 illustrates how this was done
for the first business objective on identifying local partners. The other three objectives (in gray) would be
completed in a similar manner.

Figure 6.6: Combining Information

Refreshing Strategy to Deploy Resources Effectively
In applying the principles relating to strategy and business objectives, Echo Relief refreshed their strategy based
on their mission and vision. They considered the risk associated with the refreshed strategy and developed
business objectives taking those risks into account. Through the process of cascading business objectives from
the entity-level to the divisional level, the organization identified risks to the strategy at each level, and
developed further strategies to address those risks. Refreshing the strategy allowed Echo Relief to deploy
resources more efficiently and to enhance the value it could provide to the regions it serves.

Footnotes

fn 11 Reminder: The examples do not illustrate a complete view of all enterprise risk management practices
in an organization. Each organization should consider and adapt the principles set forth in the
Framework to its specific strategies, risks, and opportunities based on its size, scale, and complexity.

fn 12 Names of organizations and people in this example are fictional, and any resemblance to actual
organizations and people is coincidental.

7. Performance in a Consumer Products Company

Industry Context fn 13

The consumer products sector includes a wide variety of companies ranging from mass retailers and specialty
stores to manufacturers and distributors of packaged goods, such as food and beverages. Consumer products
companies often seek profitable growth by expanding business scale and scope while simultaneously
rationalizing operations.

Consumer products entities may be influenced by any or all the following external factors:

• Political interventions, often driven by consumer safety, and social and environmental considerations.

• Commodity prices that affect the cost of manufacturing and distribution.

• Disposable income of consumers, which is a by-product of factors such as unemployment, wage levels,
and inflation.

• Consumer preferences that change rapidly, particularly in the food and beverage industry (e.g., the trend
toward healthier, sustainable food products).

• Digital consumer engagement that is reshaping the way companies interact with their customer base.

• Regulations pertaining to climate change, resource scarcity, and consumer protection.

They may also be influenced by the following internal factors:

• Access to capital to support investments in technology and research and development, as well as to
support mergers and acquisitions.

• Skilled workers needed for research and development for innovative products.

• The need to invest in more sustainable, efficient, and effective processes.

• Technological advances and investments in data analytics to extract consumer insight and improve cyber
security as more transactions occur on-line.

Key Benefits of Enterprise Risk Management in the Example
This example shows the benefit of enterprise risk management to identify and manage entity-wide risks.

Principles Demonstrated
The following principles are primarily demonstrated in this example:

• Principle 10: Identifies Risk–The organization identifies risk that impacts the performance of strategy and business objectives.

• Principle 11: Assesses Severity of Risk–The organization assesses the severity of risk.

• Principle 12: Prioritizes Risks–The organization prioritizes risks as a basis for selecting responses to risks.

• Principle 13: Implements Risk Responses–The organization identifies and selects risk responses.

• Principle 14: Develops Portfolio View–The organization develops and evaluates a portfolio view of risk.

Aspects of the following principles are also demonstrated in part in this example:

• Principle 20: Reports on Risk, Culture, and Performance–The organization reports on risk, culture, and performance at multiple levels and across the entity.

Facts and Circumstances fn 14

Friendly Fruit Juice Company, founded in 1996, is a regional family-owned manufacturer and supplier of fruit
juices with approximately 500 employees. Friendly Fruit Juice strives to be the leading beverage supplier of
healthier and tastier juices in the region, and its mission statement makes this clear:

Our mission is to create and maintain a sustainable company that embraces product innovation to satisfy
customer needs for a healthier and tastier juice while maintaining community trust.

During its early years, Friendly Fruit Juice considered risk whenever a significant issue arose. Often, Jamie
Doyle, the chief executive officer (CEO), would create small teams to identify the causes of the issue and
potential solutions. However, as the company grew, Jamie realized the importance of having more timely and
insightful information for the business. The organization began to shift its focus from these one-off meetings to
integrating enterprise risk management capabilities into daily business operations, mainly with a goal of
identifying and managing entity-wide risks. As enterprise risk management has become more embedded in
strategic decision-making, management has increasingly focused on considering various strategies, and chosen
one that best fits the company’s core mission.

Friendly Fruit Juice takes the time in the monthly senior management meetings to discuss risk as it relates to the
overall performance of the business. Jamie also spends much more time updating the board of directors on
these conversations and engaging them to capture their own views.

Note: This example focuses on one business objective only. In practice, the company would have multiple
objectives; these activities would be performed across all of them, and the effect on each objective would be
analyzed.

Discussion
Every week the marketing department reviews various mainstream and social media postings to identify
changes in customer sentiment and identify any public issues with the reputation and brand. Recently, the
marketing director, Angarika Kapur, identified an escalating trend in comments about the company’s juice line,
with many consumers requesting plant-based juices. The director identified this change in the environment as
potentially affecting the company’s ability to meet one of its stated objectives: "develop innovative products to
meet customer needs."

At the next monthly senior management meeting, Angarika raised this issue, and the group discussed the
consumer feedback as an opportunity for Friendly Fruit Juice to develop a new line. They presented their
proposal to Jamie for consideration in the planning process. After looking at how well this opportunity aligned
with the mission and vision, and considering the potential risks that could arise by selecting such a course of
action, the company decided to develop a line of plant-based drinks. fn 15

Based on their historical record of delivering new products to market, Friendly Fruit Juice set an objective to
have the plant-based drink represent 20% of their product line by the end of the first year of production. This
objective cascaded into the organization as shown in Figure 7.1, which focuses on identifying risks across four
main aspects of the business: procurement, manufacturing, distribution, and marketing.

Figure 7.1: Cascading Objectives—Friendly Fruit Juice

Each department discussed the risks associated with the objectives at their level and then selected their own
approach, based on the initial views of the new goal.

• The Procurement Department, under the direction of Marley Harper, had an initial view that many risks would be similar to those relating to procurement of fruit juice, and selected an approach based on round-table discussions.

• The Manufacturing Department, under the direction of Simone Jorgensen, also had an initial view that many risks would be similar to those relating to fruit juice production. She initially conducted an internal meeting with her department, and they soon realized that adding a new product line introduced greater complexity to scheduling.

Consequently, they developed more detailed modeling to better understand the risks of introducing this new
product line.

• The Distribution Department, under the direction of Fabien Pisarski, wanted to take a different approach from the start. They undertook a process analysis to better understand what risks could impact their distribution channels.

• The Marketing Department, under the direction of Angarika Kapur, felt that they needed more external information. They used a variety of publicly available data to capture risks, and they ran a series of focus group sessions with potential users to understand the risks impacting their ability to generate sales.

Procurement
The Procurement Department was responsible for identifying the raw materials for the new plant-based juice
line. Marley Harper’s team’s primary objectives focused on obtaining high-quality ingredients at the best possible
price and adhering to all regulations regarding pesticide usage. They also considered the company’s values and
sourced ingredients from local growers whenever possible (although this was not a direct objective). They
discussed the current business environment and how it would affect the new juice line. Friendly Fruit Juice
sourced 90% of its fruit from five growers, four of which were located within 100 miles of the processing plant.
Although Friendly Fruit Juice Company sourced ingredients primarily from local vendors, it had agreements with
vendors from other regions to allow for the variability of weather conditions, which significantly affect supply and
prices. Of the five local growers, three also were growing vegetables that could be used for the new line. All five
had strong records of strictly adhering to government requirements on pesticide use.

The team identified risks relating to the objectives of the department, shown in Figure 7.2. They also discussed
some of the responses that were in place across the department to manage these risks, and then they assessed
each risk on a scale of 1 to 5 for likelihood and impact (a scale developed and recommended by the
management team).

Figure 7.2: Identifying Procurement Risks to Objectives

The procurement team reviewed the risk ratings, focusing on the possibility that the shift to plant-based juices
would result in higher costs and impact the financial goals of Friendly Fruit Juice Company in light of the company’s
risk appetite statement, "Friendly Fruit Juice Company is willing to take on risk in pursuit of value as we strive to
be innovative in the development of products to meet our customers’ needs and remain competitive in the
beverage industry." The procurement team concluded that this shift in production could impact the achievement
of the financial goals, but that the overall risk to the objective was still within the company’s risk appetite.

Manufacturing
The Manufacturing Department also added the new line as a point of discussion during its daily production run
meetings. Simone Jorgensen’s team had two primary objectives: meet customer demand and produce high-
quality juices at the best possible price. The managers and directors of the department discussed the
performance target of having the plant-based product line account for 20% of sales by the end of the first year.
In their review of what would be required to break down plants into juice, they determined that no changes to the
existing machinery would be needed. They also discussed the potential of demand being greater than
anticipated and how that might affect production, noting that they had two manufacturing plants in their
distribution area to allow for the raw materials to be sourced locally, and both plants were located within a
twenty-four-hour drive, which would allow for additional capacity should there be a problem with any of the
machinery used in production. On this second point, they attained greater confidence through modeling product
flow from procurement through the full manufacturing process, including the time needed to change production
runs from fruit-based to plant-based production, and vice versa.

The Manufacturing Department identified four risks associated with the objectives of the manufacturing
department relating to the new plant-based juice line, as shown in Figure 7.3.

Figure 7.3: Identifying Manufacturing Risks to Objectives

Distribution
The Distribution Department identified two main objectives relating to the new juice line: get the product into the
distribution channels used by target clients and leverage existing channels for efficiency and best cost. Friendly
Fruit Juice followed a selective distribution model and focused their distribution channels on specialty retailers
for distribution of their current product line. The distribution for the new line was anticipated to be similar, with the
addition of a few new vendors. Fabien Pisarski’s team did a process analysis and then discussed the risks that
they were currently managing for the fruit-based line and how the new line might change those risks or add new
ones. The discussion centered on the ability to meet their two primary objectives, as shown in Figure 7.4.
The distribution team then assessed the risks on the scale for likelihood and impact, as shown.

Figure 7.4: Identifying Distribution Risks to Objectives

Fabien also brought her knowledge of the risks to the monthly senior management meeting.

Marketing
The primary objective of the Marketing Department was to generate new sales for the plant-based juice line.
Friendly Fruit Juice Company has focused on specialty retailers for distribution of their current product line. After the
decision was made to develop the plant-based juice line, Angarika Kapur’s team reviewed information captured
from a variety of publicly available data and the focus group sessions with potential users to understand the risk
in developing a marketing plan. Once the product launched, the marketing team met weekly to review the prior
week’s sales. As a part of these discussions, Angarika led a discussion on what could prevent the company from
meeting the objective of the new product accounting for 20% of the sales mix by the end of the first year. Figure
7.5 illustrates the risks identified.

Figure 7.5: Identifying Marketing Risks to Objectives

When combined, the relationship between objectives and risks becomes apparent, as shown in Figure 7.6.

Figure 7.6: Identifying Overall Risks to Objectives

This view also noted some interesting relationships beyond just risks to objectives:

• As there is a dependency between two objectives (one relating to procurement and one relating to manufacturing), the pricing risks to one of those objectives may impact the ability to achieve the other and the overall business objective. (This is depicted as "A" on Figure 7.6.) There is also a third objective relating to distribution which has a cost aspect and could also impact the ability to achieve the overall business objective.

• One similar risk was noted by two different groups: marketing and distribution. Each group also assessed this same risk differently. (This is depicted as "B" on Figure 7.6.)

Assessing and Prioritizing Risks

Once all the departments identified and assessed the risks associated with the relevant objectives, Marley,
Simone, Fabien, and Angarika aggregated the information at the enterprise level. That information helped them
to understand how the likelihood and impact of the risks may change at different levels of the company.

Key Observation

Risk should be considered through the lens of objectives so that resources can be used efficiently.

To assess the severity of risk on enterprise objectives, they used information from a review of business plans
and budgets; prior risk assessments; financial, board, and annual reports; customer surveys; and social media
postings. In addition, they used the company’s historical risk occurrence and publicly available information from
other small beverage companies to determine the likelihood of the risk occurring.

As an interim step in examining the information, the team consolidated their respective risk assessments. They
recognized that the consolidation presented more of a risk-centric view rather than an analysis of the effect of
the risks on the objectives. The consolidation is shown in Figure 7.7 with the severity of each risk color-coded:
red = high; yellow = medium; green = low.

Figure 7.7: Consolidation of Risks—Friendly Fruit Juice

Marley, Simone, Fabien, and Angarika wanted to use the risk information obtained from the different
departments to understand the effect on the enterprise objectives and determine after prioritization what risk
responses they should employ. To that end, they discussed whether each business objective was at risk. Three
of the seven objectives required little discussion, and they determined that the status of those objectives was the
same as the related risks (either green or yellow).

Key Observation

When assessing the objectives, the risk with the highest severity may not directly transfer to the objective. The
effect on objectives should be discussed.

Procurement

When they discussed the risks to the objective "Obtain high-quality ingredients at the best possible price," there
was general consensus that finding the right mix of ingredients would be critical to achieving a tasty beverage.
That meant more ingredients may be required, which would represent a greater risk to the achievement of the
objective. Further, the dependency on multiple departments increased the concern over achieving this objective.
Therefore, the team decided to rate the objective as medium (yellow). The second objective "Adhere to all
regulations regarding the use of pesticides" was rated as medium, consistent with the respective risks.

Manufacturing
When they discussed the objective "Meet customer demand," they considered whether the risk that had been
measured as high (red) would translate to the objective being a higher risk. The senior management team
determined that the new quality assurance process recently put into place across the department had not been
fully considered when assessing the risk, and therefore the severity of the risks impacting the achievement of the
objective was lower. The second objective of "Produce high-quality products at the best possible price" was
rated as medium, consistent with the respective risks.

Distribution
The conversation about the objective "Get the product into the distribution channels used by customers" sparked
much discussion about how it should be measured. Given that the risks to this objective were assessed as
medium (yellow) and high (red), Marley, Simone, Fabien, and Angarika wrestled with several questions:

• Should we combine the risk ratings for these two risks and use that for the objective?

• Does one risk warrant more attention at the enterprise level than the other?

• Considering both risks, what is the overall impact on the performance for that objective?

They also considered that the risk was assessed differently by different teams. The initial assessments were
viewed as reasonable for the respective areas. Ultimately they determined this objective was at higher risk given
the contract environment with current vendors. Many contracts had been recently negotiated and the marketing
department expressed concern with the negotiating process for several of the vendors. The second objective of
"Leverage existing channels for efficiency and best cost" was rated as moderate, consistent with the respective
risks.

Marketing
Finally, the conversation about the objective "Generate new sales for the plant-based juice line" had a more
diverse risk assessment. While there was overlap with other objectives and there remained a lingering concern
that a new plant-based line would have targeted success, the management team remained confident that,
overall, there was a lower level of risk to the department objective.

Overall Analysis
After the discussion, it was determined that the company still had a reasonable expectation of meeting the
business objective and target of "Develop a plant-based juice product to meet customer needs that represents 20%
of the overall product line." The outcome of all of the discussions of the objectives and the risks is shown in
Figure 7.8.

Figure 7.8: Extended Consolidation of Risks—Friendly Fruit Juice

By approaching the discussion of risks through the different objectives they may impact, the team was able to
determine which objectives were at greatest risk of not being achieved and the effect on the overall performance
of Friendly Fruit Juice Company. Specifically, this approach enabled the team to identify:

• Risks that could significantly impact a single objective

• Risks that could have an impact on multiple objectives and be considered as significant as a result

• Objectives that have a greater number of risks

• Dependencies between different risks and objectives that could influence their rating

Key Observation

When prioritizing risk, organizations with multiple objectives and interconnected risks will face a more complicated
process. Complexity, adaptability, velocity, persistence, and recovery should also be considered.

Further discussion noted that additional considerations, beyond risk severity, were needed when determining
which risks and objectives required management’s focus. The establishment of prioritization criteria was
intended to help management select and implement appropriate risk responses and the deployment of limited
resources based on the risk ratings and the status of the objective. Marley, Simone, Fabien, and Angarika
considered two added criteria: adaptability and complexity.

• Adaptability was considered from the view that the company was embarking on a new product line. Some objectives tied to launching the new product line were impacted by the same risks relating to its current product line, such as those relating to pricing and distribution. However, other objectives could be impacted by new risks that management would need to address for the first time, such as the ability to appeal to a broader range of customers and possible issues with product consistency and quality. Their confidence in managing new risks to objectives was less than it was for risks with well-proven responses, and there may be some refinement needed when managing these risks. Risks that required greater adaptability or change management efforts were prioritized above those that did not.

• Complexity was viewed through the perspective of whether some risks would impact other risks, or whether underperformance on one objective would impede the achievement of another objective. While several objectives were viewed as having potential overlap, three objectives were identified as having important cost pricing dependencies. These objectives related to procurement, manufacturing, and distribution, and the relevant risks were prioritized as a result.

With this added information, Marley, Simone, Fabien, and Angarika agreed that while the company needed to
address all objectives, two in particular required a more focused attention.

1. The manufacturing objective "Produce high-quality products at the best possible price" was considered by
management as needing added focus, as there were several medium-rated risks tied to that objective and there
were noted dependencies with the procurement objective "Obtain high-quality ingredients at the best possible
price".

2. The distribution objective "Get the product into the distribution channels used by customers" is one of two
objectives that are associated with a red risk and the only objective to be assigned a red status. While there was
one other higher-rated risk impacting the manufacturing objective "Meet customer demand", the overall assessed
risk to the manufacturing objective was deemed lower, suggesting that risks to this objective did not require the
same level of attention as the risks to "Get the product into the distribution channels used by customers".


In selecting the appropriate responses for the related risks (and hence objectives) that were identified as the
highest priority, the management team considered the following factors:

• Business context: Risk responses were selected and tailored based on the current business context for the company. Friendly Fruit Juice Company enjoyed a strong brand following based on the quality of the products used. The existing product lines used organic, locally sourced materials where available.

• Costs and benefits: The strategy of producing a high-quality beverage using organic, locally sourced materials without additives could result in additional cost. Leonard Kruit, the chief financial officer, produced an analysis showing the increased cost of materials against the potential sales and revenue figures.

• Obligations and expectations: Compliance and regulatory requirements, stakeholder expectations, and other obligations were considered. A primary stakeholder for the company is the consumer. Considering the prioritization criteria, senior management decided to add two new suppliers to their vendor list to provide the plant-based materials needed for their new line.

• Risks emanating from the response: New risks that may arise from selecting particular responses were also discussed. Given the response of adding two new suppliers for the plant-based materials, the team considered the potential risks to the current supply chain and any impacts on the contracts with current suppliers.

• Opportunities emanating from the response: The team considered what new opportunities may develop from selecting particular responses. One of the two new vendors was a locally operated farm that maintained a market on site for its goods and a booth at one of the premier farmers’ markets in the area. Friendly Fruit Juice determined that this could be an opportunity for joint marketing and adding locations where their goods could be sold.

Review of Risks Impacting Manufacturing Objective


Of the risks relating to the functional unit objective "Produce high-quality products at the best possible price,"
focus was given to "The possibility that the cost of manufacturing plant-based juices is higher than fruit-based
juices." Marley, Simone, Fabien, and Angarika considered each of the following potential responses.

• Accept: While there is a potential impact on the reputation, brand, and trust if there were an issue with the quality, the management team was not willing to produce quality products without considering the cost of manufacturing. The team determined it would not accept this risk.

• Avoid: The plant-based juice line aligned with the mission and risk appetite, and therefore the company determined to move forward with the strategy. Therefore, they did not select the risk response "avoid."

• Pursue: The team reviewed the performance targets for the new line and determined that they did not want to pursue increased risk for increased performance.

• Share: Various outsourcing options were considered and determined to be unsuitable.

• Reduce: The team determined that the company should reduce the severity of the risk. Some of the actions included:

  • Developing a detailed understanding of the new manufacturing process and where costs were most impacted in that process

  • Developing real-time indicators that help in identifying when those areas of greatest impact on cost are exceeding acceptable levels of performance, thereby allowing for management intervention much earlier

  • Designing a new quality assurance procedure for the production of the new line to avoid costly product waste.

Once these actions are put in place, the team believes that the risk will reduce in severity to an amount
consistent with the overall levels desired by the company.

Review of Risks Impacting Distribution Channel Objective


Of the risks relating to the functional unit objective "Get the product into the distribution channels used by
customers," one stood out as having a higher severity: "The possibility that the new product cannot be placed at
current vendors and its impact on inventory." The team considered each of the following potential responses.

• Accept: The severity of this risk would place performance outside of tolerance, and therefore senior management will not accept it.

• Avoid: The plant-based juice line aligned with the mission and risk appetite, and therefore the company decided to move forward with the strategy. Therefore, they did not select the risk response "avoid."

• Pursue: The team determined that there was an opportunity to pursue new vendors and joint market the plant-based line with vendors who also maintained farmers’ market stands.

• Reduce: The team determined that the company could reduce the severity of the risk. While they considered various options on how management could do that, they felt that the risk response would be more effective if they were able to partner with another party.

• Share: One possible action included negotiating new agreements with current distributors. Friendly Fruit Juice entered into an agreement with a reseller who would take any unsold plant-based juices and in turn convert them into generics for resale.

Once these actions are put in place, Marley, Simone, Fabien, and Angarika believe that the risk will reduce in
severity to an amount consistent with the overall levels desired by the company.

Management’s Consideration
The discussions of the monthly senior management meeting were captured to update the portfolio view of risk,
which was presented to the board. The focus of this presentation was the performance goals associated with the
business objectives that are either over- or underperforming, the current portfolio view of risk, emerging risks,
interconnectedness of the risks, and what has changed since the previous quarter. The presentation covered
both quantitative information, such as the combined potential financial impact of certain related risks, and
qualitative information, such as descriptions developed by Marley, Simone, Fabien, and Angarika describing how
additional or modified responses were expected to reduce the severity of risk.

After every quarterly presentation to the board, the results are incorporated into dashboards, and staff meetings
are held to communicate the results and the monitoring and mitigation activities to be implemented. The
dashboard is organized by objectives and includes a view from each level of Friendly Fruit Juice Company.

An Objective Perspective
As noted initially, Friendly Fruit Juice Company’s foray into developing a stronger enterprise risk management
approach was driven by its goal to better identify and manage company-wide risks. Through improved
identification, assessment, prioritization, and response activities, Friendly Fruit Juice recognized it could achieve
its objectives. They came to understand that the amount of risk to objectives cannot be simply calculated by
averaging likelihood and impact. Rather, to meaningfully analyze their ability to meet their objectives, the
organization needed to look at their risks from an overall perspective and understand how the performance of
one objective might affect the achievement of another. This perspective provided Marley, Simone, Fabien, and
Angarika with greater clarity on which objectives required the most attention and what responses offered a more
efficient use of their respective resources.

Footnotes

fn 13: Reminder: The examples do not illustrate a complete view of all enterprise risk management practices in an
organization. Each organization should consider and adapt the principles set forth in the Framework to its specific
strategies, risks, and opportunities based on its size, scale, and complexity.

fn 14: Names of organizations and people in this example are fictional, and any resemblance to actual
organizations and people is coincidental.

fn 15: This example does not attempt to show how various strategies are evaluated and selected; this aspect
of the example has been condensed.

8. Performance in a Technology Company

Industry Context fn 16

The technology sector consists of companies involved in the production or delivery of technological products and
services, such as computers, semiconductors, software, IT infrastructure and services, telecommunications, and
home entertainment.

Technology entities may be influenced by any or all of the following external factors:

• Political and government regulatory approaches to spectrum usage, cloud computing, data privacy, sustainability, and infrastructure.

• Competition from cloud-based products and services that impact the margins of traditional hardware businesses and affect people with lower disposable incomes in developed countries, who are less likely to buy high-end consumer products.

• Consumer demand for end-to-end solutions that make the customer experience seamless and secure, such as cyber security products and services, and technologies that improve overall productivity and efficiency.

• Rapid technological changes, growing technological complexity, and the shortening of product life cycles.

• Regulatory and legal requirements arising out of political and government changes and legislation.

• Climate change and sustainability demands that push companies to provide incentives to reduce, reuse, and recycle devices.

They may also be influenced by the following internal factors:

• Capital demands to sustain merger and acquisition activities and increased liability in pensions, minimum
health benefit requirements, and legacy staff and low-skilled labor.

• The need for skilled employees, which increases the urgency to retain current talented staff and outsource
entry-level jobs.

• Processes required to obtain third-party assistance to deploy and integrate new services and technologies.

• Innovation in technology that drives efficiency and relevancy of companies in the market.

Key Benefits of Enterprise Risk Management in the Example
This example shows the benefit of enterprise risk management to identify and manage entity-wide risks.

Principles Demonstrated
The following principles are primarily demonstrated in this example:

• Principle 10: Identifies Risk–The organization identifies risk that impacts the performance of strategy and
business objectives.

• Principle 11: Assesses Severity of Risk–The organization assesses the severity of risk.

• Principle 12: Prioritizes Risks–The organization prioritizes risks as a basis for selecting responses to risks.

• Principle 13: Implements Risk Responses–The organization identifies and selects risk responses.

• Principle 14: Develops Portfolio View–The organization develops and evaluates a portfolio view of risk.

Aspects of the following principles are also demonstrated in part in this example:

• Principle 8: Evaluates Alternative Strategies–The organization evaluates alternative strategies and
potential impact on risk profile.

• Principle 20: Reports on Risk, Culture, and Performance–The organization reports on risk, culture, and
performance at multiple levels and across the entity.

Facts and Circumstances fn 17

Gulf Technology Company is a national firm that operates in three different sectors: technology services,
software, and hardware. It is a publicly traded company and has been serving individual consumers, businesses,
and governmental agencies for over twenty years. Recently, Gulf Technology has experienced rapid growth
through mergers and acquisitions. The company strives to be an industry leader in a business environment
facing intense competition, rapid technological changes in products and services, and growing pressure on
margins and overall profitability.

Gulf Technology believes that its growth and success in the technology sector can be attributed to the shared
values and innovative spirit of its team. The governance structure comprises the board of directors and its
committees, and multilevel management teams across the three departments. The company clearly defines the
roles and responsibilities of everyone at every level for achieving its mission to lead the industry in the invention,
development, and manufacture of the most advanced technologies for services, software, and hardware.

Senior-level management has worked to instill a culture in which people—regardless of level—manage risk as
an intrinsic part of their job. This culture supports open communication about risk, encourages employees to
express concerns, and maintains processes for elevating concerns to the appropriate level. Rather than being
risk averse, employees strive to understand the risks of any activity they undertake and to manage and pursue
them accordingly.

One division of the hardware business line received the approval and budget from senior management to design
and develop a new product. The business objective for this division is to achieve sales goals for all new product
launches. Supporting this objective are four new product objectives: 1) develop high-quality products, 2)
minimize losses and inefficiencies, 3) be first to market with innovative products, and 4) provide high customer
satisfaction with its products. All of these business objectives support one of Gulf Technology’s overall
objectives: develop innovative IT hardware products that are secure and cost-effective, and address consumer
needs (see Figure 8.1).

Figure 8.1: Overview of Strategy and Objectives for Gulf Technology

Discussion
To succeed with the product development and launch, Gulf Technology formed a working group for the life cycle
of new product development, as Figure 8.2 shows. The group comprises representatives from marketing,
finance, development, and supply chain, plus individual designers (front-end, industrial, etc.), and a product
manager who leads it. The group meets weekly to discuss the status of the product during each phase of
development. Any member of the working group can raise for discussion any risk about the project or product
without any fear of retribution. Management encourages this transparency to support risk-informed decisions
and improve the overall quality of products developed and delivered to consumers.

Figure 8.2: New Product Life Cycle

This example follows the evolution of the risk profile for one product through the phases of development to track
and respond. (For the purposes of this example, the earlier phases are not included.)

Develop Phase
During a meeting in the develop phase, the marketing manager brought forward new information about changes
in consumer preferences for a particular feature of the product. This discussion occurred because of a recently
implemented practice to identify key insights and potential risks during all new product development projects.

Key Observation

When developing an overall risk profile, the element of time can be factored in by developing a series of profiles
throughout the product life cycle.

Historically, the management of Gulf Technology performed annual company-wide risk identification by
conducting surveys, interviews, and workshops. However, this annual practice proved ineffective for supplying
timely information in the fast-paced technology industry. Greater agility was needed to adjust to rapid
technological changes, changing consumer preferences, and competitors (both large and small) introducing new
and improved products.

Now, all new product working groups use cognitive computing capabilities to conduct real-time risk identification
to supplement the annual company-wide practice. The advanced data analytics allow vast amounts of
unstructured and structured data to be gathered and analyzed through data mining, natural language processing,
and machine learning. Data-mining technology is used to analyze comments from various sources, including
end-user blogs and forums on which customers discuss current products. Another source is website recording
technologies that can replay individual customer experiences and track behavior patterns. This data analysis
gives management more useful and relevant information.

By using these cognitive computing capabilities to identify risks, the product manager, Stella Sharpe, realized
the product as currently designed would not meet the changing customer expectations. She led a discussion
with the marketing manager and development lead to better understand how changing a feature could impact
the project objectives and time line. Some of the risks identified included:

• The possibility of a delayed product launch and the impact on the objective of being first to market with
innovative products.

• The possibility of poor customer experience and the impact on achieving high customer satisfaction on
existing products.

To support the risk assessment, Stella Sharpe used impact and likelihood factors developed by the company
and used by all employees. Gulf Technology uses six criteria (financial and non-financial) based on internal data
from tracking customer complaints, negative media coverage, and external events from the publicly available
information on the impact of risks on peer organizations. The six criteria are reputation, market, operations,
legal/regulatory, cost, and value. By consistently using these assessment criteria and measures across the
company, management can view interdependencies between risks and can aggregate risks from other business
units to higher levels of the company.

In the develop phase, the most relevant criteria were determined to be reputation, market, and cost. It became
clear to Stella and others that the potential impact to Gulf Technology’s reputation was high if the company was
not first to market and if they failed to achieve high customer satisfaction. It also became clear that the product
development time line may lengthen to modify the product. Stella was cautious of being overconfident during the
assessment, so she encouraged everyone in the working group to participate in further discussion to minimize
any bias.

Figure 8.3 shows the objectives considered for the new product. During the discussion, Stella recognized there
were two competing objectives: 1) being first to market with innovative products and 2) providing high customer
satisfaction. She then considered how risk impacts performance at a higher, division-level objective—"achieve
sales goals for all new product launches"—by using a risk profile.

Figure 8.3: Business Unit and New Product Objectives

The risk profile helped management determine what level of risk was acceptable for a given level of
performance. This initial profile is shown in Figure 8.4. The x-axis represents the number of units sold
(performance), and the y-axis represents the number, composition, and severity of risks associated with
achieving this objective—"achieve sales goal for all new product launches." To develop this risk profile, Stella
used a combination of quantitative and qualitative approaches and relied on Gulf’s expertise to determine the
height and shape of the curve. Quantitative approaches included data modeling (reviewing historical product
launches for similar products and corresponding data, including revenue and losses). Qualitative approaches
included reviewing customer complaints and conducting interviews and workshops with key stakeholders. The
target represents the forecast for new product sales.

When the team gathered to discuss what they had learned about the relevance of the product to customer
satisfaction, the project leader determined that they should accept more risk by modifying the product design
and potentially delaying the product release. By accepting the additional risk to achieve the sales goals for this
new product, the risk curve steepened and shifted up, edging close to Gulf Technology’s risk appetite. This is
illustrated by comparing the risk profile for the business unit objective of achieving sales goals for new products
in the design phase (Figure 8.4) and the develop phase (Figure 8.5).

Figure 8.4: Design Phase Risk Profile & Figure 8.5: Develop Phase Risk Profile

Product Launch Phase


The development and building of the new product progressed toward the launch date. One month before the
release date, the development team reported to the working group that they needed a minimum of three
additional weeks to complete the testing of a component of the product. At the same time, Stella Sharpe learned
that the company’s main competitor was aiming to release a similar product close to Gulf Technology’s planned
launch date.

With competing product objectives of releasing a new product on schedule and having a fully tested product to
obtain high customer satisfaction, Stella prioritized the objectives and associated risks to make a more effective
and risk-informed decision, using several criteria:

• Adaptability: the company’s ability to respond if they launched a sub-par product or were late to market in
releasing a fully tested product.

• Complexity: the risks of product obsolescence and low sales to the company’s objective of being market
leader in technology and customer satisfaction.

• Velocity: the risk of not being first to market, which could impact the company faster than releasing a
sub-par product that disappoints consumers.

• Persistence: the risk of adverse media coverage continuing and the consequent impact on sales goals
following a product release that does not meet consumer expectations.

With input from the working group, and based on the criteria of adaptability and complexity, Stella decided to
release the product on schedule rather than delay the launch. She determined that the impact to overall sales
would be significant if the product launch were delayed due to additional testing and became the second product
on the market.

Prioritizing risks also helped management decide how to best respond to them, given finite resources. Following
the practice of most companies, Gulf Technology looked to apply one of the following risk responses to each
risk: accept, avoid, reduce, pursue, and share.

• Accept: Gulf Technology would launch the product with the untested feature and determine later how to
service the product as issues arose.

• Avoid: They would remove the untested feature from the product.

• Reduce: They would delay the launch date and allow the development team to perform the additional
testing.

• Pursue: They would launch the product as expected, actually giving prominence to an unproven
technology.

• Share: They would replace the untested feature with a tested feature from a previous product.

Additionally, Gulf management evaluated internal and external pressures, risk priority, risk appetite, and the
costs and benefits associated with the risk response. The goal was to apply the appropriate response to bring
the risk in line with risk appetite.

In considering the cost and benefits of either accepting or avoiding the risk, Stella determined that being first to
market with a product that contained only those features that had been fully tested would have more benefit than
leaving a potentially problematic feature in the product. She avoided the risk by removing the untested feature.
The risk profile from the develop phase showed her how removing the untested feature would impact the
objective of being first to market compared with the objective of obtaining high customer satisfaction, and
ultimately the business unit objective of achieving sales goals for new products.

When the untested feature is removed, the curve on the risk profile flattens and shifts down within the company’s
risk appetite for the objective of being first to market (Figure 8.6). However, when considering the risks impacting
the objective of providing high customer satisfaction, and ultimately the business unit objective of achieving
sales goals for new products, the risk curve steepens because a feature that consumers want is no longer part
of the product, which creates additional risks (Figure 8.7).

Figure 8.6: First-to-Market Risk Profile & Figure 8.7: High Customer Satisfaction Risk Profile

Track-and-Respond Phase
The working group successfully launched the new product on schedule. Once the product was in the market,
Stella Sharpe tracked several metrics including sales (e.g., product sales, gross profit percentages), marketing
(e.g., web traffic, number of leads generated), and product (e.g., inventory management, customer service
requests). These metrics alerted management to key indicators of both risk and performance.

One benefit of tracking performance metrics is the ability to quickly redeploy resources as needed. Historically,
prior to product launches, the company devoted significant effort to getting the product designed, developed,
tested, and marketed. Once a product was launched, substantial time was spent positioning and reacting to
changes in the business context. As a result, Gulf generally could not manage under- and overperformance
(e.g., product sales) and tended to be more reactive.

Several years ago, Gulf shifted to a focus on managing both under- and overperformance of all new products to
ensure they had sufficient capacity and resources to meet demand. For example, one of the company’s call
centers could handle customer service requests of 10% of products sold. So when Stella received real-time
information that sales had spiked significantly in a short period of time (by using the key indicators that tracked
performance), she knew that the information would be fed into the risk identification system, alerting the call
center to staff additional employees in anticipation of an increase in customer calls. This system allowed Gulf to
reallocate resources quickly based on changes in consumer demand.

Stella continued to track key indicators, and three months after the product launch she reported that sales were
lagging and customer complaints about the missing feature were on the rise. In response, the working group
reviewed the entire product development life cycle. Their goal was to understand what risks impacted the new
product development, at what stage they occurred, and how they affected the new product and business division
objectives.

With the results of this "postmortem," Stella was able to analyze how the risks associated with high customer
satisfaction actually increased in severity throughout the new product life cycle compared to the risks associated
with being first to market with an innovative product. Although she had prioritized the objective of being first to
market during product development, it became evident that customers would have accepted a short-term delay
in the launch if the end product had had all of the features they were expecting. Specifically, a two- to three-
week delay in the launch was determined to be acceptable to customers, but not a delay of more than one
month. In fact, Gulf Technology determined that customers were more sensitive to a product with all of the
anticipated features and were more likely to switch to a competitor’s product if their expectations were not met.
Stella used the analysis to adjust the approach for other new product launch phases.

Additionally, this information from the postmortem fed into the company-level portfolio view of risks. Specifically,
it showed that the risks to the objective of high customer satisfaction (risk of poor customer experience and poor
quality) maintained their severity as they rolled up to the division- and company-level objectives. Those
dissatisfied customers who switched to a competitor product affected Gulf Technology’s ability to meet its
objective of achieving sales goals for all new product launches. All this information helped senior management
better understand risks they may encounter in the future. Figure 8.8 illustrates the portfolio view of risks.

Figure 8.8: Portfolio View of Risk

The Changing Risk Landscape
The risk profile helped senior management better understand how the risks from a business division could
impact the company as a whole and how that risk profile shifted during each phase of the life cycle. This
valuable information helped them learn from the experience to improve future development and launches, as it
provided a better view of what phases and type of risks may cause a greater impact to objectives. Lastly, as Gulf
Technology continues to conduct postmortems on product launches over time, senior management may
consider revising its overall strategy for launching new products.

Footnotes

fn 16: Reminder: The examples do not illustrate a complete view of all enterprise risk management practices
in an organization. Each organization should consider and adapt the principles set forth in the
Framework to its specific strategies, risks, and opportunities based on its size, scale, and complexity.

fn 17: Names of organizations and people in this example are fictional, and any resemblance to actual
organizations and people is coincidental.

9. Review and Revision in an Industrial Products Company

Industry Context fn 18

Industrial products companies provide goods and services in the chemical, engineering and construction,
forestry, paper and packaging, industrial manufacturing, metals, and transportation sectors.

Industrial products entities may be influenced by any or all of the following external factors:

• Trade policies of countries where a company operates, acquires materials, transports goods, or sells
products.

• Shifts in global economic power that create both barriers and opportunities.

• Social unrest that may create risk and even disrupt the supply chain or distribution networks.

• Technology advancements that provide opportunities for companies to alter how they address consumer
needs and desires.

• Changes across a wide range of laws, particularly when they operate in several countries, and the need to
comply with these evolving requirements.

• Environmental oversight that can influence operational practices.

They may also be influenced by the following internal factors:

• Availability and mix of capital to develop infrastructure and respond to the need for innovation and
technology advances.

• Challenges of entering different industries, geographies, or increasing staffing through organic growth,
mergers, or acquisitions.

• Availability of skilled labor that may impact the ability to maintain and expand operations.

• Reliance on processes that adhere to their quality and safety standards.

• Innovative technologies like 3D printing and robotics.

Key Benefits of Enterprise Risk Management in the Example
This example demonstrates how enterprise risk management enhances the company’s ability to make decisions
that increase positive outcomes, increases the range of opportunities, and reduces negative surprises.

Principles Demonstrated
The following principles are primarily demonstrated in this example:

• Principle 14: Develops Portfolio View–The organization develops and evaluates a portfolio view of risk.

• Principle 15: Assesses Substantial Change–The organization identifies and assesses changes that may
substantially affect strategy and business objectives.

• Principle 16: Reviews Risk and Performance–The organization reviews entity performance and considers
risk.

• Principle 17: Pursues Improvement in Enterprise Risk Management–The organization pursues
improvement of enterprise risk management.

Aspects of the following principles are also demonstrated in part in this example:

• Principle 6: Analyzes Business Context–The organization considers potential effects of business context
on risk profile.

Facts and Circumstances fn 19

Mostley Machinery Company is a large international manufacturing company that builds assembly machines that
can produce a range of products. Mostley Machinery’s customers typically use the machines for specific parts of
their own assembly process; in fact, Mostley Machinery does not manufacture machines intended to build a
product from start to finish. For example, they sell a variety of riveting machines that are used as part of an
assembly line. Over 250 companies, ranging from small regional manufacturers to large, global manufacturers,
purchase these riveting machines every year.

Mostley Machinery Company is guided by four entity-level objectives:

• Build and maintain customer trust.

• Provide a diverse range of quality products to our customers.

• Operate in a safe and efficient manner.

• Provide stable, long-term value to our shareholders.

Mostley Machinery Company is located in central Europe and trades on a local stock exchange. The company
has seen higher than average growth in recent years, largely due to the expansion of some Asian manufacturing
companies it supplies to. It is organized by product lines, of which there are fifteen. There are also four support
functions: strategy and finance, human resources, information technology, and safety and compliance. The
fifteen product lines report to the chief operating officer. Other members of the senior leadership team include
the chief executive officer, chief financial officer, director of human resources, director of information technology,
and director of marketing.

During recent analyst calls, Myron Zblinski, the chief financial officer (CFO), noted growing concern over Mostley
Machinery’s ability to sustain traditional levels of growth. Some pundits believed that the industry was more likely
to experience disruption as new manufacturing techniques evolved, new materials became more common, and
other entrants were able to penetrate the market. The analyst community historically viewed the company as
one that provided stable growth with a somewhat risk-averse or risk-neutral approach. But now there was a
growing sense that the company had started to take on higher risk ventures in pursuit of higher growth while
reducing the focus on the lower-risk parts of the business that made it initially successful. It remained unclear
whether this was a conscious decision to pursue higher margin products or whether the company had simply
drifted from its original focus. This situation had, unfortunately, led some analysts to indicate that they may shift
their recommendation from "buy" to "hold." In response, the senior management team recognized that they
needed to better communicate the company’s view on risk overall and its strategy for addressing changes that
impact the company.

Discussion
The information that senior management used to understand the company’s performance came from many
sources. In the past, they typically relied on their own internal reviews, but the recent concerns of the analysts
prompted them to take a fresh look at things. They needed to determine if the current enterprise risk
management capabilities were meeting the company’s needs. Specifically, they set out to determine if:

• The company was identifying and responding to changes in customer preferences, supply chain, materials,
etc.

• Risk was impacting performance in ways that were currently undetected.

• Changes in enterprise risk management practices could enhance the company’s ability to create or
preserve value.

Responding to Changes in the Business


The senior management team of Mostley Machinery set out to answer the first question: how does the company
currently identify and respond to changes and the effect of those changes on the company’s overall view of risk
(i.e., its portfolio view of risk). The answer was that response is determined in discussions that Myron Zblinski
had previously built into the business processes. These discussions include analysis of changes in product mix,
changes in business lines, geographical changes, and internal changes, when appropriate.

Key Observation

In a small business setting, senior leadership can equip the organization to respond to risks and identify
opportunities by discussing the impact of internal and external changes on the company’s portfolio view of risk.

Every quarter, the senior management team, under Myron’s purview, summarized these discussions. Having the
strategy team involved in this process allowed individuals to see the links between the changes identified and
the entity’s strategy. They could then contribute their ideas and insight as the strategy evolved.

In one of these discussions on external factors, two specific changes in the industry were noted, and the meeting
participants considered the potential impact of each on the company’s overall risk profile. The changes were:

• Technology advancements, particularly 3D printing, the growing use of robotics, and the evolution of digital
technology.

• Social unrest and its potential to impact the company’s increasing reliance on global supply chains.

Through this exercise the company identified some areas of greater exposure should the trends continue. For
example, one of the product lines focused on providing replacement parts for their machinery, and the growing
prevalence of 3D printing meant that third parties would soon be able to replicate cheaper parts and create new
competition. Additionally, since many of the company’s customers are themselves manufacturers, the discussion
team recognized that those customers could begin printing their own parts.

The team considered what steps the company could take to mitigate this risk, which led to them discussing
opportunities to differentiate themselves from competitors and create added value. They came up with a two-part
proposal: First, the company should actively pursue 3D printing to internally produce replacement parts
potentially at reduced cost by using AutoCAD. Second, rather than retaining the AutoCAD files for company use
and waiting for customers or other third parties to develop their own specifications to produce parts, Mostley
Machinery could provide customers with the stereolithography files with the purchase of one of its pieces of
equipment. This practice could then be marketed as a competitive differentiator. This idea was recorded and
provided to the strategy and finance team to consider in an upcoming planning cycle.

Key Observation

Considering the effect of developments in the external environment on the portfolio view of risk gives the
organization the ability to respond to certain risks before they materialize and to identify areas where these
developments create strategic opportunities.

Assessing Performance and Considering Risk


The second issue was whether risk was impacting performance in ways that were undetected. The company
had a series of goals aligned to each of its objectives. Each of the goals included a quantifiable aspect, so that
the company could track performance, which was reported as part of the quarterly business performance review.
Senior leadership reviewed the metrics for each goal quarterly. On review, two metrics stood out: sales by region
and sales by product type, illustrated in Figure 9.1.

Figure 9.1: Sales Metrics for Mostley Machinery

As noted in Figure 9.1, the company was selling 35% of its equipment to the Asian market. This percentage had
risen in each of the last five years, before which sales to Asia represented less than 10% of the total. This
increase was not planned, but it has driven the majority of the company’s overall growth in this period, and it
exposed the company to a higher amount of risk than the company could sustain, as the Asian market was
viewed by management as more cyclical than the European market.

The team also reviewed the revenue from replacement parts. The goal was to maintain the percentage of revenue from sales of replacement parts to overall sales at 7%. The company wanted to be sure that it remained—above all—a provider of equipment, as that generated a much higher profit margin than the sale of replacement parts. At the same time, the company wanted to retain its replacement parts customers, rather than losing them to its competitors for those parts, or worse, for new equipment.

Taking all this information into account and reviewing historical data to understand seasonal and other trends, the company defined a lower tolerance boundary of 3% and an upper boundary of 11% (see Figure 9.2). Senior management determined that having replacement parts revenue below 3% suggested that parts were being over-engineered at a higher cost to produce. Above 11%, there was likely either a reliability problem with current parts or customers were keeping the machine past the intended useful life, choosing to repair rather than replace machines.

Figure 9.2: Risk Profile for Percentage of Sale of Replacement Parts to Total Sales

In one quarter, the actual performance was 12% (shown as the solid green line in Figure 9.2). This shift in the
percentage of revenue from replacement parts presented a confusing trend for senior management. They
viewed it as being a higher risk to future revenues because, as noted above, customers could easily shift to
lower-cost aftermarket versions or use 3D printing to create their own parts.

In researching the reasons for the 12% replacement sales, senior management identified that three years ago,
Mostley Machinery had streamlined its operations to pursue the goal of operating efficiently. Management was
now starting to see the longer-term implications of that change. An estimated 70% of the customers were
replacing a part purchased (either on their own or as part of new machinery) within two to three years, rather
than the targeted ten-year useful life. These failure times were occurring just before the warranty period ended.
This increased failure rate was resulting in higher sales revenue from replacement parts but also incurring higher
warranty repair costs for Mostley Machinery.

Key Observation

By defining a performance target and tolerance, and by monitoring performance against target and tolerance, an
organization can identify when it may be taking too much or too little risk in certain areas and adjust as needed to
achieve the desired level of performance.

With this insight, leadership considered whether they should adjust the target and/or tolerance for replacement parts, or whether the company was assuming too much risk by having a lower useful life for key parts. Ultimately, they decided that the decrease in useful life for parts could threaten the company’s reputation for quality and its customers’ trust. They determined that in streamlining the process, they had accepted a higher amount of risk to product quality. Therefore, they initiated a project to determine the cause of the shorter useful life and to modify the process to bring the average useful life for the parts back to three years.

Considering Current Practices

For the past several years, Mostley Machinery has taken steps to understand the current and desired enterprise
risk management capabilities. For instance, the chief executive officer (CEO) and the internal auditor now attend
business performance reviews with the operating divisions to look at progress against performance goals and
how the business is incorporating an understanding of the risks as they operate in pursuit of their goals. This has
helped the CEO to understand performance of the business and the internal auditor to develop an annual audit
plan.

However, the senior team also needed to refresh their understanding of where enterprise risk management
capabilities were integrated into the business. They initially looked at scoring the company using a typical
maturity model, but that was too high level and didn’t provide enough insight into the day-to-day operations.
Instead, each member of the senior leadership team was asked to compile a summary of the key enterprise risk
management activities that had been woven into day-to-day operations. These summaries included the
following:

• The chief financial officer (CFO) noted that risk management was formally part of the budget planning sessions. The budgeting process asked two questions: Have we allocated funds to support initiatives to enhance the managing of risk where needed? What efforts are we funding that provide minimal impact on the amount of risk taken by the company?

• The chief operating officer (COO) noted that risk was a topic for discussion at every operations meeting in addition to the regular discussions on new staff, training, production targets, and quality assurance results. The plan was to move risk from being a separate agenda item to being a factor of every topic, but that change would likely take twelve to eighteen months.

• The chief information officer (CIO) noted that risk assessments were being used in the review and development of new technology on a company-wide basis, where common technology was used by multiple departments. These assessments had helped to identify potential problems in past projects.

• The vice president of human resources noted that risk management was being woven into performance reviews.

While there were many positive practices noted in these conversations, it became apparent that there were
opportunities for improvement. For instance:

• Changing revenue patterns over time had not been a focus, as the company typically compared only the current quarter to the prior quarter, or the current year to the prior year. This meant that slowly evolving trends were not necessarily identified.

• None of the senior leadership team was able to articulate why the amount of risk taken by the company was appropriate. Few could state with confidence whether it was too high or too low. Most relied more on personal judgment and experience to determine the appropriate amount of risk.

• While the CEO and internal auditor attended performance meetings, there was no sharing of information across these meetings. There were concerns that some risks potentially impacting more than one group might still be looked at in isolation. For instance, at the same time the CFO was asking for spending on research and development to be reduced, the COO was seeing a growing need to increase efforts on new product development.

• The company had a spot bonus program for rewarding individuals for specific efforts. The vice president of human resources noted that of the spot bonuses awarded in the past twelve months, 40% related to culture (doing the right thing for the client), 40% related to efforts to help meet an internal deadline, and 20% related to long-time service. None of them related to instances of individuals helping shape the risk profile of the company through their decisions. All senior leadership team members were encouraged to consider spot rewards for such instances.

Changing Practices

Management realized that it was important to develop capabilities that:

• Support people in making decisions across the company that reflect a common understanding of acceptable risk taking.

• Consider how performance evolves over a longer period than just one year to the next.

• Enhance communications to the board on emerging risks that could disrupt the business.

• Enhance communications with the analyst community. Most notably, they needed to develop a way to better communicate how risk factored into decisions.

To begin making these changes, the senior leadership team met to formulate a view of the overall risk appetite. First they considered the extent to which the overall strategy and entity-level objectives aligned with the company’s mission, vision, and core values. They reviewed the company’s recent annual reports, internal management reports, and press releases to identify trends in communication that could be used to infer where leadership was most interested in minimizing risk or taking risk. They also reviewed internal memos from the CEO and other business unit leaders to identify where they were asking employees to focus.

Each executive was asked to develop a view of the type and amount of risk acceptable for the strategies related to their area of the business. Once this was done, the senior leadership members met with their staff to get feedback on how such a statement might be useful in practice and what needed to be made clearer. The senior leadership then met as a group to discuss, revise, and ultimately finalize the statements.

Figure 9.3 lists a few risk appetite statements that the company developed by entity-level objective to use in
decision-making.

Figure 9.3: Risk Appetite Statements

Once the executive risk committee finalized the statements, they invited the board of directors to review and
comment on them. The statements were then sent to all executives and managers, who were encouraged to
refer to them when making decisions that involved assuming a certain level of risk. They were also instructed to
elevate the decision to the next level if they felt uncertain whether the risk they were taking aligned with the
company’s risk appetite.

One method the company used to assess the success of their efforts was revisiting the sales trend analysis
previously completed and the percentage of sales represented by replacement parts. As part of that assessment
the senior team reflected on the risk appetite expressions, noting that the company:

• Has a low tolerance for risks that create situations or actions that could negatively impact customer trust.

• Will seek to produce equipment of superior quality and reliability, understanding that such goals may come with a cost.

• Has stakeholders who expect strong financial performance and will not accept risks that unnecessarily erode financial performance.

The result of the assessment was a new risk profile, which was presented to senior management, showing three possible levels of risk appetite (see Figure 9.4). In this case, since the company had a history of performance and an understanding of risk to that performance, risk appetite was being set by management in the context of actual performance (i.e., "We know our performance and tolerance, and now we are figuring out where appetite should be"). After considerable discussion and debate, the senior management team agreed that risk appetite was best depicted as line B. With this decision made, it became clear that the indicated level of actual performance exceeded the overall risk appetite and, therefore, remedial actions were needed.

Figure 9.4: Revised Risk Profile for Percentage of Sale of Replacement Parts to Total Sales

Developing a Common, Company-wide View of Risk


To develop an enterprise view of risk, staff for all product lines and functions identified risks within their part of
the company. These included everything from those risks related to specific suppliers not delivering on time to
internal systems failure. But to be sure that this effort did not detract from the important risk management efforts
happening within each of the programs, senior leadership appointed a point person from each product line and
function (the working group) to develop a portfolio view of risk. Each product line and function regularly provided
the designated person with updated risk information, an effective system that required minimal effort from the
managers.

Key Observation

Small businesses may have a less-formal process for regularly reviewing and discussing risk. This may include a
management meeting every quarter with key leaders, where risks and interdependencies are discussed.

The senior leadership team supplemented this information with their own insight on the top risks facing the
company and discussed it further, as needed. Over time, they refined the reporting to provide the needed
information from the portfolio view to each stakeholder group, including the board, senior leadership, and risk
owners.

Figure 9.5 illustrates the completed portfolio view of risk. Note that the approach is not a linear compilation, but
reflects considerable management judgment. For instance, management has noted in the specific risks to
business objectives that only one was in the moderately high range: "Be a fast follower of product innovation."
That objective is, however, significant to the overall entity-level objectives and as a result the related entity-level
objective was also assessed as having a moderate amount of related risk.

With the combination of captured risk information and management’s own judgment, Mostley Machinery had a
dashboard that provided the insight required, focusing on the impact of risk on performance. The dashboard
illustrated in Figure 9.5 indicates the level of risk to both entity and business unit objective performance targets.
The color scheme is also tailored to reflect the risk appetite.

• Red represents the level of risk that the company is unwilling to accept in the pursuit of value.

• Yellow indicates that the risk is just within the level the company is willing to accept in the pursuit of value, but the assessed level is higher than desired.

• Green indicates that the risk is fully within the level the company is willing to accept in the pursuit of value.

Figure 9.5: Completed Portfolio View of Risk

Completing the Conversation
Having taken on these efforts to understand how enterprise risk management capabilities and practices were
woven into the business, and where they could make changes, the CFO gained a better appreciation of the
analyst observations. Steps were taken to address the appearance of higher-risk activities displacing lower-risk
activities with proven performance. The change in focus on increasing the useful life of parts demonstrated how
risk management can increase positive outcomes. The focus on using 3D printing and the distribution of related
files helped increase the range of opportunities. Further, the focus on company-wide risk and viewing it through
the lens of risk appetite (and carefully considering stakeholder views) will help to reduce negative surprises.
Most notably, the plan addressed the concerns that the company had adopted a higher risk strategy or
inadvertently become more aggressive in its decision-making.

Footnotes

fn 18: Reminder: The examples do not illustrate a complete view of all enterprise risk management practices in an organization. Each organization should consider and adapt the principles set forth in the Framework to its specific strategies, risks, and opportunities based on its size, scale, and complexity.

fn 19: Names of organizations and people in this example are fictional, and any resemblance to actual organizations and people is coincidental.

10. Risk Information in a Healthcare Company

Industry Context fn 20

Healthcare providers deliver medical services to patients ranging from routine care to specialized critical care
such as surgery, psychiatry, obstetrics and gynecology, and oncology. Healthcare providers may fit into one of a
variety of business models: non-governmental, governmental, not-for-profit, for profit, religious, or academic.

Healthcare may be influenced by the following external factors:

• Intervention in policy and decision-making stemming from special interests rather than business-driven approaches.

• Reimbursement rates that are affected by the general economy and public policy.

• Consumers using non-traditional sources of healthcare, including telemedicine, small clinics in retail stores, and physician assistants and nurse practitioners instead of doctors.

• Changing technology and the availability of confidential patient information.

• Strict regulatory requirements along all aspects of the provider delivery model.

• Changing landscape of global healthcare crises, including pandemics.

Healthcare may also be influenced by the following internal factors:

• Capital demands to sustain merger and acquisition activities that are needed to maintain and expand facilities or invest in updated equipment.

• Competition for staff at all levels due to increasing demand from all types of healthcare providers.

• Staff operating in silos, which affects information sharing.

• Dependency on technology in all aspects of the delivery model, from decisions on patient care to reimbursements for services delivered.

Key Benefits of Enterprise Risk Management in the Example

This example shows how enterprise risk management practices reduce performance variability. It also shows
how enterprise risk management information practices help a company improve resource deployment.

Principles Demonstrated
The following principles are primarily demonstrated in this example:

• Principle 18: Leverages Information Systems – The organization leverages the entity’s information and technology systems to support enterprise risk management.

• Principle 19: Communicates Risk Information – The organization uses communication channels to support enterprise risk management.

• Principle 20: Reports on Risk, Culture, and Performance – The organization reports on risk, culture, and performance at multiple levels and across the entity.

Facts and Circumstances fn 21

Highland Hospitals provides services in traditional hospital settings. It operates thirty affiliate hospitals in five
different states across the US as a not-for-profit business. It specifically supports people in low-income areas
needing routine and critical care. The target demographic is people who have few choices in healthcare
providers because they live in rural communities. Most revenue is generated through reimbursements from
government-provided insurance.

Highland Hospitals has formalized its mission statement:

Our mission is to provide the highest quality patient care to all communities in which we serve. We do this
through employing dedicated professionals to deliver top care and professional staff to provide support
throughout the organization. We value all patients equally. We will operate in a financially responsible manner
ensuring our long-term sustainability as a provider of care for our communities.

Senior management recently gathered to set objectives that would support this mission. They established two
that they felt best reflected Highland Hospitals’ pursuit of mission:

• Provide quality care to patients in communities served.

• Hire and retain high-quality physicians, nurses, and support staff.

Over the past several months, Highland Hospitals has become the target of increasing negative media coverage
about surgery and appointment wait lists and overcrowding in its emergency rooms. Despite assurances from
the CEO, Emma Carballo, that healthcare services would not be hampered and all efforts were being made to
address the situation, the company has been slow to respond to the growing call to action. The result has been
increased fatigue and frustration from the medical team, and in particular the nursing staff. So far, the situation
has not affected retention rates, but management has had difficulty hiring more nurses, especially in some of the
more remote communities it serves.

Discussion
Emma called the director of nursing, Antonio Garcia, to talk to him about the recent media coverage and impact
on the nursing staff. She told him that the leadership team was contemplating a number of large-scale initiatives,
but even if approved by the board, those would likely take several years before comprehensively addressing the
growing wait lists and impact to staff. Emma asked Antonio to develop an interim plan of action to continue to
attract and retain nursing staff.

Antonio began by reviewing the available internal data on hiring and retaining nurses to understand the greatest
impacts. These indicators with analysis are shown in Figure 10.1.

Figure 10.1: Performance Indicators Affecting the Workforce

Antonio then compared his internal numbers to information made available by the National Nursing Association.
The association’s latest annual report outlined current trends and explored the challenges in recruiting new
nurses. The report confirmed Antonio’s suspicion that there is an overall shortage of nurses across the country,
with some rural areas more affected than areas with larger populations. The assumptions behind the nursing
shortage were many, including:

• Aging population with a greater number of older adults who are expected to have at least one chronic condition requiring ongoing medical care, adding to the demands of the existing patient pool.

• Corresponding number of nurses and nursing educators who are approaching retirement age.

• Propensity for graduating nurses to work within the same geographic area in which they completed their medical studies.

• Most nursing educational facilities and schools being in urban areas or affiliated with larger universities and hospitals.

• Ongoing challenges in having nurses with foreign designations and licenses being recognized or accredited in a timely and cost-efficient manner.

After looking at both the external data and internal indicators, Antonio recognized that he needed to take a
different approach to mitigate the risk of having nursing shortages that would further contribute to Highland
Hospitals’ existing operational challenges. The nursing program had always been managed with consideration to
two primary objectives: providing quality care and hiring and retaining high-quality staff. These objectives are
codependent: without quality staff, it is difficult for Highland Hospitals to deliver the highest quality care, and so
Antonio decided to focus on hiring and retaining high-quality staff.

Antonio knew he needed help in thinking through the components that contribute to hiring and retaining high-quality staff, which includes identifying candidates and agreeing on competitive benefits. He started by engaging the human capital officer, Eva Andreotti. They broke the process into two parts—attracting and retaining nurses—and began to think through what information Antonio needed.

As noted, Highland Hospitals had already identified that they were receiving fewer nursing applications than their
target numbers. Antonio and Eva hypothesized that there were fewer nursing students in local schools than
there used to be, which affected the number of applications. To develop a measure that would give them insight
into potential applicants at an earlier point in their process, Antonio and Eva set out to determine how many
nursing students were being admitted to the local nursing schools. They emailed the director of admissions at
each of the major schools, hoping to validate their hypothesis or learn other reasons students were selecting
different options.

Additionally, they looked at the compensation and benefits that Highland Hospitals offers staff, both having an
impact on retaining current staff and attracting new hires. They began by identifying what their competitors were
offering, including doctors’ offices, home healthcare services, and skilled nursing facilities. They also identified
that corporations, contract nursing, and urgent care centers could be competitors, but noted that the nurses from
the target schools do not tend to go to those organizations. The specific information they wanted included the
following:

• Salary components (base pay, bonuses, and paid leave).

• Flexibility of workplace arrangements including availability of extra shifts.

• Career progression and access to continuing education.

• Human resource policies including sick leave and workplace safety.

Antonio and Eva then tackled the job of understanding the culture of the nursing staff. Culture affects why nurses want to stay at a hospital, and the data showed that once nurses chose Highland Hospitals they tended to stay. This understanding was critical as they looked to identify nurse hires. What behaviors, they wanted to know, drive that culture, and what encourages nurses to continue working at Highland Hospitals? To find out, they sent a survey to the nursing staff encouraging them to share their views anonymously. The survey asked nurses:

• When do you feel the most appreciated?

• Do you feel the management team is transparent?

• What three words would you use to describe our culture?

• What would you change to improve our culture?

The survey revealed that one significant driver of low morale was fatigue. The reasons cited were many: a
general shortage of nurses across the system; a shortage specific to certain units because of a gap in
experience with attending nurses; the need to spend significant time training new nurses who lacked clinical
experience; and the imbalance between extremely busy times and very slow times, for which there had been no
analysis of data that could help normalize the resource capacity.

While the survey data was being compiled, Antonio and Eva received their first responses from the nursing schools. The director of admissions at one of the largest schools indicated that they had not seen a change or decline in admissions, given the number of government scholarships that had recently been made available, particularly for students from more remote, rural areas. He went on to explain that while he was not at liberty to divulge where and why nursing students accepted employment offers, he could confirm that the recent press coverage of Highland Hospitals was the topic of conversation for many students who had expressed reservations about applying for positions there.

Using the information that Eva and he had gathered, Antonio started to develop a plan of action to present to the
board. The plan included the following suggestions:

• Launch a digital recruitment campaign to encourage applications at the nursing schools.

• Introduce a variety of non-monetary benefits including increased flexibility for accepting additional shifts, flexible scheduling such as weekends only to accommodate families, alternative schedules such as fewer long schedules or shorter schedules, and subsidized daycare through agreements with daycare providers.

• Introduce offers for additional financial and study support for continuing education to allow nurses to specialize in areas with forecasted skills shortages.

• Establish a mentorship program to address the experience gap. Such a program would provide valuable information to the leadership of the nursing staff across the hospital system. From the start of the clinical portion of nursing school through internships, new nurses would be matched with a mentor to accelerate their professional development.

• Implement a new approach for data analytics that enables more accurate forecasting of staff resourcing needs. The approach would use a variety of data feeds, assumptions, and historical analysis to anticipate incoming patient levels and types of care. These include:

  • Police reports and traffic condition alerts to prioritize the hospitals to which ambulances are directed in real time and alert hospital staff of incoming patient volumes.

  • Meteorology reports to track weather patterns such as heat waves that are likely to see a spike in patient admissions.

  • Updates from centres for infectious diseases regarding the status of epidemic outbreaks such as flu, chicken pox, and whooping cough.

  • Research papers on longer-term trends in lifestyle choices such as smoking, alcohol consumption, and exercise habits that may lead to healthcare implications and require specialist nursing care and skills.

  • Periodic demographic data outlining the distribution of population by age, gender, and education levels for populations surrounding each of the hospitals.

• Refine the key indicators to include more forward-looking metrics to better gauge future resourcing challenges. Existing metrics on turnover were supplemented to include:

  • Scope and persistence of social media coverage relating to employment conditions and patient care.

  • Average amount of overtime worked by nurses during periods of high-volume admissions.

  • Number of nursing staff undertaking further professional education.

• Launch an initiative to review the time nurses spend on administrative tasks and whether those tasks could be automated or delegated to administrative staff. The initiative would work with the IT teams to track the time each nurse spends administering healthcare compared to updating records and charts or completing other tasks.

Having developed a proposed plan of action, Antonio and Eva then engaged with both the risk and finance
teams. The risk team provided the latest risk report to the board outlining those objectives that were most at risk
of not being achieved and considering the financial, patient, and operational impacts should those risks
materialize. The finance team worked with Antonio and Eva to determine whether the current year’s budget
could absorb the additional costs or whether those costs would need to be distributed over a longer time period.

Together, they prepared an integrated plan of action for the CEO that outlined:

• Anticipated impact of the risks associated with resourcing shortages including:

  • Loss of revenue from declining patient numbers.

  • Increased costs associated with longer wait times.

  • Adverse impact on the company’s brand and reputation.

  • Additional regulatory and political scrutiny.

• Level of confidence in the ability of Highland Hospitals to adhere to its risk appetite and manage stakeholder expectations in the absence of a plan of action.

• Forecasted cost of implementing short- and longer-term proposed changes.

• Changes in the risk profile assuming the additional management actions taken to mitigate the risk and its revised prioritization.

The report concluded that without further action, the hospital would incur significant variations in performance
and face increasing scrutiny from its shareholders and regulators of both the quality of care and the efficiency of
its general operations. The costs associated with implementing additional management actions were presented
in response to the increasing priority associated with the objective of attracting and retaining competent nursing
staff.

Leveraging Structured and Unstructured Data from Internal and External Sources

Antonio recognized that he needed information from both structured and unstructured sources. That would provide him with the insight to manage the nursing staff efficiently and hire "best fit" nurses to increase quality delivery and reduce performance variability in providing care. It also allowed Highland Hospitals to monitor performance against its objectives and to make more timely decisions when performance was being impacted. The combination of better information and more timely action will help to reduce the variability in the hospital’s outcomes.

Footnotes

fn 20 Reminder: The examples do not illustrate a complete view of all enterprise risk management practices in an organization. Each organization should consider and adapt the principles set forth in the Framework to its specific strategies, risks, and opportunities based on its size, scale, and complexity.

fn 21 Names of organizations and people in this example are fictional, and any resemblance to actual organizations and people is coincidental.

Executive Summary

PDF version: ERM_Executive_Summary.pdf

Committee of Sponsoring Organizations of the Treadway Commission (COSO)

Oversight – Representative

COSO Chair – John J. Flaherty
American Accounting Association – Larry E. Rittenberg
American Institute of Certified Public Accountants – Alan W. Anderson
Financial Executives International – John P. Jessup; Nicholas S. Cyprus
Institute of Management Accountants – Frank C. Minter; Dennis L. Neider
The Institute of Internal Auditors – William G. Bishop, III; David A. Richards

Project Advisory Council to COSO

Guidance

Tony Maki, Chair – Partner, Moss Adams LLP
James W. DeLoach – Managing Director, Protiviti Inc.
John P. Jessup – Vice President and Treasurer, E. I. duPont de Nemours and Company
Mark S. Beasley – Professor, North Carolina State University
Andrew J. Jackson – Senior Vice President of Enterprise Risk Assurance Services, American Express Company
Tony M. Knapp – Senior Vice President and Controller, Motorola, Inc.
Jerry W. DeFoor – Vice President and Controller, Protective Life Corporation
Steven E. Jameson – Executive Vice President, Chief Internal Audit & Risk Officer, Community Trust Bancorp, Inc.
Douglas F. Prawitt – Professor, Brigham Young University

PricewaterhouseCoopers LLP – Author

Principal Contributors

Richard M. Steinberg – Former Partner and Corporate Governance Leader (Presently Steinberg Governance Advisors)
Miles E.A. Everson – Partner and Financial Services Finance, Operations, Risk and Compliance Leader, New York
Frank J. Martens – Senior Manager, Client Services, Vancouver, Canada
Lucy E. Nottingham – Manager, Internal Firm Services, Boston

Foreword
Over a decade ago, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) issued
Internal Control – Integrated Framework to help businesses and other entities assess and enhance their internal
control systems. That framework has since been incorporated into policy, rule, and regulation, and used by
thousands of enterprises to better control their activities in moving toward achievement of their established
objectives.
Recent years have seen heightened concern and focus on risk management, and it became increasingly clear
that a need exists for a robust framework to effectively identify, assess, and manage risk. In 2001, COSO
initiated a project, and engaged PricewaterhouseCoopers, to develop a framework that would be readily usable
by managements to evaluate and improve their organizations’ enterprise risk management.

The period of the framework’s development was marked by a series of high-profile business scandals and
failures where investors, company personnel, and other stakeholders suffered tremendous loss. In the
aftermath were calls for enhanced corporate governance and risk management, with new law, regulation, and
listing standards. The need for an enterprise risk management framework, providing key principles and
concepts, a common language, and clear direction and guidance, became even more compelling. COSO
believes this Enterprise Risk Management – Integrated Framework fills this need, and expects it will become
widely accepted by companies and other organizations and indeed all stakeholders and interested parties.

Among the outgrowths in the United States is the Sarbanes-Oxley Act of 2002, and similar legislation has been
enacted or is being considered in other countries. This law extends the long-standing requirement for public
companies to maintain systems of internal control, requiring management to certify and the independent auditor
to attest to the effectiveness of those systems. Internal Control – Integrated Framework, which continues to
stand the test of time, serves as the broadly accepted standard for satisfying those reporting requirements.

This Enterprise Risk Management – Integrated Framework expands on internal control, providing a more robust
and extensive focus on the broader subject of enterprise risk management. While it is not intended to and does
not replace the internal control framework, but rather incorporates the internal control framework within it,
companies may decide to look to this enterprise risk management framework both to satisfy their internal control
needs and to move toward a fuller risk management process.

Among the most critical challenges for managements is determining how much risk the entity is prepared to and
does accept as it strives to create value. This report will better enable them to meet this challenge.

John J. Flaherty Tony Maki

Chair, COSO Chair, COSO Advisory Council

Executive Summary
The underlying premise of enterprise risk management is that every entity exists to provide value for its
stakeholders. All entities face uncertainty, and the challenge for management is to determine how much
uncertainty to accept as it strives to grow stakeholder value. Uncertainty presents both risk and opportunity, with
the potential to erode or enhance value. Enterprise risk management enables management to effectively deal
with uncertainty and associated risk and opportunity, enhancing the capacity to build value.
Value is maximized when management sets strategy and objectives to strike an optimal balance between growth
and return goals and related risks, and efficiently and effectively deploys resources in pursuit of the entity’s
objectives. Enterprise risk management encompasses:

• Aligning risk appetite and strategy – Management considers the entity’s risk appetite in evaluating strategic alternatives, setting related objectives, and developing mechanisms to manage related risks.
• Enhancing risk response decisions – Enterprise risk management provides the rigor to identify and select among alternative risk responses – risk avoidance, reduction, sharing, and acceptance.
• Reducing operational surprises and losses – Entities gain enhanced capability to identify potential events and establish responses, reducing surprises and associated costs or losses.
• Identifying and managing multiple and cross-enterprise risks – Every enterprise faces a myriad of risks affecting different parts of the organization, and enterprise risk management facilitates effective response to the interrelated impacts, and integrated responses to multiple risks.
• Seizing opportunities – By considering a full range of potential events, management is positioned to identify and proactively realize opportunities.
• Improving deployment of capital – Obtaining robust risk information allows management to effectively assess overall capital needs and enhance capital allocation.

These capabilities inherent in enterprise risk management help management achieve the entity’s performance
and profitability targets and prevent loss of resources. Enterprise risk management helps ensure effective
reporting and compliance with laws and regulations, and helps avoid damage to the entity’s reputation and
associated consequences. In sum, enterprise risk management helps an entity get to where it wants to go and
avoid pitfalls and surprises along the way.

Events – Risks and Opportunities


Events can have negative impact, positive impact, or both. Events with a negative impact represent risks, which
can prevent value creation or erode existing value. Events with positive impact may offset negative impacts or
represent opportunities. Opportunities are the possibility that an event will occur and positively affect the
achievement of objectives, supporting value creation or preservation. Management channels opportunities back
to its strategy or objective-setting processes, formulating plans to seize the opportunities.

Enterprise Risk Management Defined


Enterprise risk management deals with risks and opportunities affecting value creation or preservation, defined
as follows:

Enterprise risk management is a process, effected by an entity’s board of directors, management and other
personnel, applied in strategy setting and across the enterprise, designed to identify potential events that
may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance
regarding the achievement of entity objectives.

The definition reflects certain fundamental concepts. Enterprise risk management is:

• A process, ongoing and flowing through an entity
• Effected by people at every level of an organization
• Applied in strategy setting
• Applied across the enterprise, at every level and unit, and includes taking an entity-level portfolio view of risk
• Designed to identify potential events that, if they occur, will affect the entity and to manage risk within its risk appetite
• Able to provide reasonable assurance to an entity’s management and board of directors
• Geared to achievement of objectives in one or more separate but overlapping categories

This definition is purposefully broad. It captures key concepts fundamental to how companies and other
organizations manage risk, providing a basis for application across organizations, industries, and sectors. It
focuses directly on achievement of objectives established by a particular entity and provides a basis for defining
enterprise risk management effectiveness.

Achievement of Objectives
Within the context of an entity’s established mission or vision, management establishes strategic objectives,
selects strategy, and sets aligned objectives cascading through the enterprise. This enterprise risk management
framework is geared to achieving an entity’s objectives, set forth in four categories:

• Strategic – high-level goals, aligned with and supporting its mission
• Operations – effective and efficient use of its resources
• Reporting – reliability of reporting
• Compliance – compliance with applicable laws and regulations.

This categorization of entity objectives allows a focus on separate aspects of enterprise risk
management. These distinct but overlapping categories – a particular objective can fall into more than one
category – address different entity needs and may be the direct responsibility of different executives. This
categorization also allows distinctions between what can be expected from each category of objectives. Another
category, safeguarding of resources, used by some entities, also is described.

Because objectives relating to reliability of reporting and compliance with laws and regulations are within the
entity’s control, enterprise risk management can be expected to provide reasonable assurance of achieving
those objectives. Achievement of strategic objectives and operations objectives, however, is subject to external
events not always within the entity’s control; accordingly, for these objectives, enterprise risk management can
provide reasonable assurance that management, and the board in its oversight role, are made aware, in a timely
manner, of the extent to which the entity is moving toward achievement of the objectives.

Components of Enterprise Risk Management


Enterprise risk management consists of eight interrelated components. These are derived from the way
management runs an enterprise and are integrated with the management process. These components are:

• Internal Environment – The internal environment encompasses the tone of an organization, and sets the basis for how risk is viewed and addressed by an entity’s people, including risk management philosophy and risk appetite, integrity and ethical values, and the environment in which they operate.
• Objective Setting – Objectives must exist before management can identify potential events affecting their achievement. Enterprise risk management ensures that management has in place a process to set objectives and that the chosen objectives support and align with the entity’s mission and are consistent with its risk appetite.
• Event Identification – Internal and external events affecting achievement of an entity’s objectives must be identified, distinguishing between risks and opportunities. Opportunities are channeled back to management’s strategy or objective-setting processes.
• Risk Assessment – Risks are analyzed, considering likelihood and impact, as a basis for determining how they should be managed. Risks are assessed on an inherent and a residual basis.
• Risk Response – Management selects risk responses – avoiding, accepting, reducing, or sharing risk – developing a set of actions to align risks with the entity’s risk tolerances and risk appetite.
• Control Activities – Policies and procedures are established and implemented to help ensure the risk responses are effectively carried out.
• Information and Communication – Relevant information is identified, captured, and communicated in a form and timeframe that enable people to carry out their responsibilities. Effective communication also occurs in a broader sense, flowing down, across, and up the entity.
• Monitoring – The entirety of enterprise risk management is monitored and modifications made as necessary. Monitoring is accomplished through ongoing management activities, separate evaluations, or both.

Enterprise risk management is not strictly a serial process, where one component affects only the next. It is a
multidirectional, iterative process in which almost any component can and does influence another.

Relationship of Objectives and Components
There is a direct relationship between objectives, which are what an entity strives to achieve, and enterprise risk
management components, which represent what is needed to achieve them. The relationship is depicted in a
three-dimensional matrix, in the form of a cube. The four objectives categories – strategic, operations, reporting,
and compliance – are represented by the vertical columns, the eight components by horizontal rows, and an
entity’s units by the third dimension. This depiction portrays the ability to focus on the entirety of an entity’s
enterprise risk management, or by objectives category, component, entity unit, or any subset thereof.

Effectiveness
Determining whether an entity’s enterprise risk management is “effective” is a judgment resulting from an
assessment of whether the eight components are present and functioning effectively. Thus, the components are
also criteria for effective enterprise risk management. For the components to be present and functioning
properly there can be no material weaknesses, and risk needs to have been brought within the entity’s risk
appetite.

When enterprise risk management is determined to be effective in each of the four categories of objectives,
respectively, the board of directors and management have reasonable assurance that they understand the
extent to which the entity’s strategic and operations objectives are being achieved, and that the entity’s reporting
is reliable and applicable laws and regulations are being complied with.

The eight components will not function identically in every entity. Application in small and mid-size entities, for
example, may be less formal and less structured. Nonetheless, small entities still can have effective enterprise
risk management, as long as each of the components is present and functioning properly.

Limitations
While enterprise risk management provides important benefits, limitations exist. In addition to factors discussed
above, limitations result from the realities that human judgment in decision making can be faulty, decisions on
responding to risk and establishing controls need to consider the relative costs and benefits, breakdowns can
occur because of human failures such as simple errors or mistakes, controls can be circumvented by collusion of
two or more people, and management has the ability to override enterprise risk management decisions. These
limitations preclude a board and management from having absolute assurance as to achievement of the entity’s
objectives.

Encompasses Internal Control


Internal control is an integral part of enterprise risk management. This enterprise risk management framework
encompasses internal control, forming a more robust conceptualization and tool for management. Internal
control is defined and described in Internal Control – Integrated Framework. Because that framework has stood
the test of time and is the basis for existing rules, regulations, and laws, that document remains in place as the
definition of and framework for internal control. While only portions of the text of Internal Control– Integrated
Framework are reproduced in this framework, the entirety of that framework is incorporated by reference into this
one.

Roles and Responsibilities


Everyone in an entity has some responsibility for enterprise risk management. The chief executive officer is
ultimately responsible and should assume ownership. Other managers support the entity’s risk management
philosophy, promote compliance with its risk appetite, and manage risks within their spheres of responsibility
consistent with risk tolerances. A risk officer, financial officer, internal auditor, and others usually have key
support responsibilities. Other entity personnel are responsible for executing enterprise risk management in
accordance with established directives and protocols. The board of directors provides important oversight to
enterprise risk management, and is aware of and concurs with the entity’s risk appetite. A number of external
parties, such as customers, vendors, business partners, external auditors, regulators, and financial analysts
often provide information useful in effecting enterprise risk management, but they are not responsible for the
effectiveness of, nor are they a part of, the entity’s enterprise risk management.

Organization of This Report


This report is in two volumes. The first volume contains the Framework as well as this Executive Summary.
The Framework defines enterprise risk management and describes principles and concepts, providing direction
for all levels of management in businesses and other organizations to use in evaluating and enhancing the
effectiveness of enterprise risk management. This Executive Summary is a high-level overview directed to chief
executives, other senior executives, board members, and regulators. The second volume, Application
Techniques, provides illustrations of techniques useful in applying elements of the framework.

Use of This Report


Suggested actions that might be taken as a result of this report depend on position and role of the parties
involved:

• Board of Directors – The board should discuss with senior management the state of the entity’s enterprise risk management and provide oversight as needed. The board should ensure it is apprised of the most significant risks, along with actions management is taking and how it is ensuring effective enterprise risk management. The board should consider seeking input from internal auditors, external auditors, and others.
• Senior Management – This study suggests that the chief executive assess the organization’s enterprise risk management capabilities. In one approach, the chief executive brings together business unit heads and key functional staff to discuss an initial assessment of enterprise risk management capabilities and effectiveness. Whatever its form, an initial assessment should determine whether there is a need for, and how to proceed with, a broader, more in-depth evaluation.
• Other Entity Personnel – Managers and other personnel should consider how they are conducting their responsibilities in light of this framework and discuss with more-senior personnel ideas for strengthening enterprise risk management. Internal auditors should consider the breadth of their focus on enterprise risk management.
• Regulators – This framework can promote a shared view of enterprise risk management, including what it can do and its limitations. Regulators may refer to this framework in establishing expectations, whether by rule or guidance or in conducting examinations, for entities they oversee.
• Professional Organizations – Rule-making and other professional organizations providing guidance on financial management, auditing, and related topics should consider their standards and guidance in light of this framework. To the extent diversity in concepts and terminology is eliminated, all parties benefit.
• Educators – This framework might be the subject of academic research and analysis, to see where future enhancements can be made. With the presumption that this report becomes accepted as a common ground for understanding, its concepts and terms should find their way into university curricula.

With this foundation for mutual understanding, all parties will be able to speak a common language and
communicate more effectively. Business executives will be positioned to assess their company’s enterprise risk
management process against a standard, and strengthen the process and move their enterprise toward
established goals. Future research can be leveraged off an established base. Legislators and regulators will be

able to gain an increased understanding of enterprise risk management, including its benefits and limitations.
With all parties utilizing a common enterprise risk management framework, these benefits will be realized.

Copyright © 2004 by the Committee of Sponsoring Organizations of the Treadway Commission.


All rights reserved. For information about reprint permission and licensing please call (201) 938-3245. A permissions request form for emailing requests is available at www.aicpa.org/cpyright.htm

Otherwise, requests should be submitted in writing and mailed to Permissions Editor, AICPA, Harborside Financial Center, 201 Plaza Three, Jersey City, NJ 07311-3881.

1. Definition

PDF version: ERM_Framework.pdf

Chapter Summary: All entities face uncertainty, and the challenge for management is to determine how much
uncertainty it is prepared to accept as it strives to grow stakeholder value. Enterprise risk management enables
management to identify, assess, and manage risks in the face of uncertainty, and is integral to value creation
and preservation. Enterprise risk management is a process, effected by an entity’s board of directors,
management and other personnel, applied in strategy setting and across the enterprise. It is designed to identify
potential events that may affect the entity, and manage risk to be within the entity’s risk appetite, to provide
reasonable assurance regarding the achievement of entity objectives. It consists of eight interrelated
components, which are integral to the way management runs the enterprise. The components are linked and
serve as criteria for determining whether enterprise risk management is effective.

A key objective of this framework is to help managements of businesses and other entities better deal with risk in
achieving an entity’s objectives. But enterprise risk management means different things to different people, with
a wide variety of labels and meanings preventing a common understanding. An important goal, then, is to
integrate various risk management concepts into a framework in which a common definition is established,
components are identified, and key concepts are described. This framework accommodates most viewpoints
and provides a starting point for individual entities’ assessment and enhancement of enterprise risk
management, for future initiatives of rule-making bodies, and for education.

Uncertainty and Value
An underlying premise of enterprise risk management is that every entity, whether for-profit, not-for-profit, or a
governmental body, exists to provide value for its stakeholders. All entities face uncertainty, and the challenge
for management is to determine how much uncertainty the entity is prepared to accept as it strives to grow
stakeholder value. Uncertainty presents both risk and opportunity, with the potential to erode or enhance value.
Enterprise risk management enables management to effectively deal with uncertainty and associated risk and
opportunity and thereby enhance the entity’s capacity to build value.

Enterprises operate in environments where factors such as globalization, technology, restructurings, changing
markets, competition, and regulation create uncertainty. Uncertainty emanates from an inability to precisely
determine the likelihood that events will occur and the associated impacts. Uncertainty also is presented and
created by the entity’s strategic choices. For example, an entity has a growth strategy based on expanding
operations to another country. This chosen strategy presents risks and opportunities associated with the
stability of the country’s political environment, resources, markets, channels, workforce capabilities, and costs.

Value is created, preserved, or eroded by management decisions in all activities, from strategy setting to
operating the enterprise day-to-day. Value creation occurs through deploying resources, including people,
capital, technology, and brand, where the benefit derived is greater than resources used. Value preservation
occurs where created value is sustained through, among other things, superior product quality, production
capacity, and customer satisfaction. Value can be eroded where these goals are not achieved due to poor
strategy or execution. Inherent in decisions is recognition of risk and opportunity, requiring that management
consider information about internal and external environments, deploy precious resources, and recalibrate
activities to changing circumstances.

Value is maximized when management sets strategy and objectives to strike an optimal balance between growth
and return goals and related risks, and efficiently and effectively deploys resources in pursuit of the entity’s
objectives. Enterprise risk management encompasses:

 Aligning risk appetite and strategy – Management considers the entity’s risk appetite first in evaluating strategic
alternatives, then in setting objectives aligned with the selected strategy and in developing mechanisms to
manage the related risks. For example, a pharmaceutical company has a low risk appetite relative to its brand
value. Accordingly, to protect its brand, it maintains extensive protocols to ensure product safety and regularly
invests significant resources in early-stage research and development to support brand value creation.
 Enhancing risk response decisions – Enterprise risk management provides the rigor to identify and select
among alternative risk responses – risk avoidance, reduction, sharing, and acceptance. For example,
management of a company that uses company-owned and operated vehicles recognizes risks inherent in its
delivery process, including vehicle damage and personal injury costs. Available alternatives include reducing
Internal Use Only
Exported on 23/02/2022 10:29 pm © All rights are reserved. Page 1356
the risk through effective driver recruiting and training, avoiding the risk by outsourcing delivery, sharing the risk
via insurance, or simply accepting the risk. Enterprise risk management provides methodologies and
techniques for making these decisions.
 Reducing operational surprises and losses – Entities gain enhanced capability to identify potential events,
assess risk, and establish responses, thereby reducing the occurrence of surprises and related costs or losses.
For example, a manufacturing company tracks production parts and equipment failure rates and deviation
around averages. The company assesses the impact of failures using multiple criteria, including time to repair,
inability to meet customer demand, employee safety, and cost of scheduled versus unscheduled repairs, and
responds by setting maintenance schedules accordingly.
 Identifying and managing cross-enterprise risks – Every entity faces a myriad of risks affecting different parts of
the organization. Management needs to not only manage individual risks, but also understand interrelated
impacts. For example, a bank faces a variety of risks in trading activities across the enterprise, and
management developed an information system that analyzes transaction and market data from other internal
systems, which, together with relevant externally generated information, provides an aggregate view of risks
across all trading activities. The information system allows drilldown capability to department, customer or
counterparty, trader, and transaction levels, and quantifies the risks relative to risk tolerances in established
categories. The system enables the bank to bring together previously disparate data to respond more
effectively to risks using aggregated as well as targeted views.
• Providing integrated responses to multiple risks – Business processes carry many inherent risks, and enterprise
risk management enables integrated solutions for managing the risks. For instance, a wholesale distributor
faces risks of over- and under-supply positions, tenuous supply sources, and unnecessarily high purchase
prices. Management identified and assessed risk in the context of the company’s strategy, objectives, and
alternative responses, and developed a far-reaching inventory control system. The system integrates with
suppliers, sharing sales and inventory information and enabling strategic partnering, and avoiding stock-outs
and unneeded carrying costs, with longer-term sourcing contracts and enhanced pricing. Suppliers take
responsibility for replenishing stock, generating further cost reductions.
• Seizing opportunities – By considering a full range of potential events, rather than just risks, management
identifies events representing opportunities. For example, a food company considered potential events likely to
affect its sustainable revenue growth objective. In evaluating the events, management determined that the
company’s primary consumers are increasingly health conscious and changing their dietary preferences,
indicating a decline in future demand for the company’s current products. In determining its response,
management identified ways to apply its existing capabilities to developing new products, enabling the company
not only to preserve revenue from existing customers, but also to create additional revenue by appealing to a
broader consumer base.
• Improving deployment of capital – Obtaining robust information on risk allows management to effectively assess
overall capital needs and enhance capital allocation. For example, a financial institution became subject to new
regulatory rules that would increase capital requirements unless management calculated credit and operational
risk levels and related capital needs with greater specificity. The company assessed the risk in terms of system
development cost versus additional capital costs, and made an informed decision. With existing, readily
modifiable software, the institution developed the more precise calculations, avoiding a need for additional
capital sourcing.

These capabilities are inherent in enterprise risk management, which helps management achieve the entity’s
performance and profitability targets and prevent loss of resources. Enterprise risk management helps ensure
effective reporting. And it helps ensure that the entity complies with laws and regulations, avoiding damage to
its reputation and associated consequences. In sum, enterprise risk management helps an entity get to where it
wants to go and avoid pitfalls and surprises along the way.

Events – Risks and Opportunities


An event is an incident or occurrence from internal or external sources that affects achievement of objectives.
Events can have negative impact, positive impact, or both. Events with negative impact represent risks.
Accordingly, risk is defined as follows:

Risk is the possibility that an event will occur and adversely affect the achievement of objectives.

Events with adverse impact prevent value creation or erode existing value. Examples include plant machinery
breakdowns, fire, and credit losses. Events with an adverse impact can derive from seemingly positive
conditions, such as where customer demand for product exceeds production capacity, causing failure to meet
buyer demand, eroded customer loyalty, and decline in future orders.

Events with positive impact may offset negative impacts or represent opportunities. Opportunity is defined as
follows:

Opportunity is the possibility that an event will occur and positively affect the achievement of objectives.

Opportunities support value creation or preservation. Management channels opportunities back to its strategy or
objective-setting processes, so that actions can be formulated to seize the opportunities.

Definition of Enterprise Risk Management

Enterprise risk management deals with risks and opportunities to create or preserve value. It is defined as
follows:

Enterprise risk management is a process, effected by an entity’s board of directors, management and other
personnel, applied in strategy setting and across the enterprise, designed to identify potential events that
may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance
regarding the achievement of entity objectives.

This definition reflects certain fundamental concepts. Enterprise risk management is:

• A process, ongoing and flowing through an entity
• Effected by people at every level of an organization
• Applied in strategy setting
• Applied across the enterprise, at every level and unit, and includes taking an entity-level portfolio view of risk
• Designed to identify potential events affecting the entity and manage risk within its risk appetite
• Able to provide reasonable assurance to an entity’s management and board
• Geared to the achievement of objectives in one or more separate but overlapping categories – it is a means to
an end, not an end in itself

This definition is purposefully broad for several reasons. It captures key concepts fundamental to how
companies and other organizations manage risk, providing a basis for application across types of organizations,
industries, and sectors. It focuses directly on achievement of objectives established by a particular entity. And,
the definition provides a basis for defining enterprise risk management effectiveness, discussed later in this
chapter. The fundamental concepts outlined above are discussed in the following paragraphs.

A Process
Enterprise risk management is not static, but rather a continuous or iterative interplay of actions that permeate
an entity. These actions are pervasive and inherent in the way management runs the business.

Enterprise risk management is different from the perspective of some observers who view it as something added
on to an entity’s activities. That is not to say effective enterprise risk management does not require incremental
effort, as it may. In considering credit and currency risks, for example, incremental effort may be required to
develop needed models and make necessary analyses and calculations. However, these enterprise risk
management mechanisms are intertwined with an entity’s operating activities and exist for fundamental business
reasons. Enterprise risk management is most effective when these mechanisms are built into the entity’s
infrastructure and are part of the essence of the enterprise. By building in enterprise risk management, an entity
can directly affect its ability to implement its strategy and achieve its mission.

Building in enterprise risk management has important implications for cost containment, especially in the highly
competitive marketplaces many companies face. Adding new procedures separate from existing ones adds
costs. By focusing on existing operations and their contribution to effective enterprise risk management, and

integrating risk management into basic operating activities, an enterprise can avoid unnecessary procedures and
costs. And, a practice of building enterprise risk management into the fabric of operations helps identify new
opportunities for management to seize in growing the business.

Effected by People
Enterprise risk management is effected by an entity’s board of directors, management and other personnel. It is
accomplished by the people of an organization, by what they do and say. People establish the entity’s mission,
strategy, and objectives, and put enterprise risk management mechanisms in place.

Similarly, enterprise risk management affects people’s actions. Enterprise risk management recognizes that
people do not always understand, communicate, or perform consistently. Each individual brings to the
workplace a unique background and technical ability, and has different needs and priorities.

These realities affect, and are affected by, enterprise risk management. Each person has a unique point of
reference, which influences how he or she identifies, assesses, and responds to risk. Enterprise risk
management provides the mechanisms needed to help people understand risk in the context of the entity’s
objectives. People must know their responsibilities and limits of authority. Accordingly, a clear and close linkage
needs to exist between people’s duties and the way in which they are carried out, as well as with the entity’s
strategy and objectives.

An organization’s people include the board of directors, management and other personnel. Although directors
primarily provide oversight, they also provide direction and approve strategy and certain transactions and
policies. As such, boards of directors are an important element of enterprise risk management.

Applied in Setting Strategy


An entity sets out its mission or vision and establishes strategic objectives, which are the high-level goals that
align with and support its mission or vision. An entity establishes a strategy for achieving its strategic
objectives. It also sets related objectives it wants to achieve, flowing from the strategy, cascading to entity
business units, divisions, and processes.

Enterprise risk management is applied in strategy setting, in which management considers risks relative to
alternative strategies. For instance, one alternative may be to acquire other companies in order to grow market
share. Another may be to cut sourcing costs in order to realize higher gross margin percentage. Each of these
strategic choices poses a number of risks. If management selects the first strategy, it may have to expand into
new and unfamiliar markets, competitors may be able to gain share in the company’s existing markets, or the
company might not have the capabilities to effectively implement the strategy. With the second, risks include
having to use new technologies or suppliers, or form new alliances. Enterprise risk management techniques are

applied at this level to assist management in evaluating and selecting the entity’s strategy and related
objectives.

Applied Across the Enterprise


In applying enterprise risk management, an entity should consider its entire scope of activities. Enterprise risk
management considers activities at all levels of the organization, from enterprise-level activities such as strategic
planning and resource allocation, to business unit activities such as marketing and human resources, to
business processes such as production and new customer credit review. Enterprise risk management also
applies to special projects and new initiatives that might not yet have a designated place in the entity’s hierarchy
or organization chart.

Enterprise risk management requires an entity to take a portfolio view of risk. This might involve each manager
responsible for a business unit, function, process, or other activity developing an assessment of risk for the
activity. The assessment may be quantitative or qualitative. With a composite view at each succeeding level of
the organization, senior management is positioned to make a determination whether the entity’s overall risk
portfolio is commensurate with its risk appetite.

Management considers interrelated risks from an entity-level portfolio perspective. Risks for individual units of
the entity may be within the units’ risk tolerances, but taken together may exceed the risk appetite of the entity
as a whole. Or, conversely, potential events may represent an otherwise unacceptable risk in one business unit,
but with an offsetting effect in another. Interrelated risks need to be identified and acted on so that the entirety of
risk is consistent with the entity’s risk appetite.

Risk Appetite
Risk appetite is the amount of risk, on a broad level, an entity is willing to accept in pursuit of value. It reflects
the entity’s risk management philosophy, and in turn influences the entity’s culture and operating style. Many
entities consider risk appetite qualitatively, with such categories as high, moderate, or low, while others take a
quantitative approach, reflecting and balancing goals for growth, return, and risk. A company with a higher risk
appetite may be willing to allocate a large portion of its capital to such high-risk areas as newly emerging
markets. In contrast, a company with a low risk appetite might limit its short-term risk of large losses of capital
by investing only in mature, stable markets.

Risk appetite is directly related to an entity’s strategy. It is considered in strategy setting, as different strategies
expose an entity to different risks. Enterprise risk management helps management select a strategy that aligns
anticipated value creation with the entity’s risk appetite.

Risk appetite guides resource allocation. Management allocates resources among business units and initiatives
with consideration of the entity’s risk appetite and the unit’s plan for generating desired return on invested
resources. Management considers its risk appetite as it aligns its organization, people, and processes, and
designs infrastructure necessary to effectively respond to and monitor risks.

Risk tolerances relate to the entity’s objectives. Risk tolerance is the acceptable level of variation relative to
achievement of a specific objective, and often is best measured in the same units as those used to measure the
related objective.

In setting risk tolerance, management considers the relative importance of the related objective and aligns risk
tolerances with risk appetite. Operating within risk tolerances helps ensure that the entity remains within its risk
appetite and, in turn, that the entity will achieve its objectives.

Provides Reasonable Assurance


Well-designed and operated enterprise risk management can provide management and the board of directors
reasonable assurance regarding achievement of an entity’s objectives. Reasonable assurance reflects the
notion that uncertainty and risk relate to the future, which no one can predict with precision.

Reasonable assurance does not imply that enterprise risk management frequently will fail. Many factors,
individually and collectively, reinforce the concept of reasonable assurance. The cumulative effect of risk
responses that satisfy multiple objectives and the multipurpose nature of internal controls reduce the risk that an
entity may not achieve its objectives. Furthermore, the normal everyday operating activities and responsibilities
of people functioning at various levels of an organization are directed at achieving the entity’s objectives.
Indeed, among a cross-section of well-controlled entities, it is likely that most will be apprised regularly of
movement toward their strategic and operations objectives, will achieve compliance objectives regularly, and
consistently will produce – period after period, year after year – reliable reports. However, an uncontrollable
event, a mistake, or an improper reporting incident can occur. In other words, even effective enterprise risk
management can experience a failure. Reasonable assurance is not absolute assurance.

Achievement of Objectives
Within the context of the established mission, management establishes strategic objectives, selects strategy,
and establishes other objectives cascading through the enterprise and aligned with and linked to the strategy.
Although many objectives are specific to a particular entity, some are widely shared. For example, objectives
common to virtually all entities are achieving and maintaining a positive reputation within the business and
consumer communities, providing reliable reporting to stakeholders, and operating in compliance with laws and
regulations.

This framework establishes four categories of entity objectives:

• Strategic – relating to high-level goals, aligned with and supporting the entity’s mission

• Operations – relating to effective and efficient use of the entity’s resources
• Reporting – relating to the reliability of the entity’s reporting
• Compliance – relating to the entity’s compliance with applicable laws and regulations

This categorization of entity objectives allows a focus on separate aspects of enterprise risk management.
These distinct but overlapping categories – a particular objective can fall under more than one category –
address different entity needs and may be the direct responsibility of different executives. This categorization
also allows distinctions between what can be expected from each category of objectives.

Some entities use another category of objectives, “safeguarding of resources,” sometimes referred to as
“safeguarding of assets.” Viewed broadly, these deal with prevention of loss of an entity’s assets or resources,
whether through theft, waste, inefficiency, or what turns out to be simply bad business decisions – such as
selling product at too low a price, failing to retain key employees or prevent patent infringement, or incurring
unforeseen liabilities. These are primarily operations objectives, although certain aspects of safeguarding can
fall under other categories. Where legal or regulatory requirements apply, these become compliance issues.
When considered in conjunction with public reporting, a narrower definition of safeguarding of assets often is
used, dealing with prevention or timely detection of unauthorized acquisition, use, or disposition of an entity’s
assets that could have a material effect on the financial statements.

Enterprise risk management can be expected to provide reasonable assurance of achieving objectives relating
to the reliability of reporting, and compliance with laws and regulations. Achievement of those categories of
objectives is within the entity’s control and depends on how well the entity’s related activities are performed.

However, achievement of strategic objectives, such as attaining a specified market share, and operations
objectives, such as successfully launching a new product line, is not always within the entity’s control.
Enterprise risk management cannot prevent bad judgments or decisions, or external events that can cause a
business to fail to achieve operations goals. It does, however, enhance the likelihood that management will
make better decisions. For these objectives, enterprise risk management can provide reasonable assurance
that management, and the board in its oversight role, are made aware, in a timely manner, of the extent to which
the entity is moving toward achievement of the objectives.

Components of Enterprise Risk Management

Enterprise risk management consists of eight interrelated components. These are derived from the way
management runs a business and are integrated with the management process. These components are:

• Internal Environment – Management sets a philosophy regarding risk and establishes a risk appetite. The
internal environment sets the basis for how risk and control are viewed and addressed by an entity’s people.
The core of any business is its people – their individual attributes, including integrity, ethical values, and
competence – and the environment in which they operate.
• Objective Setting – Objectives must exist before management can identify potential events affecting their
achievement. Enterprise risk management ensures that management has in place a process to set objectives
and that the chosen objectives support and align with the entity’s mission and are consistent with its risk
appetite.
• Event Identification – Potential events that might have an impact on the entity must be identified. Event
identification involves identifying potential events from internal or external sources affecting achievement of
objectives. It includes distinguishing between events that represent risks, those representing opportunities, and
those that may be both. Opportunities are channeled back to management’s strategy or objective-setting
processes.
• Risk Assessment – Identified risks are analyzed in order to form a basis for determining how they should be
managed. Risks are associated with objectives that may be affected. Risks are assessed on both an inherent
and a residual basis, with the assessment considering both risk likelihood and impact.
• Risk Response – Personnel identify and evaluate possible responses to risks, which include avoiding, accepting,
reducing, and sharing risk. Management selects a set of actions to align risks with the entity’s risk tolerances
and risk appetite.
• Control Activities – Policies and procedures are established and executed to help ensure the risk responses
management selects are effectively carried out.
• Information and Communication – Relevant information is identified, captured, and communicated in a form and
timeframe that enable people to carry out their responsibilities. Information is needed at all levels of an entity for
identifying, assessing, and responding to risk. Effective communication also occurs in a broader sense, flowing
down, across, and up the entity. Personnel receive clear communications regarding their role and
responsibilities.
• Monitoring – The entirety of enterprise risk management is monitored, and modifications made as necessary. In
this way, it can react dynamically, changing as conditions warrant. Monitoring is accomplished through ongoing
management activities, separate evaluations of enterprise risk management, or a combination of the two.

Enterprise risk management is a dynamic process. For example, the assessment of risks drives risk response
and may influence control activities and highlight a need to reconsider information and communication needs or
the entity’s monitoring activities. Thus, enterprise risk management is not strictly a serial process, where one
component affects only the next. It is a multidirectional, iterative process in which almost any component can
and will influence another.

No two entities will, or should, apply enterprise risk management in the same way. Companies and their
enterprise risk management capabilities and needs differ dramatically by industry and size, and by management
philosophy and culture. Thus, while all entities should have each of the components in place and operating
effectively, one company’s application of enterprise risk management – including the tools and techniques
employed and the assignment of roles and responsibilities – often will look very different from another’s.

Relationship of Objectives and Components

There is a direct relationship between objectives, which are what an entity strives to achieve, and the enterprise
risk management components, which represent what is needed to achieve them. The relationship is depicted in
a three-dimensional matrix, in the shape of a cube, shown in Exhibit 1.1.

Exhibit 1.1

• The four objectives categories – strategic, operations, reporting, and compliance – are represented by the
vertical columns
• The eight components are represented by horizontal rows
• The entity and its units are depicted by the third dimension of the cube

Each component row “cuts across” and applies to all four objectives categories. For example, financial and non-
financial data generated from internal and external sources, which is part of the information and communication
component, is needed to set strategy, effectively manage business operations, report effectively, and determine
that the entity is complying with applicable laws.

Similarly, looking at the objectives categories, all eight components are relevant to each. Taking one category,
effectiveness and efficiency of operations, for example, all eight components are applicable and important to its
achievement.

Enterprise risk management is relevant to an entire enterprise or to any of its individual units. This relationship
is depicted by the third dimension, which represents subsidiaries, divisions, and other business units.
Accordingly, one could focus on any one of the matrix’s cells. For instance, one could consider the top right
back cell, representing the internal environment as it relates to compliance objectives of a particular subsidiary.

It should be recognized that the four columns represent categories of an entity’s objectives, not parts or units of
the entity. Accordingly, when considering the category of objectives related to reporting, for example, knowledge
of a wide array of information about the entity’s operations is needed. But in that case, focus is on the right-
middle column of the model – the reporting objectives – rather than the operations objectives category.

Effectiveness
While enterprise risk management is a process, its effectiveness is a state or condition at a point in
time. Determining whether enterprise risk management is “effective” is a judgment resulting from an
assessment of whether the eight components are present and functioning effectively. Thus, the components are
also criteria for effective enterprise risk management. For the components to be present and functioning
properly there can be no material weaknesses, and risk needs to have been brought within the entity’s risk
appetite.

When enterprise risk management is determined to be effective in each of the four categories of objectives,
respectively, the board of directors and management have reasonable assurance that:

• They understand the extent to which the entity’s strategic objectives are being achieved
• They understand the extent to which the entity’s operations objectives are being achieved
• The entity’s reporting is reliable
• Applicable laws and regulations are being complied with

While in order for enterprise risk management to be deemed effective all eight components must be present and
functioning properly – applying the principles described in the following chapters – some trade-offs may exist
between components. Because enterprise risk management techniques can serve a variety of purposes,
techniques applied relative to one component might serve the purpose of techniques normally present in
another. Additionally, risk responses can differ in the degree to which they address a particular risk, so that
complementary risk responses and controls, each with limited effect, together may be satisfactory.

The concepts discussed here apply to all entities, regardless of size. While some small and mid-size entities
may implement component factors differently than large ones, they still can have effective enterprise risk
management. The methodology for each component is likely to be less formal and less structured in smaller
entities than in larger ones, but the basic concepts should be present in every entity.

Enterprise risk management usually is considered in the context of an enterprise as a whole, which involves
considering its application in significant business units. There may, however, be circumstances where the
effectiveness of enterprise risk management is to be evaluated separately for a particular business unit. In such
circumstance, in order to conclude that enterprise risk management for the unit is effective all eight components
must be present and functioning effectively in the unit. Thus, for example, because having a board of directors
with specified attributes is part of the internal environment, enterprise risk management for a particular business
unit may be judged effective only when the unit has in place an appropriately functioning board of directors or
similar body (or the entity-level board of directors applies requisite oversight directly to the business unit).
Similarly, because the risk response component describes taking a portfolio view of risk, for enterprise risk
management to be judged effective there must be a portfolio view of risk for that business unit.

Encompasses Internal Control


Internal control is an integral part of enterprise risk management. This enterprise risk management framework
encompasses internal control, forming a more robust conceptualization and tool for management. Internal
control is defined and described in Internal Control – Integrated Framework. Because Internal Control –
Integrated Framework is the basis for existing rules, regulations, and laws, and has stood the test of time, that
document remains in place as the definition of and framework for internal control. While only portions of the text
of Internal Control – Integrated Framework are reproduced in this framework, the entirety of Internal Control –
Integrated Framework is incorporated by reference into this framework. Appendix C describes the relationship
between enterprise risk management and internal control.

Enterprise Risk Management and the Management Process

Because enterprise risk management is part of the management process, the enterprise risk management
framework components are discussed in the context of what management does in running a business or other
entity. But not everything management does is a part of enterprise risk management. Many judgments applied
in management’s decision making and related management actions, while part of the management process, are
not part of enterprise risk management. For example:

• Ensuring there is an appropriate process for objective setting is a critical component of enterprise risk
management, but the particular objectives selected by management are not part of enterprise risk management.

• Responding to risks, based on an appropriate assessment of the risks, is a part of enterprise risk management,
but the specific risk responses selected and the associated allocation of entity resources are not.
• Establishing and executing control activities to help ensure the risk responses management selects are
effectively carried out is a part of enterprise risk management, but the particular control activities chosen are
not.

In general, enterprise risk management involves those elements of the management process that enable
management to make informed risk-based decisions, but the particular decisions selected from an array of
appropriate choices do not determine whether enterprise risk management is effective. However, while the
specific objectives, risk responses, and control activities selected are a matter of management judgment, the
choices must result in reducing risk to an acceptable level, as determined by risk appetite and reasonable
assurance regarding achievement of entity objectives.

2. Internal Environment

Chapter Summary: The internal environment encompasses the tone of an organization, influencing the risk
consciousness of its people, and is the basis for all other components of enterprise risk management, providing
discipline and structure. Internal environment factors include an entity’s risk management philosophy; its risk
appetite; oversight by the board of directors; the integrity, ethical values, and competence of the entity’s people;
and the way management assigns authority and responsibility, and organizes and develops its people.

The internal environment is the basis for all other components of enterprise risk management, providing
discipline and structure. It influences how strategies and objectives are established, business activities are
structured, and risks are identified, assessed, and acted upon. And it influences the design and functioning of
control activities, information and communication systems, and monitoring activities.

The internal environment is influenced by an entity’s history and culture. It comprises many elements, including
the entity’s ethical values, competence and development of personnel, management’s philosophy for managing

risk, and how it assigns authority and responsibility. A board of directors is a critical part of the internal
environment and significantly influences other internal environment elements.

Although all elements are important, the extent to which each is addressed will vary with the entity. For
example, the chief executive of a company with a small workforce and centralized operations might not establish
formal lines of responsibility and detailed operating policies. Nevertheless, the company could have an internal
environment that provides an appropriate foundation for enterprise risk management.

Risk Management Philosophy


An entity’s risk management philosophy is the set of shared beliefs and attitudes characterizing how the entity
considers risk in everything it does, from strategy development and implementation to its day-to-day
activities. Its risk management philosophy reflects the entity’s values, influencing its culture and operating style,
and affects how enterprise risk management components are applied, including how risks are identified, the
kinds of risks accepted, and how they are managed.

A company that has been successful accepting significant risks is likely to have a different outlook on enterprise
risk management than one that has faced harsh economic or regulatory consequences as a result of venturing
into dangerous territory. While some entities may work to achieve effective enterprise risk management to
satisfy requirements of an external stakeholder, such as a parent company or regulator, more often it is because
management recognizes that effective risk management helps the entity create and preserve value.

When the risk management philosophy is well developed, understood, and embraced by its personnel, the entity
is positioned to effectively recognize and manage risk. Otherwise, there can be unacceptably uneven
application of enterprise risk management across business units, functions, or departments. But even when an
entity’s philosophy is well developed, there nonetheless may be cultural differences among its units, resulting in
variation in enterprise risk management application. Managers of some units may be prepared to take more
risk, while others are more conservative. For example, an aggressive selling function may focus its attention on
making a sale, without careful attention to regulatory compliance matters, while the contracting unit’s personnel
focus significant attention on ensuring compliance with all relevant internal and external policies and
regulations. Separately, these different subcultures could adversely affect the entity. But by working well
together the units can appropriately reflect the entity’s risk management philosophy.

The enterprise’s risk management philosophy is reflected in virtually everything management does in running the
entity. It is captured in policy statements, oral and written communications, and decision making. Whether
management emphasizes written policies, standards of behavior, performance indicators, and exception reports,
or operates more informally largely through face-to-face contact with key managers, of critical importance is that
management reinforces the philosophy not only with words but also with everyday actions.

Risk Appetite
Risk appetite is the amount of risk, on a broad level, an entity is willing to accept in pursuit of value. It reflects
the enterprise’s risk management philosophy, and in turn influences the entity’s culture and operating style.

Risk appetite is considered in strategy setting, where the desired return from a strategy should be aligned with
the entity’s risk appetite. Different strategies will expose the entity to different levels of risk, and enterprise risk
management, applied in strategy setting, helps management select a strategy consistent with the entity’s risk
appetite.

Entities consider risk appetite qualitatively, with such categories as high, moderate, or low, or take a quantitative
approach, reflecting and balancing goals for growth and return with risk.

Board of Directors
An entity’s board of directors is a critical part of the internal environment and significantly influences its
elements. The board’s independence from management, experience and stature of its members, extent of its
involvement and scrutiny of activities, and appropriateness of its actions all play a role. Other factors include the
degree to which difficult questions are raised and pursued with management regarding strategy, plans, and
performance, and interaction the board or audit committee has with internal and external auditors.

An active and involved board of directors, board of trustees, or comparable body should possess an appropriate
degree of management, technical, and other expertise, coupled with the mind-set necessary to perform its
oversight responsibilities. This is critical to an effective enterprise risk management environment. And, because
the board must be prepared to question and scrutinize management’s activities, present alternative views, and
act in the face of wrongdoing, the board must include outside directors.

Members of top management may be effective board members, bringing their deep knowledge of the company.
But there must be a sufficient number of independent outside directors not only to provide sound advice,
counsel, and direction, but also to serve as a necessary check and balance on management. For the internal
environment to be effective, the board must have at least a majority of independent outside directors.

Effective boards of directors ensure that management maintains effective risk management. Although an
enterprise historically might not have suffered losses and might have no obvious significant risk exposure, the board
does not succumb to the mythical notion that events with seriously adverse consequences “couldn’t happen
here.” It recognizes that while a company may have a sound strategy, competent employees, sound business
processes, and reliable technology, it, like every entity, is vulnerable to risk, and an effectively functioning risk
management process is needed.

Integrity and Ethical Values
An entity’s strategy and objectives and the way they are implemented are based on preferences, value
judgments, and management styles. Management’s integrity and commitment to ethical values influence these
preferences and judgments, which are translated into standards of behavior. Because an entity’s good
reputation is so valuable, the standards of behavior must go beyond mere compliance with law. Managers of
well-run enterprises increasingly have accepted the view that ethics pays and ethical behavior is good business.

Management integrity is a prerequisite for ethical behavior in all aspects of an entity’s activities. The
effectiveness of enterprise risk management cannot rise above the integrity and ethical values of the people who
create, administer, and monitor entity activities. Integrity and ethical values are essential elements of an entity’s
internal environment, affecting the design, administration, and monitoring of other enterprise risk management
components.

Establishing ethical values often is difficult because of the need to consider the concerns of several parties.
Management values must balance the concerns of the enterprise, employees, suppliers, customers,
competitors, and the public. Balancing these concerns can be complex and frustrating because interests are
often at odds. For example, providing an essential product (petroleum, lumber, or food) may cause
environmental concerns.

Ethical behavior and management integrity are by-products of the corporate culture, which encompasses ethical
and behavioral standards and how they are communicated and reinforced. Official policies specify what the
board and management want to happen. Corporate culture determines what actually happens, and which rules
are obeyed, bent, or ignored. Top management – starting with the CEO – plays a key role in determining the
corporate culture. As the dominant personality in an entity, the CEO often sets the ethical tone.

Certain organizational factors also can influence the likelihood of fraudulent and questionable financial reporting
practices. Those same factors are likely to influence ethical behavior as well. Individuals may engage in
dishonest, illegal, or unethical acts simply because the entity gives them strong incentives or temptations to do
so. Undue emphasis on results, particularly in the short term, can foster an inappropriate internal environment.
Focusing solely on short-term results can hurt even in the short term. Concentration on the bottom line – sales
or profit at any cost – often evokes unsought actions and reactions. High-pressure sales tactics, ruthlessness in
negotiations, or implicit offers of kickbacks, for instance, may evoke reactions that can have immediate (as well
as lasting) effects.

Other incentives for engaging in fraudulent or questionable reporting practices and, by extension, other forms of
unethical behavior may include rewards highly dependent on reported financial and non-financial information,
particularly for short-term results.

Removing or reducing inappropriate incentives and temptations goes a long way toward eliminating undesirable
behavior. As suggested, this can be achieved by following sound and profitable business practices. For
example, performance incentives – accompanied by appropriate controls – can be a useful management
technique as long as the performance targets are realistic. Setting realistic targets is a sound motivational
practice, reducing counterproductive stress as well as the incentive for fraudulent reporting. Similarly, a well-
controlled reporting system can serve as a safeguard against temptation to misstate performance.

Another cause of questionable practices is ignorance. Ethical values must be not only communicated but also
accompanied by explicit guidance regarding what is right and wrong. Formal codes of corporate conduct are
important to and the foundation of an effective ethics program. Codes address a variety of behavioral issues,
such as integrity and ethics, conflicts of interest, illegal or otherwise improper payments, and anticompetitive
arrangements. Upward communications channels where employees feel comfortable bringing relevant
information also are important.

Existence of a written code of conduct, documentation that employees received and understand it, and an
appropriate communications channel by themselves do not ensure the code is being followed. Also important to
compliance are resulting penalties to employees who violate the code, mechanisms that encourage employee
reporting of suspected violations, and disciplinary actions against employees who knowingly fail to report
violations. But compliance with ethical standards, whether or not embodied in a written code, is equally if not
more effectively ensured by top management’s actions and the examples they set. Employees are likely to
develop the same attitudes about right and wrong – and about risks and controls – as those shown by top
management. Messages sent by management’s actions quickly become embodied in the corporate culture.
And knowledge that the CEO has “done the right thing” ethically when faced with a tough business decision
sends a powerful message throughout the entity.

Commitment to Competence
Competence reflects the knowledge and skills needed to perform assigned tasks. Management decides how
well these tasks need to be accomplished, weighing the entity’s strategy and objectives against plans for their
implementation and achievement. A trade-off often exists between competence and cost – it is not necessary,
for instance, to hire an electrical engineer to change a light bulb.

Management specifies the competency levels for particular jobs and translates those levels into requisite
knowledge and skills. The necessary knowledge and skills in turn may depend on individuals’ intelligence,
training, and experience. Factors considered in developing knowledge and skill levels include the nature and
degree of judgment to be applied to a specific job. Often a trade-off can be made between the extent of
supervision and the requisite competence level of the individual.

Organizational Structure
An entity’s organizational structure provides the framework to plan, execute, control, and monitor its activities. A
relevant organizational structure includes defining key areas of authority and responsibility and establishing
appropriate lines of reporting. For example, an internal audit function should be structured in a manner that
achieves organizational objectivity and permits unrestricted access to top management and the audit committee
of the board, and the chief audit executive should report to a level within the organization that allows the internal
audit activity to fulfill its responsibilities.

An entity develops an organizational structure suited to its needs. Some are centralized, others decentralized.
Some have direct reporting relationships, while others are more of a matrix organization. Some entities are
organized by industry or product line, by geographical location or by a particular distribution or marketing
network. Other entities, including many state and local governmental units and not-for-profit institutions, are
organized by function.

The appropriateness of an entity’s organizational structure depends, in part, on its size and the nature of its
activities. A highly structured organization with formal reporting lines and responsibilities may be appropriate for
a large entity that has numerous operating divisions, including foreign operations. However, such a structure
could impede the necessary flow of information in a small company. Whatever the structure, an entity should be
organized to enable effective enterprise risk management and to carry out its activities so as to achieve its
objectives.

Assignment of Authority and Responsibility
Assignment of authority and responsibility involves the degree to which individuals and teams are authorized
and encouraged to use initiative to address issues and solve problems, as well as limits to their authority. It
includes establishing reporting relationships and authorization protocols, as well as policies that describe
appropriate business practices, knowledge and experience of key personnel, and resources provided for
carrying out duties.

Some entities have pushed authority downward to bring decision making closer to front-line personnel. A
company may take this tack to become more market-driven or quality-focused – perhaps to eliminate defects,
reduce cycle time, or increase customer satisfaction. Alignment of authority and accountability often is designed
to encourage individual initiatives, within limits. Delegation of authority means surrendering central control of
certain business decisions to lower echelons – to the individuals who are closest to everyday business
transactions. This may involve empowerment to sell products at discount prices; negotiate long-term supply
contracts, licenses, or patents; or enter alliances or joint ventures.

A critical challenge is to delegate only to the extent required to achieve objectives. This means ensuring that
decision making is based on sound practices for risk identification and assessment, including sizing risks and
weighing potential losses versus gains in determining which risks to accept and how they are to be managed.

Another challenge is ensuring that all personnel understand the entity’s objectives. It is essential that individuals
know how their actions are related to one another and contribute to achievement of the objectives.

Increased delegation sometimes is intentionally accompanied by or the result of streamlining or “flattening” the
organizational structure. Purposeful structural change to encourage creativity, taking initiative, and faster
response times can enhance competitiveness and customer satisfaction. This increased delegation may carry
an implicit requirement for a higher level of employee competence, as well as greater accountability. It also
requires effective procedures for management to monitor results so that decisions can be overruled or accepted
as necessary. Along with better, market-driven decisions, delegation may increase the number of undesirable or
unanticipated decisions. For example, if a district sales manager decides that authorization to sell at 35% off list
price justifies a temporary 45% discount to gain market share, management may need to know so that it can
overrule or accept such decisions going forward.

The internal environment is greatly influenced by the extent to which individuals recognize that they will be held
accountable. This holds true all the way to the chief executive, who, with board oversight, has ultimate
responsibility for all activities within an entity.

Additional principles related to roles and responsibilities by parties integral to effective enterprise risk
management are set forth in the Roles and Responsibilities chapter.

Human Resource Standards
Human resource practices pertaining to hiring, orientation, training, evaluating, counseling, promoting,
compensating, and taking remedial actions send messages to employees regarding expected levels of integrity,
ethical behavior, and competence. For example, standards for hiring the most qualified individuals, with
emphasis on educational background, prior work experience, past accomplishments, and evidence of integrity
and ethical behavior, demonstrate an entity’s commitment to competent and trustworthy people. The same is
true when recruiting practices include formal, in-depth employment interviews and training in the entity’s history,
culture, and operating style.

Training policies can reinforce expected levels of performance and behavior by communicating prospective roles
and responsibilities and by including such practices as training schools and seminars, simulated case studies,
and role-playing exercises. Transfers and promotions driven by periodic performance appraisals demonstrate
the entity’s commitment to advancement of qualified employees. Competitive compensation programs that
include bonus incentives serve to motivate and reinforce outstanding performance – although reward systems
should be structured, and controls in place, to avoid undue temptation to misrepresent reported results.
Disciplinary actions send a message that violations of expected behavior will not be tolerated.

It is essential that employees be equipped to tackle new challenges as issues and risks throughout the entity
change and become more complex – driven in part by rapidly changing technologies and increasing
competition. Education and training, whether classroom instruction, self-study, or on-the-job training, must help
personnel keep pace and deal effectively with the evolving environment. Hiring competent people and providing
one-time training are not enough. The education process is ongoing.

Implications
It is difficult to overstate the importance of an entity’s internal environment and the impact – positive or negative
– it can have on other enterprise risk management components. The impact of an ineffective internal
environment can be far-reaching, possibly resulting in financial loss, a tarnished public image, or a business
failure.

An energy company generally was thought to have effective enterprise risk management since it had high-
powered and respected senior managers, a prestigious board of directors, an innovative strategy, well-designed
information systems and control activities, extensive policy manuals prescribing risk and control functions, and
comprehensive reconciling and supervisory routines. Its internal environment, however, was significantly
flawed. Management participated in highly questionable business practices, and the board turned a “blind-eye.”
The company was found to have misreported financial results and suffered a loss of shareholder confidence, a
liquidity crisis, and destruction of entity value. Ultimately the company went into one of the largest bankruptcies
in history.

The attitude and concern of top management for effective enterprise risk management must be definitive and
clear, and permeate the organization. It is not sufficient to say the right words. An attitude of “do as I say, not as
I do” will only bring about an ineffective environment.

3. Objective Setting

Chapter Summary: Objectives are set at the strategic level, establishing a basis for operations, reporting, and compliance objectives. Every entity faces a variety of risks from external and internal sources, and a precondition to effective event identification, risk assessment, and risk response is establishment of objectives. Objectives are aligned with the entity’s risk appetite, which drives risk tolerance levels for the entity.

Objective setting is a precondition to event identification, risk assessment, and risk response. There must first be
objectives before management can identify and assess risks to their achievement and take necessary actions to
manage the risks.

Strategic Objectives
An entity’s mission sets out in broad terms what the entity aspires to achieve. Whatever term is used, such as
“mission,” “vision,” or “purpose,” it is important that management - with board oversight - explicitly establish the
entity’s broad-based reason for being. From this, management sets strategic objectives, formulates strategy,
and establishes related operations, compliance, and reporting objectives for the organization. While an entity’s
mission and strategic objectives are generally stable, its strategy and many related objectives are more dynamic
and adjusted for changing internal and external conditions. As they change, strategy and related objectives are
realigned with strategic objectives.

Strategic objectives are high-level goals, aligned with and supporting the entity’s mission/vision. Strategic
objectives reflect management’s choice as to how the entity will seek to create value for its stakeholders.

In considering alternative ways to achieve its strategic objectives, management identifies risks associated with a
range of strategy choices and considers their implications. Various event identification and risk assessment
techniques, discussed below and in later chapters, can be used in the strategy-setting process. In this way,
enterprise risk management techniques are used in setting strategy and objectives.

Related Objectives
Establishing the right objectives that support and are aligned with the selected strategy, relative to all entity
activities, is critical to success. By focusing first on strategic objectives and strategy, an entity is positioned to
develop related objectives at an entity level, achievement of which will create and preserve value. Entity-level
objectives are linked to and integrated with more specific objectives that cascade through the organization to
sub-objectives established for various activities, such as sales, production, and engineering, and infrastructure
functions.

By setting objectives at the entity and activity levels, an entity can identify critical success factors. These are key
things that must go right if goals are to be attained. Critical success factors exist for an entity, a business unit, a
function, a department, or an individual. By setting objectives, management can identify measurement criteria
for performance, with a focus on critical success factors.

Where objectives are consistent with prior practice and performance, the linkage among activities is known.
However, where objectives depart from an entity’s past practices, management must address the linkages or run
increased risks. In such cases, there is an even greater need for business unit objectives or sub-objectives that
are consistent with the new direction.

Objectives need to be readily understood and measurable. Enterprise risk management requires that personnel
at all levels have a requisite understanding of the entity’s objectives as they relate to the individual’s sphere of
influence. All employees must have a mutual understanding of what is to be accomplished and a means of
measuring what is being accomplished.

Categories of Related Objectives
Despite the diversity of objectives across entities, certain broad categories are established:

• Operations Objectives – These pertain to the effectiveness and efficiency of the entity’s operations, including
performance and profitability goals and safeguarding resources against loss. They vary based on
management’s choices about structure and performance.
• Reporting Objectives – These pertain to the reliability of reporting. They include internal and external reporting
and may involve financial and non-financial information.
• Compliance Objectives – These pertain to adherence to relevant laws and regulations. They are dependent on
external factors and tend to be similar across all entities in some cases and across an industry in others.

Certain objectives follow from the business an entity is in. Some companies, for example, submit information to
environmental agencies, and publicly traded companies file information with securities regulators. These
externally imposed requirements are established by law or regulation, and fall into the reporting or compliance
categories or, in these examples, both.

Conversely, operations objectives, as well as those for internal management reporting, are based more on
preferences, judgments, and management style. They vary widely among entities simply because informed,
competent, and honest people may select different objectives. Regarding product development, for example,
one entity chooses to be an early adopter, another a quick follower, and yet another a slow lagger. These
choices affect the structure, skills, staffing, and controls of the research and development function.
Consequently, no one formulation of objectives is optimal for all entities.

Operations Objectives
Operations objectives relate to the effectiveness and efficiency of the entity’s operations. They include related
sub-objectives for operations, directed at enhancing operating effectiveness and efficiency in moving the
enterprise toward its ultimate goal.

Operations objectives need to reflect the particular business, industry, and economic environments in which the
entity functions. The objectives need, for example, to be relevant to competitive pressures for quality, reduced
cycle times to bring products to market, or changes in technology. Management must ensure that objectives
reflect reality and the demands of the marketplace, and are expressed in terms that allow meaningful
performance measurements. A clear set of operations objectives, linked to sub-objectives, is fundamental to
success. Operations objectives provide a focal point for directing allocated resources; if an entity’s operations
objectives are not clear or well conceived, its resources may be misdirected.

Reporting Objectives
Reliable reporting provides management accurate and complete information appropriate for its intended
purpose. It supports management’s decision making and monitoring of the entity’s activities and performance.
Examples of such reports include results of marketing programs, daily sales flash reports, production quality,
and employee and customer satisfaction results. Reporting also relates to reports prepared for external
dissemination, such as financial statements and footnote disclosures, management’s discussion and analysis,
and reports filed with regulatory agencies.

Compliance Objectives
Entities must conduct their activities, and often must take specific actions, in accordance with relevant laws and
regulations. These requirements may relate to markets, pricing, taxes, the environment, employee welfare, and
international trade. Applicable laws and regulations establish minimum standards of behavior, which the entity
integrates into its compliance objectives. For example, occupational health and safety regulations cause one
company to define its objective as, “Package and label all chemicals in accordance with regulations.” In this
case, policies and procedures deal with communication programs, site inspections, and training. An entity’s
compliance record can significantly – either positively or negatively – affect its reputation in the community and
marketplace.

Subcategories
The categories of objectives are part of the common language established by this framework, facilitating
understanding and communication. An entity may, however, find it useful to discuss a subset of one or more
objectives categories, to facilitate communication, internally or externally, on a narrower topic. A company
might, for instance, decide to communicate the effectiveness of a part of the reporting category, say, enterprise
risk management over external reporting, or perhaps over only external financial reporting. Doing so enables
the communication to stay within the context of this enterprise risk management framework, while allowing
communications on specific subsets of categories.

Overlap of Objectives
An objective in one category may overlap or support an objective in another. The category in which an objective
falls sometimes depends on circumstances. For example, providing reliable information to business unit
management to manage and control production activities may serve to achieve both operations and reporting
objectives. And, to the extent the information is used for reporting environmental data to the government, it
serves compliance objectives.

Some entities use another category of objectives, “safeguarding of resources,” sometimes referred to as
“safeguarding of assets,” which overlaps with the other categories of objectives. Viewed broadly, safeguarding
of assets deals with prevention of loss of an entity’s assets or resources, whether through theft, waste,
inefficiency, or what turns out to be simply bad business decisions – such as selling product at too low a price,
failing to retain key employees or prevent patent infringement, or incurring unforeseen liabilities. These are
primarily operations objectives, although certain aspects of safeguarding can fall under the other categories.
Where legal or regulatory requirements apply, these become compliance objectives. On the other hand,
properly reflecting asset losses in the entity’s financial statements represents a reporting objective.

When considered in conjunction with public reporting, a narrower definition of safeguarding of assets often is
used, dealing with prevention or timely detection of unauthorized acquisition, use, or disposition of an entity’s
assets. For further discussion of this category of objectives, reference should be made to Internal Control –
Integrated Framework, including the Addendum to Reporting to External Parties module.

Achievement of Objectives
An appropriate process for objective setting is a critical component of enterprise risk management. Although
objectives provide the measurable targets toward which the entity moves in conducting its activities, they have
differing degrees of importance and priority. Accordingly, while an entity should have reasonable assurance that
certain objectives are achieved, that may not be the case for all objectives.

Effective enterprise risk management provides reasonable assurance that an entity’s reporting objectives are
being achieved. Similarly, there should be reasonable assurance that compliance objectives are being
achieved. Achieving reporting and compliance objectives is largely within the entity’s control. That is, once the
objectives have been determined, the entity has control over its ability to do what is needed to meet them.

But there is a difference when it comes to strategic and operations objectives, because their achievement is not
solely within the entity’s control. An entity may perform as intended, yet be outperformed by a competitor. It is
subject to external events – such as a change in government, poor weather, and the like – where an occurrence
is beyond its control. It may even have considered some of these events in its objective-setting process and
treated them as having a low likelihood, with a contingency plan in case they occurred. However, such a plan
only mitigates the impact of external events. It does not ensure that the objectives will be achieved.

Enterprise risk management over operations focuses primarily on developing consistency of objectives and
goals throughout the organization; identifying key success factors and risks; assessing the risks and making
informed responses; implementing appropriate risk responses and establishing needed controls; and timely
reporting of performance and expectations. For strategic and operations objectives, enterprise risk management
can provide reasonable assurance that management and, in its oversight role, the board are made aware, in a
timely manner, of the extent to which the entity is moving toward achievement of these objectives.

Selected Objectives
As part of enterprise risk management, management not only selects objectives and considers how they support
the entity’s mission, but also ensures that they align with the entity’s risk appetite. Misalignment could result in
not accepting enough risk to achieve the objectives or, conversely, accepting too much risk. Effective enterprise
risk management does not dictate which objectives management should choose, but that management has a
process that aligns strategic objectives with the entity’s mission and that ensures the chosen strategic and
related objectives are consistent with the entity’s risk appetite.

Risk Appetite
Risk appetite, established by management with oversight of the board of directors, is a guidepost in strategy
setting. Companies may express risk appetite as the acceptable balance of growth, risk, and return, or as risk-
adjusted shareholder value-added measures. Some entities, such as not-for-profit organizations, express risk
appetite as the level of risk they will accept in providing value to their stakeholders.

There is a relationship between an entity’s risk appetite and its strategy. Usually any of a number of different
strategies can be designed to achieve desired growth and return goals, each having different risks. Enterprise
risk management, applied in strategy setting, helps management select a strategy consistent with its risk
appetite. If the risk associated with a strategy is inconsistent with the entity’s risk appetite, the strategy is
revised. This may occur where management initially formulates a strategy that exceeds the entity’s risk appetite,
or where the strategy does not embrace sufficient risk to allow the entity to achieve its strategic objectives and
mission.

The entity’s risk appetite is reflected in entity strategy, which in turn guides resource allocation. Management
allocates resources across business units, with consideration of the entity’s risk appetite and individual business
units’ strategic plans, to generate a desired return on invested resources. Management looks to align the
organization, people, processes, and infrastructure to facilitate successful strategy implementation and enable
the entity to stay within its risk appetite.

Risk Tolerances
Risk tolerances are the acceptable levels of variation relative to the achievement of objectives. Risk tolerances
can be measured, and often are best measured in the same units as the related objectives.

Performance measures are used to help ensure that actual results will be within established risk tolerances. For
example, a company targets on-time delivery at 98%, with acceptable variation in the range of 97%–100% of the
time; it targets training with a pass rate of 90%, with acceptable performance of at least 75%; and it expects staff
to respond to all customer complaints within 24 hours, but accepts that up to 25% of complaints may receive a
response within 24–36 hours.

In setting risk tolerances, management considers the relative importance of the related objectives, and aligns
risk tolerances with risk appetite. Operating within risk tolerances provides management greater assurance that
the entity remains within its risk appetite, which, in turn, provides a higher degree of comfort that the entity will
achieve its objectives.

4. Event Identification

Chapter Summary: Management identifies potential events that, if they occur, will affect the entity, and
determines whether they represent opportunities or whether they might adversely affect the entity’s ability to
successfully implement strategy and achieve objectives. Events with negative impact represent risks, which
require management’s assessment and response. Events with positive impact represent opportunities, which
management channels back into the strategy and objective-setting processes. When identifying events,
management considers a variety of internal and external factors that may give rise to risks and opportunities, in
the context of the full scope of the organization.

Events
An event is an incident or occurrence emanating from internal or external sources that affects implementation of
strategy or achievement of objectives. Events may have positive or negative impact, or both.

In event identification, management recognizes that uncertainties exist, but does not know whether an event will
occur, or when, or its precise impact should it occur. Management initially considers a range of potential events
– stemming from both internal and external sources – without necessarily focusing on whether the impact is
positive or negative. In this way management identifies not only potential events with negative impact, but also
those representing opportunities to be pursued.

Events range from the obvious to the obscure, and the effects from the inconsequential to the highly significant.
To avoid overlooking relevant events, identification is best made apart from the assessment of the likelihood of
the event occurring and its impact, which is the topic of Risk Assessment. However, practical limitations exist,
and it is often difficult to know where to draw the line. But even events with a relatively low possibility of
occurrence should not be ignored if the impact on achieving an important objective is great.

Influencing Factors
A myriad of external and internal factors drive events that affect strategy implementation and achievement of
objectives. As part of enterprise risk management, management recognizes the importance of understanding
these external and internal factors and the type of events that can emanate therefrom. External factors, along
with examples of related events and their implications, include:

• Economic – Related events include price movements, capital availability, or lower barriers to competitive entry,
resulting in higher or lower cost of capital and new competitors.
• Natural environment – Events include flood, fire, or earthquake, resulting in damage to plant or buildings,
restricted access to raw materials, or loss of human capital.
• Political – Events include election of government officials with new political agendas, and new laws and
regulations, resulting, for example, in newly open or restricted access to foreign markets, or higher or lower
taxes.
• Social – Events include changing demographics, social mores, family structures, and work/life priorities, and
terrorism activity, resulting in changing demand for products and services, new buying venues and human
resource issues, and production stoppages.
• Technological – Events include new means of electronic commerce, resulting in expanded availability of data,
reductions in infrastructure costs, and increased demand for technology-based services.

Events also stem from choices management makes about how it will function. An entity’s capability and capacity
reflect previous choices, influence future events, and affect management decisions. Internal factors, along with
examples of related events and their implications, include:

• Infrastructure – Events include increasing capital allocation to preventive maintenance and to call center
support, reducing equipment downtime, and improving customer satisfaction.
• Personnel – Events include workplace accidents, fraudulent activities, and expiration of labor agreements,
resulting in loss of available personnel, monetary or reputational damage, and production stoppages.
• Process – Events include process modification without adequate change management protocols, process
execution errors, and outsourcing customer delivery with inadequate oversight, resulting in loss of market share,
inefficiency, and customer dissatisfaction and loss of repeat business.
• Technology – Events include increasing resources to handle volume volatility, security breaches, and potential
systems downtime, resulting in backlog reduction, fraudulent transactions, and inability to continue business
operations.

Identifying external and internal factors that influence events is useful to effective event identification. Once the
major contributing factors are identified, management can consider their significance and focus on events that
can affect achievement of objectives.

A manufacturer and importer of footwear, for example, established a vision of being an industry leader in high-
quality men’s shoes. To achieve this, it set out to manufacture products combining style, comfort, and durability,
using the most advanced techniques, together with highly selective import sourcing. The company reviewed its
external operating environment and identified social factors and related events such as changing age of its
primary consumer market and changing trends in work attire. Events from economic factors included foreign
currency fluctuations and interest rate movements. Internal technology factors pointed to an outdated
distribution management system, and personnel factors, to inadequate marketing training.

In addition to identifying events at the entity level, events also should be identified at the activity level. This
helps focus risk assessment (the subject of the next chapter) on major business units or functions, such as
sales, production, marketing, technology development, and research and development.

Event Identification Techniques
An entity’s event identification methodology may comprise a combination of techniques, together with supporting
tools. For instance, management may use interactive group workshops as part of its event identification
methodology, with a facilitator employing any of a variety of technology-based tools to assist participants.

Event identification techniques look to both the past and the future. Techniques that focus on past events and
trends consider such matters as payment default histories, changes in commodity prices, and lost-time
accidents. Techniques that focus on future exposures consider such matters as shifting demographics, new
market conditions, and competitor actions.

Techniques vary widely in level of sophistication. While many of the more sophisticated techniques are industry-
specific, most are derived from a common approach. For example, both the financial services and health and
safety industries use loss event tracking techniques. These techniques start with a focus on common historical
events – where the more basic approaches look at events based on internal staff perceptions, while more
advanced techniques are based on factual sources of observable events – and then feed the data into
sophisticated projection models. Companies more advanced in enterprise risk management typically employ a
combination of techniques that consider both past and potential future events.

Techniques also vary in where they are used within an entity. Some focus on detailed data analysis and create
a bottom-up view of events, while others focus top down. Exhibit 4.1 provides examples of event identification
techniques.

Exhibit 4.1

• Event inventories – These are detailed listings of potential events common to companies within a particular
industry, or to a particular process or activity common across industries. Software products can generate relevant
lists of generic potential events, which some entities use as a starting point for event identification. For example,
a company undertaking a software development project draws on an inventory detailing generic events related to
software development projects.
• Internal analysis – This may be done as part of a routine business planning cycle process, typically via a
business unit’s staff meetings. Internal analysis sometimes utilizes information from other stakeholders
(customers, suppliers, other business units) or subject matter expertise outside the unit (internal or external
functional experts or internal audit staff). For example, a company considering introduction of a new product
utilizes its own historical experience, along with external market research identifying events that have affected the
success of competitors’ products.
• Escalation or threshold triggers – These triggers alert management to areas of concern by comparing current
transactions, or events, with predefined criteria. Once triggered, an event may require further assessment or an
immediate response. For example, a company’s management monitors sales volume in markets targeted for new
marketing or advertising programs and redirects resources based on results. Another company’s management
tracks competitors’ pricing structures and considers changes in its own prices when a specified threshold is met.
• Facilitated workshops and interviews – These techniques identify events by drawing on accumulated
knowledge and experience of management, staff, and other stakeholders through structured discussions. The
facilitator leads a discussion about events that may affect achievement of entity or unit objectives. For example, a
financial controller conducts a workshop with members of the accounting team to identify events that have an
impact on the entity’s external financial reporting objectives. By combining the knowledge and experience of team
members, important events are identified that otherwise might be missed.
• Process flow analysis – This technique considers the combination of inputs, tasks, responsibilities, and outputs
that combine to form a process. By considering the internal and external factors that affect inputs to or activities
within a process, an entity identifies events that could affect achievement of process objectives. For example, a
medical laboratory maps its processes for receipt and testing of blood samples. Using process maps, it considers
the range of factors that could affect inputs, tasks, and responsibilities, identifying risks related to sample labeling,
handoffs within the process, and personnel shift changes.
• Leading event indicators – By monitoring data correlated to events, entities identify the existence of conditions
that could give rise to an event. For example, financial institutions have long recognized the correlation between
late loan payments and eventual loan default, and the positive effect of early intervention. Monitoring payment
patterns enables the potential for default to be mitigated by timely action.
• Loss event data methodologies – Repositories of data on past individual loss events are a useful source of
information for identifying trends and root causes. Once a root cause has been identified, management may find
that it is more effective to assess and treat it than to address individual events. For example, a company
operating a large fleet of automobiles maintains a database of accident claims and through analysis finds that a
disproportionate percentage of accidents, in number and monetary amount, are linked to staff drivers in particular
units, geographies, and age bracket. This analysis equips management to identify root causes of events and take
action.
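The loss event data analysis sketched in the fleet example can be carried out mechanically once claims are recorded against the attributes of the people or assets involved. The following Python is an added illustration, not material from the framework: it takes a constructed driver roster and a constructed claims repository, and for each attribute (unit, geography, age bracket) compares the share of claims, by number and by monetary amount, with the share of the driver population, flagging values whose claim share is out of proportion. The driver mix, the claim amounts and the 1.5x screening threshold are all assumptions made for the example.

```python
"""Loss event data analysis over a constructed fleet accident claims database.

Added illustration (not COSO's own material): find the driver attributes whose
share of claims (by number and by amount) is out of proportion to their share
of the driver population, the analysis the fleet example in Exhibit 4.1 describes.
"""
from collections import defaultdict

DIMENSIONS = ("unit", "region", "age_bracket")


def _roster(prefix, unit, region, age_bracket, count):
    """Constructed helper: `count` drivers that share the same attributes."""
    return [
        {"driver_id": f"{prefix}{i}", "unit": unit, "region": region, "age_bracket": age_bracket}
        for i in range(1, count + 1)
    ]


# Constructed driver population (20 drivers); the attribute mix is invented.
DRIVERS = (
    _roster("LN", "logistics", "north", "under_25", 2)
    + _roster("LS", "logistics", "south", "25_to_50", 2)
    + _roster("SN", "sales", "north", "25_to_50", 5)
    + _roster("SS", "sales", "south", "over_50", 5)
    + _roster("VN", "service", "north", "25_to_50", 3)
    + _roster("VS", "service", "south", "over_50", 3)
)

# Constructed accident claims: (driver_id, claim amount in currency units).
CLAIMS = [
    ("LN1", 4000.0), ("LN1", 6000.0), ("LN2", 3000.0), ("LS1", 7000.0), ("LS2", 5000.0),
    ("SN1", 1000.0), ("SS1", 2000.0), ("SN2", 1500.0),
    ("VN1", 500.0), ("VS1", 1000.0),
]


def shares_by(drivers, claims, dimension):
    """Return {value: (driver_share, claim_count_share, claim_amount_share)}
    for every value of `dimension` present in the roster."""
    attrs = {d["driver_id"]: d for d in drivers}
    driver_count = defaultdict(int)
    claim_count = defaultdict(int)
    claim_amount = defaultdict(float)
    for d in drivers:
        driver_count[d[dimension]] += 1
    for driver_id, amount in claims:
        value = attrs[driver_id][dimension]  # KeyError if a claim names an unknown driver
        claim_count[value] += 1
        claim_amount[value] += amount
    total_amount = sum(amount for _, amount in claims)
    return {
        value: (
            driver_count[value] / len(drivers),
            claim_count[value] / len(claims),
            claim_amount[value] / total_amount,
        )
        for value in driver_count
    }


def disproportionate(drivers, claims, dimension, factor=1.5):
    """Values of `dimension` whose claim share exceeds their driver share by at
    least `factor`, by count or by amount. The factor is an assumed screening
    threshold, not one the framework prescribes."""
    flagged = {}
    for value, (driver_share, count_share, amount_share) in shares_by(drivers, claims, dimension).items():
        count_ratio = count_share / driver_share
        amount_ratio = amount_share / driver_share
        if count_ratio >= factor or amount_ratio >= factor:
            flagged[value] = {"count_ratio": round(count_ratio, 2), "amount_ratio": round(amount_ratio, 2)}
    return flagged


def root_cause_candidates(drivers, claims, factor=1.5):
    """Screen every dimension; dimensions with nothing flagged are omitted."""
    result = {}
    for dimension in DIMENSIONS:
        flagged = disproportionate(drivers, claims, dimension, factor)
        if flagged:
            result[dimension] = flagged
    return result


if __name__ == "__main__":
    for dimension, flagged in root_cause_candidates(DRIVERS, CLAIMS).items():
        for value, ratios in flagged.items():
            print(f"{dimension}={value}: {ratios['count_ratio']}x claims, {ratios['amount_ratio']}x losses")
```

Comparing claim share against population share, rather than counting claims alone, is what separates a genuine root-cause candidate from a large unit that simply has more drivers; with the constructed data the logistics unit and the under-25 bracket stand out, while geography does not.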

Depth, breadth, timing, and discipline in event identification vary among entities. Management selects
techniques that fit its risk management philosophy and ensures that the entity develops needed event
identification capabilities and that supporting tools are in place. Overall, event identification needs to be robust,
as it forms the basis for the risk assessment and risk response components.

Interdependencies
Events often do not occur in isolation. One event can trigger another, and events can occur concurrently. In
event identification, management should understand how events relate to one another. By assessing the
relationships, one can determine where risk management efforts are best directed. For example, a change in a
central bank interest rate affects foreign exchange rates relevant to a company’s currency transaction gains and
losses. A decision to curtail capital investment defers an upgrade to distribution management systems, causing
additional downtime and increased operating costs. A decision to expand marketing training may improve sales
capability and service quality, resulting in an increase in frequency and volume of repeat customer orders. A
decision to enter a new line of business, with significant incentives tied to reported performance, can increase
risks of error in application of accounting principles and of fraudulent reporting.

Event Categories
It may be useful to group potential events into categories. By aggregating events horizontally across an entity
and vertically within operating units, management develops an understanding of relationships between events,
gaining enhanced information as a basis for risk assessment. By grouping similar events, management can
better determine opportunities and risks.

Event categorization also allows management to consider the completeness of its event identification efforts.
For instance, a company may have categorized events related to creditor collections into a single category
called creditor defaults. By examining the events in this category, management can gauge whether it has
identified all significant potential events related to creditor defaults.

Some companies develop event categories based on categorization of their objectives, using a hierarchy that
begins with high-level objectives and then cascades down to objectives relevant to organizational units,
functions, or business processes.

Exhibit 4.2 illustrates one approach used in establishing event categories within the context of broad internal and
external factors.

Exhibit 4.2
Event Categories

External Factors

Economic
• Capital availability
• Credit issuance, default
• Concentration
• Liquidity
• Financial markets
• Unemployment
• Competition
• Mergers/acquisitions

Natural Environment
• Emissions and waste
• Energy
• Natural disaster
• Sustainable development

Political
• Governmental changes
• Legislation
• Public policy
• Regulation

Social
• Demographics
• Consumer behavior
• Corporate citizenship
• Privacy
• Terrorism

Technological
• Interruptions
• Electronic commerce
• External data
• Emerging technology

Internal Factors

Infrastructure
• Availability of assets
• Capability of assets
• Access to capital
• Complexity

Personnel
• Employee capability
• Fraudulent activity
• Health and safety

Process
• Capacity
• Design
• Execution
• Suppliers/dependencies

Technology
• Data integrity
• Data and system availability
• System selection
• Development
• Deployment
• Maintenance

Distinguishing Risks and Opportunities
Events, if they occur, have a negative impact, a positive impact, or both. Events with a negative impact
represent risks, which require management’s assessment and response. Accordingly, risk is the possibility that
an event will occur and adversely affect the achievement of objectives.

Events with a positive impact represent opportunities, or offset the negative impact of risks. Opportunity is the
possibility that an event will occur and positively affect the achievement of objectives and creation of value.
Events representing opportunities are channeled back to management’s strategy or objective-setting processes,
so that actions can be formulated to seize the opportunities. Events offsetting the negative impact of risks are
considered in management’s risk assessment and response.

5. Risk Assessment

Chapter Summary: Risk assessment allows an entity to consider the extent to which potential events have an
impact on achievement of objectives. Management assesses events from two perspectives – likelihood and
impact – and normally uses a combination of qualitative and quantitative methods. The positive and negative
impacts of potential events should be examined, individually or by category, across the entity. Risks are
assessed on both an inherent and a residual basis.

Context for Risk Assessment
External and internal factors influence which events may occur and to what extent the events will affect an
entity’s objectives. Although some factors are common to companies in an industry, the resulting events often
are unique to a particular entity, because of its established objectives and past choices. In risk assessment
management considers the mix of potential future events relevant to the entity and its activities in the context of
matters that shape the entity’s risk profile, such as entity size, complexity of operations, and degree of regulation
over its activities.

In assessing risk, management considers expected and unexpected events. Many events are routine and
recurring, and are already addressed in management programs and operating budgets, while others are
unexpected. Management assesses the risk of unexpected potential events and, if it has not already done so,
expected events that can have a significant impact on the entity.

Although the term “risk assessment” sometimes has been used in connection with a one-time activity, in the
context of enterprise risk management the risk assessment component is a continuous and iterative interplay of
actions that take place throughout the entity.

Inherent and Residual Risk
Management considers both inherent and residual risk. Inherent risk is the risk to an entity in the absence of
any actions management might take to alter either the risk’s likelihood or impact. Residual risk is the risk that
remains after management’s response to the risk. Risk assessment is applied first to inherent risks. Once risk
responses have been developed, management then considers residual risk.

Estimating Likelihood and Impact
Uncertainty of potential events is evaluated from two perspectives – likelihood and impact. Likelihood
represents the possibility that a given event will occur, while impact represents its effect. Likelihood and impact
are commonly used terms, although some entities use terms such as probability, and severity, seriousness, or
consequence. Sometimes the words take on more specific connotations, with “likelihood” indicating the
possibility that a given event will occur in qualitative terms such as high, medium, and low, or other judgmental
scales, and with “probability” indicating a quantitative measure such as a percentage, frequency of occurrence,
or other numerical metric.

Determining how much attention should be given to assessing the array of risks an entity faces is difficult and
challenging. Management recognizes that a risk with a low likelihood of occurrence and little potential impact
generally does not warrant further consideration. On the other hand, a risk with high likelihood of occurrence
and significant potential impact demands considerable attention. Circumstances in between these extremes
usually require difficult judgments. It is important that the analysis be rational and careful.

The time horizon used to assess risks should be consistent with the time horizon of the related strategy and
objectives. Because many entities’ strategy and objectives focus on short to mid-term time horizons,
management naturally focuses on risks associated with those time frames. However, some aspects of strategic
direction and objectives extend to the longer term. As a result, management needs to be cognizant of the longer
timeframes and not ignore risks that might be further out.

For example, a company operating in California may consider the risk of an earthquake disrupting its business
operations. Without a specified risk assessment time horizon, the likelihood of an earthquake exceeding 6.0 on
the Richter scale is high, perhaps virtually certain. On the other hand, the likelihood of such an earthquake
occurring within two years is substantially lower. By establishing a time horizon, the entity gains greater insight
into the relative importance of the risk and an enhanced ability to compare multiple risks.

Management often uses performance measures in determining the extent to which objectives are being
achieved and normally uses the same, or congruent, unit of measure when considering the potential impact of a
risk on the achievement of a specified objective. A company, for example, with an objective of maintaining a
specified level of customer service will have devised a rating or other measure for that objective – such as a
customer satisfaction index, number of complaints, or measure of repeat business. When assessing the impact
of a risk that might affect customer service – such as the possibility that the company’s website might be
unavailable for a time period – impact is best determined using the same measures.
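The points made in this section and the one before it (inherent versus residual risk, likelihood and impact, a qualitative scale beside a probability, an explicit time horizon, and impact expressed in the objective's own unit) can be put into a small model. The following Python is an added illustration, not material from the framework. The earthquake rate, the Poisson model behind the horizon conversion, the cut-offs for the high/medium/low scale, the website-outage figures and the multiplicative response model are all assumptions constructed for the example.

```python
"""Likelihood and impact with an explicit time horizon; inherent versus residual risk.

Added illustration (not COSO's own material). Rates, scale thresholds and the
outage figures are assumptions constructed for the example.
"""
import math
from dataclasses import dataclass


def probability_within_horizon(annual_rate, years):
    """Probability of at least one event within `years`, treating occurrences as
    a Poisson process with the given mean annual rate (an assumed model)."""
    if annual_rate < 0 or years < 0:
        raise ValueError("rate and horizon must be non-negative")
    return 1.0 - math.exp(-annual_rate * years)


def likelihood_band(probability):
    """Map a probability onto the high/medium/low scale the text mentions.
    The cut-offs (50% and 10%) are assumptions; each entity sets its own."""
    if probability >= 0.5:
        return "high"
    if probability >= 0.1:
        return "medium"
    return "low"


def attention_level(likelihood, impact):
    """Where to spend assessment effort: low/low needs no further consideration,
    high/high demands considerable attention, anything in between is a judgment call."""
    if likelihood == "low" and impact == "low":
        return "no further consideration"
    if likelihood == "high" and impact == "high":
        return "considerable attention"
    return "judgment required"


@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: float  # probability of occurrence within the assessment horizon
    impact: float      # effect, in the unit the related objective is measured in
    unit: str          # e.g. "customer complaints"


def expected_impact(risk):
    """Likelihood-weighted impact, in the objective's own unit."""
    return risk.likelihood * risk.impact


def apply_response(risk, likelihood_factor=1.0, impact_factor=1.0):
    """Residual risk: the inherent risk after a response that scales likelihood
    and/or impact (a simple multiplicative model assumed for the example)."""
    return Risk(risk.name, risk.likelihood * likelihood_factor, risk.impact * impact_factor, risk.unit)


if __name__ == "__main__":
    # Constructed: a magnitude 6.0+ earthquake rate of 0.25 per year near the site.
    open_ended = probability_within_horizon(0.25, 50)  # no practical horizon: virtually certain
    two_years = probability_within_horizon(0.25, 2)    # within the strategy's horizon
    print(f"50-year: {open_ended:.3f} ({likelihood_band(open_ended)}), "
          f"2-year: {two_years:.3f} ({likelihood_band(two_years)})")

    # Constructed: a website outage, with impact in the customer-service objective's own unit.
    inherent = Risk("website unavailable", 0.6, 400.0, "customer complaints")
    residual = apply_response(inherent, impact_factor=0.25)  # e.g. failover shortens the outage
    print(f"inherent {expected_impact(inherent):.0f} vs residual "
          f"{expected_impact(residual):.0f} {inherent.unit}")
```

The same event rate gives a "high" band over an open-ended horizon and a "medium" band over two years, which is exactly why the text insists the assessment horizon match the strategy's; and because impact is carried in the objective's unit throughout, the inherent and residual figures can be compared directly with the performance measure for that objective.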

Data Sources
Estimates of risk likelihood and impact often are determined using data from past observable events, which
provide a more objective basis than entirely subjective estimates. Internally generated data based on an entity’s
own experience may reflect less subjective personal bias and provide better results than data from external
sources. However, even where internally generated data is a primary input, external data can be useful as a
checkpoint or to enhance the analysis. For example, a company’s management assessing the risk of production
stoppages because of equipment failure looks first at frequency and impact of previous failures of its own
manufacturing equipment. It then supplements that data with industry benchmarks. This allows a more precise
estimate of likelihood and impact of failure, enabling more effective preventive maintenance scheduling. Caution
should be exercised when using past events to make predictions about the future, as factors influencing events
may change over time.

Perspective
Managers often make subjective judgments about uncertainty, and in doing so they should recognize inherent
limitations. Findings in psychology research indicate that decision makers in a variety of capacities, including
business managers, are overconfident in their estimation abilities and do not recognize the amount of
uncertainty that actually exists. Studies show a marked “overconfidence bias,” leading to inappropriately narrow
confidence intervals around estimated amounts or likelihoods as applied, for example, in value-at-risk
methodologies. This tendency toward overconfidence in estimating uncertainty can be minimized by effective
use of internally or externally generated empirical data. In the absence of such data, a keen awareness of the
pervasiveness of the bias can help mitigate the effects of overconfidence.

Human tendencies around decision making are exhibited in another way, where it is not uncommon for
personnel to make different choices in pursuit of gains versus avoiding losses. By recognizing these human
tendencies, managers can frame information to reinforce the risk appetite and behavior throughout the entity.
How information is presented or “framed” can significantly affect how the information is interpreted and how the
associated risks or opportunities are viewed, as highlighted in Exhibit 5.1.

Exhibit 5.1

Individuals have different responses to potential losses compared with potential gains. How a risk is framed –
focusing on the upside (a potential gain) or downside (a potential loss) – often will influence the response.
Prospect theory, which explores human decision making, says that individuals are not risk neutral; rather, a
response to loss tends to be more extreme than a response to gain. And with this comes a tendency to
misinterpret probabilities and best solution reactions. To illustrate, an individual is confronted with two sets of
choices:

1. A sure gain of $240, or a 25% chance to gain $1,000 and a 75% chance to gain nothing.

2. A sure loss of $750, or a 75% chance to lose $1,000 and a 25% chance to lose nothing.

In the first set of choices, most people select a “sure gain of $240,” due to tendencies to be risk averse concerning
gain and positively framed questions. In contrast, most people select a “75% chance to lose $1,000,” due to a
tendency to be risk seeking concerning losses and negatively framed questions. Prospect theory holds that
people do not want to put at risk what they already have or think they can have, but they will have higher risk
tolerances when they think they can minimize losses.

Assessment Techniques
An entity’s risk assessment methodology comprises a combination of qualitative and quantitative techniques.
Management often uses qualitative assessment techniques where risks do not lend themselves to quantification
or when either sufficient credible data required for quantitative assessments is not practically available or
obtaining or analyzing data is not cost-effective. Quantitative techniques typically bring more precision and are
used in more complex and sophisticated activities to supplement qualitative techniques.

Quantitative assessment techniques usually require a higher degree of effort and rigor, sometimes using
mathematical models. Quantitative techniques are highly dependent on the quality of the supporting data and
assumptions, and are most relevant for exposures that have a known history and frequency of variability and
allow reliable forecasting. Exhibit 5.2 provides examples of quantitative risk assessment techniques.

Exhibit 5.2

• Benchmarking – A collaborative process among a group of entities, benchmarking focuses on specific events or
processes, compares measures and results using common metrics, and identifies improvement opportunities.
Data on events, processes, and measures are developed to compare performance. Some companies use
benchmarking to assess the likelihood and impact of potential events across an industry.
• Probabilistic Models – Probabilistic models associate a range of events and the resulting impact with the
likelihood of those events based on certain assumptions. Likelihood and impact are assessed based on historical
data or simulated outcomes reflecting assumptions of future behavior. Examples of probabilistic models include
value at risk, cash flow at risk, earnings at risk, and development of credit and operational loss distributions.
Probabilistic models may be used with different time horizons to estimate such outcomes as the range of values
of financial instruments over time. Probabilistic models also may be used to assess expected or average
outcomes versus extreme or unexpected impacts.
• Non-probabilistic Models – Non-probabilistic models use subjective assumptions in estimating the impact of
events without quantifying an associated likelihood. Assessing the impact of events is based on historical or
simulated data and assumptions of future behavior. Examples of non-probabilistic models include sensitivity
measures, stress tests, and scenario analyses.
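The distinction Exhibit 5.2 draws between probabilistic techniques (a likelihood is attached to each outcome) and non-probabilistic ones (an assumed shock with no likelihood) is shown below in an added example that is not part of the COSO text; the daily P&L series, the positions and the shock percentages are constructed for illustration.

```python
"""Added example, not part of the COSO text: the probabilistic and
non-probabilistic techniques listed in Exhibit 5.2 applied to constructed
data. All P&L figures, positions and shocks below are invented."""
import math
from statistics import mean

# Constructed: 20 daily profit/loss observations for one trading desk,
# in thousands of dollars (negative = loss).
DAILY_PNL = [12.0, -8.5, 3.2, -15.0, 7.7, -2.1, 0.4, -22.0, 9.9, -4.4,
             5.5, -11.2, 1.8, -30.0, 6.3, -1.0, 2.2, -6.6, 8.1, -3.3]

# Constructed: mark-to-market positions, in thousands of dollars.
POSITIONS = {"equities": 400.0, "corporate_bonds": 250.0, "fx_forwards": 120.0}


def _var_rank(pnl, confidence):
    """Index into the ascending loss list at the requested confidence.
    round() strips float noise so 0.95 * 20 lands on 19, not 18.99..."""
    return math.ceil(round(confidence * len(pnl), 9)) - 1


def historical_var(pnl, confidence=0.95):
    """Probabilistic: value at risk by historical simulation. Returns the
    loss (positive number) that the empirical distribution exceeds with
    probability 1 - confidence, so a likelihood is attached to it."""
    losses = sorted(-x for x in pnl)
    return max(losses[_var_rank(pnl, confidence)], 0.0)


def tail_mean(pnl, confidence=0.95):
    """Probabilistic: average of the losses at or beyond the VaR quantile,
    the 'extreme or unexpected' outcome the text contrasts with the average."""
    losses = sorted(-x for x in pnl)
    return mean(losses[_var_rank(pnl, confidence):])


def expected_outcome(pnl):
    """Probabilistic: the expected (average) daily outcome."""
    return mean(pnl)


def stress_test(positions, shocks):
    """Non-probabilistic: loss under an assumed set of percentage moves.
    No likelihood is attached; the shocks are management's assumptions."""
    return -sum(value * shocks.get(name, 0.0) for name, value in positions.items())


def sensitivity(positions, step=0.01):
    """Non-probabilistic: loss per `step` (1% by default) adverse move in
    each position, with no view on how likely such a move is."""
    return {name: value * step for name, value in positions.items()}


def assessment(pnl=DAILY_PNL, positions=POSITIONS):
    """Combine both families of technique into one assessment summary."""
    severe = {"equities": -0.30, "corporate_bonds": -0.10, "fx_forwards": -0.05}
    return {
        "expected_daily_pnl": expected_outcome(pnl),
        "var_95": historical_var(pnl, 0.95),
        "tail_mean_95": tail_mean(pnl, 0.95),
        "stress_loss_severe": stress_test(positions, severe),
        "sensitivity_1pct": sensitivity(positions),
    }


if __name__ == "__main__":
    for name, value in assessment().items():
        print(f"{name}: {value}")
```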

To gain consensus on likelihood and impact using qualitative assessment techniques, entities may employ the
same approach they use in identifying events, such as interviews and workshops. A risk self-assessment
process captures participants’ views on the potential likelihood and impact of future events, using either
descriptive or numerical scales.

An entity need not use common assessment techniques across all business units. Rather, the choice of
techniques should reflect the need for precision and the culture of the business unit. In one company, for
example, in identifying and assessing risk at a process level, one business unit uses self-assessment
questionnaires while another uses workshops. The risks are assessed on an inherent and a residual basis, and
then organized and grouped by risk categories and objectives for both business units. Although different
methods are used, they provide sufficient consistency to facilitate assessment of risks across the entity.

Management is able to derive an entity-wide quantitative impact measure of an event when all of the individual
risk assessments for that event are expressed in quantitative terms. For example, the impact on gross margin of
a change in energy prices is computed across business units and an entity-wide impact is determined. Where
there is a blend of qualitative and quantitative measures, management develops a qualitative assessment
across both the qualitative and quantitative measures, with the resulting composite assessment expressed in
qualitative terms. Establishing common likelihood and impact terms across an entity and common risk
categories for qualitative measures facilitates these composite assessments of risk.

Relationships between Events
Where potential events are not related, management assesses them individually. For example, a company with
business units with exposure to different price fluctuations - such as pulp and foreign currency - would assess
the risks separately relative to market movements. But where correlation exists between events, or events
combine and interact to create significantly different probabilities or impacts, management assesses them
together. While the impact of a single event might be slight, the impact of a sequence or combination of events
might be more significant.

For example, a defective valve on a propane tank in a distribution warehouse allows propane to leak; the
warehouse doors are kept closed to retain heat in adjoining offices; the driver of an approaching truck activates
a remote control device to open the warehouse doors. Together, the presence of propane gas and spark
caused by the garage-door motor results in an explosion. These distinct events interact and result in a
significant risk. In another example, a company enters a foreign market with new locally hired managers,
untested reporting systems, and little basis for central management to judge relative performance, with a
resulting significant risk of erroneous or fraudulent reporting.

Where risks are likely to affect multiple business units, management may group them into common event
categories, and consider them first by unit and then together on an entity-wide basis. For example, a financial
services company’s business units are subject to risk of a change in government interest rates, and its
management assesses the risk not only on each individual business unit but also on a combined, entity-wide
basis. A manufacturing company has multiple business units, each with exposure to gold price fluctuations;
management aggregates the risk of potential shifts in the price of gold into a single measure showing the net
effect of a $1/ounce shift on its total gold inventory.

The nature of events, and whether they are related, may affect assessment techniques used. For example, in
assessing the impact of events that could have extreme impact, management may use stress testing, whereas
in assessing the effects of multiple events, management might find simulations or scenario analysis more useful.

Looking at interrelationships of risk likelihood and impact is an important management responsibility. Effective
enterprise risk management requires that risk assessment be done both with respect to inherent risk and also
following risk response, as discussed in the next chapter.

6. Risk Response

Chapter Summary: Having assessed relevant risks, management determines how it will respond. Responses include
risk avoidance, reduction, sharing, and acceptance. In considering its response, management assesses the effect
on risk likelihood and impact, as well as costs and benefits, selecting a response that brings residual risk within
desired risk tolerances. Management identifies any opportunities that might be available, and takes an
entity-wide, or portfolio, view of risk, determining whether overall residual risk is within the entity’s risk appetite.

Risk responses fall within the following categories:

• Avoidance – Exiting the activities giving rise to risk. Risk avoidance may involve exiting a product line, declining
expansion to a new geographical market, or selling a division.
• Reduction – Action is taken to reduce risk likelihood or impact, or both. This typically involves any of a myriad of
everyday business decisions.
• Sharing – Reducing risk likelihood or impact by transferring or otherwise sharing a portion of the risk. Common
techniques include purchasing insurance products, engaging in hedging transactions, or outsourcing an activity.
• Acceptance – No action is taken to affect risk likelihood or impact.

Exhibit 6.1 provides examples of how these risk responses are applied.

Exhibit 6.1

Avoidance – A not-for-profit organization identified and assessed risks of providing direct medical services to its
members and decided not to accept the associated risks. It decided instead to provide a referral service.

Reduction – A stock-clearing corporation identified and assessed the risk of its systems not being available for
more than three hours and concluded that it would not accept the impact of such an occurrence. The company
invested in technology with enhanced failure self-detecting and back-up systems to reduce the likelihood of
system unavailability.

Sharing – A university identified and assessed the risk associated with managing its student dormitories and
concluded it did not have the requisite in-house capabilities to effectively manage these large residential
properties. The university outsourced the dorm management to a property management company better able to
reduce the impact and likelihood of property-related risks.

Acceptance – A government agency identified and assessed the risks of fire to its infrastructure across diverse
geographical regions and assessed the cost of sharing the impact of its risk through insurance coverage. It
concluded that the incremental cost of insurance and related deductibles exceeded the likely cost of replacement
and decided to accept this risk.

The avoidance response suggests that no response option was identified that would reduce the impact and
likelihood to an acceptable level. Reduction and sharing responses reduce residual risk to a level aligned with
desired risk tolerances, while an acceptance response suggests that inherent risk already is within risk
tolerances.

For many risks, appropriate response options are obvious and well accepted. For instance, for the risk of losing
computing availability, a typical response option is implementation of a business continuity plan. For other risks,
available options might not be readily apparent, requiring investigation and analysis. For example, response
options relevant to mitigating the effect of competitor activities on brand value might require market research and
analysis.

In determining risk response, management should consider such things as:

• Effects of potential responses on risk likelihood and impact – and which response options align with the entity’s
risk tolerances
• Costs versus benefits of potential responses
• Possible opportunities to achieve entity objectives going beyond dealing with the specific risk

For significant risks, an entity typically considers potential responses from a range of response options. This
gives depth to response selection and challenges the “status quo.”

Evaluating Possible Responses
Inherent risks are analyzed and responses evaluated with the intent of achieving a residual risk level aligned
with the entity’s risk tolerances. Often, any of several responses will bring residual risk in line with risk
tolerances, and sometimes a combination of responses provides the optimum result. Conversely, sometimes
one response will affect multiple risks, in which case management may decide that additional actions to address
a particular risk are not needed.

Evaluating Effect on Risk Likelihood and Impact

In evaluating response options, management considers the effect on both risk likelihood and impact, recognizing
that a response might affect likelihood and impact differently. For example, a company with a computer center
located in a region with heavy storm activity establishes a business continuity plan, which, while having no effect
on likelihood of a storm, mitigates the impact of building damage or personnel being unable to get to work. On
the other hand, the choice to move the computer center to another region will not reduce the impact of a
comparable storm, but does reduce the likelihood of a storm occurring in the first place.

In analyzing responses, management may consider past events and trends, and potential future scenarios. In
evaluating alternative responses, management typically determines their potential effect using the same, or
congruent, units of measure as those used for the related objective.

Assessing Costs versus Benefits

Resources always have constraints, and entities must consider the relative costs and benefits of alternative risk
response options. Cost and benefit measurements for implementing risk responses are made with varying
levels of precision. Generally, it is easier to deal with the cost side of the equation, which, in many cases, can
be quantified fairly precisely. All direct costs associated with instituting a response, and indirect costs where
practically measurable, usually are considered. Some entities also include opportunity costs associated with use
of resources.

In some cases, however, it is difficult to quantify costs of risk response. Challenges in quantification arise in
estimating time and effort associated with a particular response, as may be the case, for example, in capturing
market intelligence on evolving customer preferences, competitors’ activities, or other externally generated
information.

The benefit side often involves even more subjective valuation. For example, benefits of effective training
programs usually are apparent, but difficult to quantify. In many cases, however, the benefit of a risk response
can be evaluated in the context of the benefit associated with achievement of the related objective.

When considering cost–benefit relationships, looking at risks as interrelated allows management to pool the
entity’s risk reduction and risk sharing responses. For instance, when sharing risk via insurance, it may be
beneficial to combine risks under one policy since pricing usually is reduced when combined exposures are
insured under one financing arrangement.

Opportunities in Response Options

The event identification chapter describes how management identifies potential events affecting achievement of
entity objectives, either positively or negatively. Events with positive impacts represent opportunities and are
channeled back to the strategy or objective-setting processes.

Similarly, opportunities may be identified when considering risk response. Risk response considerations should
not be limited solely to reducing identified risks, but also should include consideration of new opportunities for
the entity. Management may identify innovative responses, which, while fitting within the response categories
described earlier in this chapter, may be entirely new to the entity or even an industry. Such opportunities may
surface when existing risk response options are reaching the limit of effectiveness, and when further refinements
likely will provide only marginal changes to a risk impact or likelihood. An example is the creative response by
an automobile insurance company to the high number of accidents at certain road intersections - it decided to
fund enhancements to traffic signal lights, reducing accident claims and improving margins.

Selected Responses
Once the effects of alternative risk responses have been evaluated, management decides how it intends to
manage the risk, selecting a response or combination of responses designed to bring risk likelihood and impact
within risk tolerances. The response need not necessarily result in the least amount of residual risk. But where
a risk response would result in residual risk exceeding risk tolerance, management revisits and revises the
response accordingly or, in certain instances, reconsiders the established risk tolerance. Accordingly, the
balancing of risk and risk tolerance may involve an iterative process.

Evaluating alternative responses to inherent risk requires consideration of additional risks that might result from
a response. This also may prompt an iterative process whereby before management finalizes a decision, it
considers these additional risks, including any that might not be immediately evident.

Once management selects a response, it may need to develop an implementation plan to execute the
response. A critical part of an implementation plan is establishing control activities (discussed in the next
chapter) to ensure the risk response is carried out.

Management recognizes that some level of residual risk will always exist, not only because resources are
limited, but also because of future uncertainty and limitations inherent in all activities.

Portfolio View
Enterprise risk management requires that risk be considered from an entity-wide, or portfolio, perspective.
Management typically takes an approach in which risk first is considered for each business unit, department, or
function, with the responsible manager developing a composite assessment of risks for the unit reflecting the
unit’s residual risk profile relative to its objectives and risk tolerances.

With a view of risk for individual units, an enterprise’s senior management is well positioned to take a portfolio
view, to determine whether the entity’s residual risk profile is commensurate with its overall risk appetite relative
to its objectives. Risks in different units may be within the risk tolerances of the individual units, but, taken
together, risks might exceed the risk appetite of the entity as a whole, in which case additional or different risk
response is needed to bring risk within the entity’s risk appetite. Conversely, risks may naturally offset across
the entity where, for example, some individual units have higher risk while others are relatively risk averse, such
that overall risk is within the entity’s risk appetite, obviating the need for a different risk response.
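The two situations described above (units each within their own tolerance while the entity as a whole exceeds its appetite, and exposures that naturally offset across units) and the gold-price example from the risk assessment chapter, where management nets the effect of a $1/ounce shift across business units, are worked through below in an added example that is not part of the COSO text. The business units, their net gold positions, tolerances and the entity appetite are constructed figures.

```python
"""Added example, not part of the COSO text: rolling unit-level exposure to
one market factor (gold price) into a portfolio view. Constructed figures:
each unit's net gold position in thousands of ounces (positive = inventory
that loses value when gold falls, negative = forward sales that gain), the
unit's own tolerance and the entity's appetite, both stated as the largest
acceptable earnings impact, in thousands of dollars, per $1/ounce shift."""
from dataclasses import dataclass


@dataclass(frozen=True)
class UnitExposure:
    unit: str
    net_koz: float      # thousand ounces; impact per $1/oz move = net_koz ($ thousand)
    tolerance: float    # unit-level tolerance, $ thousand per $1/oz move


def unit_impacts(exposures, shift=-1.0):
    """Earnings impact (thousand $) on each unit for a `shift` in $/ounce.
    A price fall hurts inventory holders and helps forward sellers."""
    return {e.unit: e.net_koz * shift for e in exposures}


def portfolio_view(exposures, appetite, shift=-1.0):
    """Assess each unit against its own tolerance, then the entity as a whole
    against its appetite using the aggregated (net) impact, and report the
    gross impact alongside so offsets between units are visible."""
    impacts = unit_impacts(exposures, shift)
    scale = abs(shift)   # tolerances and appetite are stated per $1/oz
    per_unit = {e.unit: abs(impacts[e.unit]) <= e.tolerance * scale
                for e in exposures}
    net = sum(impacts.values())
    gross = sum(abs(v) for v in impacts.values())
    return {
        "impacts": impacts,
        "unit_within_tolerance": per_unit,
        "net_impact": net,
        "gross_impact": gross,
        "entity_within_appetite": abs(net) <= appetite * scale,
    }


# Constructed: three units that all hold inventory, so nothing offsets.
ALL_LONG = [UnitExposure("refining", 60.0, 80.0),
            UnitExposure("jewelry", 50.0, 80.0),
            UnitExposure("electronics", 40.0, 80.0)]

# Constructed: the same units, but jewelry has sold forward more than it holds.
OFFSETTING = [UnitExposure("refining", 60.0, 80.0),
              UnitExposure("jewelry", -45.0, 80.0),
              UnitExposure("electronics", 40.0, 80.0)]

ENTITY_APPETITE = 120.0   # thousand $ per $1/oz adverse shift


if __name__ == "__main__":
    for label, book in (("all long", ALL_LONG), ("offsetting", OFFSETTING)):
        view = portfolio_view(book, ENTITY_APPETITE)
        print(label, view["unit_within_tolerance"],
              "net:", view["net_impact"], "gross:", view["gross_impact"],
              "entity within appetite:", view["entity_within_appetite"])
```

In the first book every unit passes its own check yet the net $150k per $1/ounce exceeds the $120k appetite; in the second the forward sales in one unit offset inventory elsewhere and the entity is within appetite even though the gross exposure is almost unchanged.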

A portfolio view of risk can be depicted in any of a variety of ways. A portfolio view may be gained by focusing
on major risks or event categories across business units, or on risk for the company as a whole, using such
metrics as risk-adjusted capital or capital at risk. Such composite measures are particularly useful when
measuring risk against objectives stated in terms of earnings, growth, and other performance measures,
sometimes relative to allocated or available capital. Such portfolio view measures can provide information useful
in reallocating capital across business units and modifying strategic direction.

One example is a manufacturing company that takes a portfolio view of risk in the context of its operating
earnings objective. Management uses common event categories to capture risks across its business units. It
then develops a graph showing, by category and business unit, the risk likelihood in terms of frequency on a
time horizon, and the relative impacts on earnings. The result is a composite, or portfolio, view of risk the
company faces, with management and the board positioned to consider the nature, likelihood, and relative size
of risks, and how they may affect the company’s earnings.

Another example is a financial institution that calls on business units to establish objectives, risk tolerances, and
performance measures all in terms of risk-adjusted return on capital. This consistently applied metric facilitates
management’s rolling up units’ combined risk assessments into a portfolio view of risk for the institution as a
whole, enabling management to consider the units’ risks, by objective, and determine whether the entity is within
its risk appetite.

When looking at risk from a portfolio perspective, management is positioned to consider whether it remains within
the established risk appetite. Further, it can reevaluate the nature and type of risk it wishes to take. In cases
where the portfolio view shows risks significantly less than the entity’s risk appetite, management may decide to

motivate individual business unit managers to accept greater risk in targeted areas, striving to enhance the
entity’s overall growth and return.

7. Control Activities

Chapter Summary: Control activities are the policies and procedures that help ensure that management’s risk
responses are carried out. Control activities occur throughout the organization, at all levels and in all functions.
They include a range of activities – as diverse as approvals, authorizations, verifications, reconciliations, reviews
of operating performance, security of assets, and segregation of duties.

Control activities are policies and procedures, which are the actions of people to implement the policies, directly
or through application of technology, to help ensure that management’s risk responses are carried out. Control
activities can be categorized based on the nature of the entity’s objectives to which they relate: strategic,
operations, reporting, and compliance.

Although some control activities relate solely to one category, there often is overlap. Depending on
circumstances, a particular control activity could help satisfy entity objectives in more than one of the
categories. For example, certain operations controls also can help ensure reliable reporting, reporting control
activities can serve to effect compliance, and so on.

Integration with Risk Response

Having selected risk responses, management identifies control activities needed to help ensure that the risk
responses are carried out properly and in a timely manner.

Linkage of objectives, risk responses, and control activities is illustrated in the following example: A company
sets an objective to meet or exceed sales targets, identifying as a risk failing to have sufficient knowledge of
external factors such as current and potential customers’ needs. To reduce the likelihood of occurrence and
impact of the risk, management establishes buying histories of existing customers and undertakes new market
research initiatives. These risk responses serve as focal points for the establishment of control activities,
including tracking progress of development of customer buying histories against established timetables, and
taking steps to ensure the accuracy of reported data. In this sense, control activities are built directly into the
management process.

In selecting control activities, management considers how control activities are related to one another. In some
instances, a single control activity addresses multiple risk responses. In other instances, multiple control
activities are needed for one risk response. In still others, management might find that existing control activities
are sufficient to ensure that new risk responses are executed effectively.

While control activities generally are established to ensure risk responses are appropriately carried out, with
respect to certain objectives, control activities themselves are the risk response. For instance, for an objective to
ensure specified transactions are properly authorized, the response will likely be control activities such as
segregation of duties and approvals by supervisory personnel.

Just as selection of risk responses considers their appropriateness and remaining, or residual, risk, selection or
review of control activities should include consideration of their relevance and appropriateness to the risk
response and related objective. This may be accomplished by separate consideration of the propriety of the
control activities, or by considering residual risk in the context of both the risk response and related control
activities.

Control activities are an important part of the process by which an enterprise strives to achieve its business
objectives. Control activities are not performed simply for their own sake or because it seems to be the “right or
proper” thing to do. In the example above, management needs to take steps to ensure that sales targets are
met. Control activities serve as mechanisms for managing the achievement of that objective.

Types of Control Activities

Many different descriptions of types of control activities have been put forth, including preventive, detective,
manual, computer, and management controls. Control activities also can be typed by specified control
objectives, such as ensuring completeness and accuracy of data processing.

Exhibit 7.1 describes commonly used control activities. These are just a few among many procedures
commonly performed by personnel at various organizational levels that serve to enforce adherence to
established action plans and to keep entities on track toward achieving their objectives. They are presented to
illustrate the range and variety of control activities, not to suggest any particular categorization.

Exhibit 7.1

• Top-level reviews – Senior management reviews actual performance versus budgets, forecasts, prior periods,
and competitors. Major initiatives are tracked – such as marketing thrusts, improved production processes, and
cost containment or reduction programs – to measure the extent to which targets are being reached.
Implementation of plans is monitored for new product development, joint ventures, or financing.
• Direct functional or activity management – Managers running functions or activities review performance
reports. A manager responsible for a bank’s consumer loans reviews reports by branch, region, and loan
(collateral) type, checking summarizations and identifying trends, and relating results to economic statistics and
targets. In turn, branch managers receive data on new business by loan-officer and local-customer segment.
Branch managers also focus on compliance issues, reviewing reports required by regulators on new deposits over
specified amounts. Reconciliations are made of daily cash flows, with net positions reported centrally for
overnight transfer and investment.
• Information processing – A variety of controls are performed to check accuracy, completeness, and
authorization of transactions. Data entered are subject to on-line edit checks or matching to approved control
files. A customer’s order, for example, is accepted only after reference to an approved customer file and credit
limit. Numerical sequences of transactions are accounted for, with exceptions followed up and reported to
supervisors. Development of new systems and changes to existing ones are controlled, as is access to data,
files, and programs.
• Physical controls – Equipment, inventories, securities, cash, and other assets are physically secured and
periodically counted and compared with amounts shown on control records.
• Performance indicators – Relating different sets of data – operating or financial – to one another, together with
analyses of the relationships and investigative and corrective actions, serves as a control activity. Performance
indicators include, for example, staff turnover rates by unit. By investigating unexpected results or unusual trends,
management identifies circumstances where an insufficient capacity to complete key processes may mean that
objectives have a lower likelihood of being achieved. How managers use this information – for operating decisions
only, or also to follow up on unexpected results in reporting systems – determines whether analysis of performance
indicators serves operational purposes alone or reporting control purposes as well.
• Segregation of duties – Duties are divided, or segregated, among different people to reduce the risk of error or
fraud. For instance, responsibilities for authorizing transactions, recording them, and handling the related asset
are divided. A manager authorizing credit sales would not be responsible for maintaining accounts receivable
records or handling cash receipts. Similarly, salespersons would not have the ability to modify product price files
or commission rates.
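The segregation-of-duties item in Exhibit 7.1 is expressed as an access-review check below, in an added example that is not part of the COSO text. The conflicting duty pairs follow the exhibit's wording (authorizing, recording and handling the asset; authorizing credit sales versus receivables or cash receipts; selling versus editing price files or commission rates); the role catalogue, duty names and user assignments are constructed.

```python
"""Added example, not part of the COSO text: a segregation-of-duties (SoD)
check over constructed role and user data. The conflicting duty pairs are
taken from the Exhibit 7.1 description; role names, duty names and users
are invented. Two controls are shown: a detective review of existing
assignments and a preventive check applied before a role is granted."""

# Duty pairs one person must not hold together (constructed names).
CONFLICTING_DUTIES = {
    frozenset({"authorize_transaction", "record_transaction"}),
    frozenset({"authorize_transaction", "handle_asset"}),
    frozenset({"record_transaction", "handle_asset"}),
    frozenset({"authorize_credit_sale", "maintain_receivables"}),
    frozenset({"authorize_credit_sale", "handle_cash_receipts"}),
    frozenset({"sell", "modify_price_file"}),
    frozenset({"sell", "modify_commission_rates"}),
}

# Constructed role catalogue: role -> duties the role confers.
ROLE_DUTIES = {
    "credit_manager": {"authorize_credit_sale"},
    "ar_clerk": {"maintain_receivables", "record_transaction"},
    "cashier": {"handle_cash_receipts", "handle_asset"},
    "sales_rep": {"sell"},
    "pricing_admin": {"modify_price_file", "modify_commission_rates"},
    "treasury_approver": {"authorize_transaction"},
}


def duties_for(roles):
    """Flatten a user's roles into the set of duties they confer."""
    return set().union(*(ROLE_DUTIES[r] for r in roles))


def conflicts_in(duties):
    """Every conflicting pair fully present in one person's duty set,
    returned as sorted tuples so results are stable for reporting."""
    return sorted(tuple(sorted(pair)) for pair in CONFLICTING_DUTIES
                  if pair <= duties)


def review_assignments(assignments):
    """Detective control: periodic review of who holds what. Returns only
    the users with at least one conflict, mapped to their conflict pairs."""
    findings = {}
    for user, roles in assignments.items():
        found = conflicts_in(duties_for(roles))
        if found:
            findings[user] = found
    return findings


def can_grant(current_roles, new_role):
    """Preventive control: refuse a role grant that would create a conflict
    with the duties the user already holds."""
    return not conflicts_in(duties_for(set(current_roles) | {new_role}))


# Constructed user-to-role assignments for the review.
ASSIGNMENTS = {
    "alice": {"credit_manager"},
    "bob": {"ar_clerk", "cashier"},           # records and handles the asset
    "carol": {"sales_rep", "pricing_admin"},  # sells and edits price files
    "dave": {"treasury_approver"},
}


if __name__ == "__main__":
    for user, pairs in review_assignments(ASSIGNMENTS).items():
        print(f"{user}: conflicting duties {pairs}")
    print("grant ar_clerk to alice:", can_grant(ASSIGNMENTS["alice"], "ar_clerk"))
```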

Often, a combination of controls is implemented to deal with related risk responses. For example, a company’s
management sets transaction limits to manage risks related to an investment portfolio, and establishes control

activities designed to help ensure the trading limits are not exceeded. Control activities include preventive
controls to stop certain transactions before execution, and detective controls to identify other transactions on a
timely basis. The control activities combine computer and manual controls, including automated controls to
ensure all information is correctly captured, and routing procedures enabling responsible individuals to authorize
or approve investment decisions.

Policies and Procedures

Control activities usually involve two elements: a policy establishing what should be done and procedures to
effect the policy. For example, a policy might call for review of customer trading activities by a securities dealer’s
retail branch manager. The procedure is the review itself, performed in a timely manner and with attention to
factors set forth in the policy, such as the nature and volume of securities traded and their relation to customer
net worth and age.

Many times, policies are communicated orally. Unwritten policies can be effective where the policy is a long-
standing and well-understood practice, and in smaller organizations where communications channels involve
few management layers and close interaction with and supervision of personnel. But regardless whether it’s
written, a policy must be implemented thoughtfully, conscientiously, and consistently. A procedure will not be
useful if performed mechanically and without a sharp, continuing focus on conditions to which the policy is
directed. Further, it is essential that conditions identified as a result of the procedure be investigated and
appropriate corrective actions taken. Follow-up actions might vary depending on the size and organizational
structure of an enterprise. They could range from formal reporting processes in a large company - where
business units state why targets were not met and what actions are being taken to prevent recurrence - to an
owner-manager of a small business walking down the hall to speak with the plant manager about what went
wrong and what needs to be done.

Controls over Information Systems

With widespread reliance on information systems to operate an enterprise and meet reporting and compliance
objectives, controls are needed over significant systems. Two broad groupings of information systems control
activities can be used. The first is general controls, which apply to many if not all application systems and help
ensure their continued, proper operation. The second is application controls, which include computerized steps
within application software to control the processing. General and application controls, combined with manual
process controls where necessary, work together to ensure completeness, accuracy, and validity of information.

General Controls

General controls include controls over information technology management, information technology
infrastructure, security management, and software acquisition, development, and maintenance. They apply to
all systems - from mainframe to client/server to desktop and portable computer environments. Exhibit 7.2
provides examples of common controls within these categories.

Exhibit 7.2
 Information technology management – A steering committee provides oversight, monitoring, and reporting of
information technology activities and improvement initiatives.
 Information technology infrastructure – Controls apply to system definition, acquisition, installation,
configuration, integration, and maintenance. Controls may include service-level agreements that establish and
reinforce system performance, business continuity planning that maintains system availability, tracking network
performance for operational failures, and scheduling computer operations. The system software component of
information technology infrastructure may include such controls as management or steering committee review and
approval of significant new acquisitions, restricting access to system configuration and operating system software,
automated reconciliations of data accessed through middleware software, and parity bit detection for
communications errors. System software controls also include incident tracking, system logging, and review of
reports detailing usage of data-altering utilities.
 Security management – Logical access controls such as secure passwords restrict access at the network,
database, and application levels. User accounts and related access privilege controls help restrict authorized
users to only applications or application functions needed to do their jobs. Internet firewalls and virtual private
networks protect data from unauthorized external access.
 Software acquisition, development, and maintenance – Controls over software acquisition and implementation
are incorporated into an established process for managing change, including documentation requirements, user
acceptance testing, stress testing, and project risk assessments. Access to source code is controlled through a
code library. Software developers work only in segregated development/test environments and do not have access
to the production environment. Controls over system changes include required authorization of change requests,
review of the changes, approvals, documentation, testing, implications of changes for other information technology
components, stress testing results, and implementation protocols.
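
The restricted-access and segregated-environment controls above are normally verified by reviewing an access entitlement export for role combinations that one person should not hold. The following is an added example written for this page, not COSO text or any vendor's tool; the (user, role, environment) record format, the role and environment names, the conflict rules and the sample export are all assumptions constructed for illustration.

```python
"""Segregation-of-duties review over an access entitlement export.

Added example; not part of the COSO text. The (user, role, environment)
record format, the role and environment names, the conflict rules and the
sample export are all assumptions constructed for illustration.
"""
from collections import defaultdict

ANY_ROLE = "*"   # wildcard: any role in the given environment
ANY_ENV = None   # wildcard: the role in any environment

# Role pairs one person must not hold at the same time, with the rationale.
# Each side is (role, environment); wildcards widen the match.
CONFLICT_RULES = [
    (("developer", ANY_ENV), (ANY_ROLE, "prod"),
     "developers must not hold any access to the production environment"),
    (("change-approver", "prod"), ("deploy-operator", "prod"),
     "whoever approves a production change must not also implement it"),
]

# Constructed entitlement export: (user, role, environment).
ENTITLEMENTS = [
    ("alice", "developer", "dev"),
    ("alice", "developer", "test"),
    ("bob", "developer", "dev"),
    ("bob", "deploy-operator", "prod"),     # developer with a path into production
    ("carol", "dba", "prod"),
    ("carol", "config-admin", "prod"),
    ("dave", "change-approver", "prod"),
    ("dave", "deploy-operator", "prod"),    # approves and implements his own changes
    ("erin", "developer", "prod"),          # developer granted production directly
]


def roles_by_user(entitlements):
    """Group the export into user -> {(role, environment), ...}."""
    held = defaultdict(set)
    for user, role, env in entitlements:
        held[user].add((role, env))
    return held


def holds(granted, role, env):
    """True if any granted (role, env) pair matches one side of a rule, honouring wildcards."""
    return any((role == ANY_ROLE or r == role) and (env == ANY_ENV or e == env)
               for r, e in granted)


def find_sod_conflicts(entitlements, rules=CONFLICT_RULES):
    """Return (user, rationale) for every user whose grants satisfy both sides of a rule."""
    held = roles_by_user(entitlements)
    findings = []
    for user in sorted(held):
        for left, right, why in rules:
            if holds(held[user], *left) and holds(held[user], *right):
                findings.append((user, why))
    return findings


if __name__ == "__main__":
    for user, why in find_sod_conflicts(ENTITLEMENTS):
        print(f"{user}: {why}")
```

Run against the sample export, the review flags bob (a developer who can deploy to production), dave (who can approve and then implement his own change) and erin (a developer granted production access outright), and passes alice and carol. The rules are data, not code, so the same review can be re-run after every entitlement change as an ongoing monitoring activity.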

Application Controls
Application controls focus directly on completeness, accuracy, authorization, and validity of data capture and
processing. They help ensure data are captured or generated when needed, supporting applications are
available, and interface errors are detected quickly.

An important objective of application controls is to prevent errors from entering the system, as well as to detect
and correct errors once they are present. To do this, application controls often involve computerized edit checks
consisting of format, existence, reasonableness, and other data checks built into applications during
development. When properly designed, they can provide control over data entering the system.

Exhibit 7.3 provides examples of application controls. These are just a few among a myriad of controls
performed every day, through calculation and comparison, that serve to prevent and detect inaccurate,
incomplete, inconsistent, or improper data capture and processing.

Exhibit 7.3
 Balancing control activities – Detect data capture errors by reconciling amounts entered, either manually or
automatically, to a control total. A company automatically balances the total number of transactions processed
and passed from its on-line order entry system to the number of transactions received in its billing system.
 Check digits – Validate data by calculations. A company’s part numbers contain a check digit so that a mistyped
part number is detected, and can be corrected, before an order is placed with its suppliers.
 Predefined data listings – Provide the user with predefined lists of acceptable data. A company’s intranet site
includes drop-down lists of products available for purchase.
 Data reasonableness tests – Compare data captured with a present or learned pattern of reasonableness. An
order to a supplier by a home renovation retail store for an unusually large number of board feet of lumber triggers
a review.
 Logic tests – Include use of range limits or value or alphanumeric tests. A government agency detects potential
errors in social security numbers by checking whether all entered numbers contain nine digits.
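
Each Exhibit 7.3 check is a small piece of logic built into the application at development time. What follows is an added example written for this page, not COSO text or any vendor's product, showing the five kinds of check side by side. The mod-10 (Luhn) check-digit scheme, the three-standard-deviation reasonableness threshold, the field names and the sample records are all assumptions constructed for illustration.

```python
"""Worked application controls in the spirit of Exhibit 7.3.

Added example; not COSO's own material. The check-digit scheme (Luhn,
mod 10), the 3-sigma reasonableness threshold, the field names and the
sample records are assumptions chosen for illustration.
"""
from statistics import mean, pstdev


def luhn_check_digit(body: str) -> str:
    """Return the mod-10 (Luhn) check digit for a string of digits."""
    total = 0
    for i, ch in enumerate(reversed(body)):  # rightmost body digit is doubled first
        d = int(ch)
        if i % 2 == 0:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(number: str) -> bool:
    """Check-digit validation: last digit must match the digit computed from the rest."""
    if not number.isdigit() or len(number) < 2:
        return False
    return luhn_check_digit(number[:-1]) == number[-1]


def balance(sent_count: int, sent_amount: float, received: list) -> list:
    """Balancing control: reconcile what the order-entry system says it passed
    to what the billing system actually received, by count and by amount."""
    issues = []
    recv_count = len(received)
    recv_amount = round(sum(r["amount"] for r in received), 2)
    if recv_count != sent_count:
        issues.append(f"count: sent {sent_count}, received {recv_count}")
    if abs(recv_amount - round(sent_amount, 2)) >= 0.01:
        issues.append(f"amount: sent {sent_amount:.2f}, received {recv_amount:.2f}")
    return issues


def unreasonable(quantity: float, history: list, sigmas: float = 3.0) -> bool:
    """Reasonableness test against a learned pattern: flag a quantity more than
    `sigmas` standard deviations above the historical mean."""
    if len(history) < 2:
        return False  # nothing learned yet; assumption: do not block
    return quantity > mean(history) + sigmas * pstdev(history)


def nine_digits(value: str) -> bool:
    """Logic test: exactly nine numeric characters (the SSN-format example)."""
    return len(value) == 9 and value.isdigit()


def edit_checks(order: dict, allowed_products: set, history: list) -> list:
    """Run the edit checks an order-entry screen applies before accepting a line."""
    findings = []
    if not luhn_valid(order["part_number"]):
        findings.append("part_number fails check digit")
    if order["product"] not in allowed_products:  # predefined data listing
        findings.append("product not in approved list")
    if unreasonable(order["quantity"], history):
        findings.append("quantity outside learned pattern; route for review")
    if not nine_digits(order["buyer_tax_id"]):
        findings.append("buyer_tax_id must be nine digits")
    return findings


# Constructed sample data (not from the source).
ALLOWED_PRODUCTS = {"LUMBER-2X4-8FT", "LUMBER-2X6-10FT", "PLYWOOD-3/4"}
LUMBER_HISTORY = [120, 135, 110, 150, 128, 140, 115, 130]  # board feet per past order
GOOD_ORDER = {"part_number": "79927398713", "product": "LUMBER-2X4-8FT",
              "quantity": 140, "buyer_tax_id": "123456789"}
BAD_ORDER = {"part_number": "79927398173",   # two digits transposed
             "product": "LUMBER-2X4-12FT",   # not in the predefined list
             "quantity": 4000,               # far outside the learned pattern
             "buyer_tax_id": "12345-678"}    # nine characters, not nine digits

if __name__ == "__main__":
    print(edit_checks(GOOD_ORDER, ALLOWED_PRODUCTS, LUMBER_HISTORY))
    print(edit_checks(BAD_ORDER, ALLOWED_PRODUCTS, LUMBER_HISTORY))
    print(balance(3, 275.50, [{"id": 1, "amount": 100.00}, {"id": 2, "amount": 150.00}]))
```

The reasonableness test is the one that "learns": its limit comes from prior orders, so the same 4,000 board feet passes at a yard whose history makes that routine and is routed for review where it does not. The check digit detects a mistyped or transposed part number before the order leaves the system, but it cannot say which digit is wrong, so correction remains a human step. Note the tax-id check: a length test alone would accept "12345-678"; the logic test has to check both length and character class.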

Entity Specific
Because each entity has its own set of objectives and implementation approaches, there will be differences in
risk responses and related control activities. Even if two entities had identical objectives and made similar
decisions on how they should be achieved, the control activities likely would be different. Each entity is
managed by different people who use individual judgments in effecting control. Moreover, controls reflect the
environment and industry in which an entity operates, as well as the size and complexity of its organization,
nature and scope of its activities, its history, and its culture.

Large, complex organizations with diverse activities may face more difficult control issues than small, simple
organizations with less varied activities. An entity with decentralized operations, and an emphasis on local
autonomy and innovation, presents different control circumstances than a highly centralized one. Other factors
that influence an entity’s complexity, and therefore the nature of its controls, include location and geographical
dispersion, extensiveness and sophistication of operations, and information processing methods.

8. Information and Communication

Chapter Summary: Pertinent information is identified, captured, and
communicated in a form and timeframe that enable people to carry out
their responsibilities. Information systems use internally generated
data, and information from external sources, providing information for
managing risks and making informed decisions relative to objectives.
Effective communication also occurs, flowing down, across, and up the
organization. All personnel receive a clear message from top
management that enterprise risk management responsibilities must be
taken seriously. They understand their own role in enterprise risk
management, as well as how individual activities relate to the work of others. They must have a means of
communicating significant information upstream. There is also effective communication with external parties,
such as customers, suppliers, regulators, and shareholders.

Every enterprise identifies and captures a wide range of information, relating to external as well as internal
events and activities, relevant to managing the entity. This information is delivered to personnel in a form and
timeframe that enable them to carry out their enterprise risk management and other responsibilities.

Information
Information is needed at all levels of an organization to identify, assess, and respond to risks, and to otherwise
run the entity and achieve its objectives. An array of information is used, relevant to one or more objectives
categories.

Operating information from internal and external sources, both financial and non-financial, is relevant to multiple
business objectives. Financial information, for instance, is used in developing financial statements for reporting
purposes, and also for operating decisions, such as monitoring performance and allocating resources. Reliable
financial information is fundamental to planning, budgeting, pricing, evaluating vendor performance, assessing
joint ventures and alliances, and a range of other management activities.

Similarly, operating information is essential for developing financial and other reports. This includes the routine
– purchases, sales, and other transactions – as well as information on competitors’ product releases or
economic conditions, which can affect inventory and receivables valuations. And information needed for
compliance purposes, such as information on airborne particle emissions or personnel data, also may serve
financial reporting objectives.

Information comes from many sources – internal and external, and in quantitative and qualitative forms – and
facilitates responses to changing conditions. A challenge for management is to process and refine large
volumes of data into actionable information. This challenge is met by establishing an information systems
infrastructure to source, capture, process, analyze, and report relevant information. These information systems
– usually computerized but also involving manual inputs or interfaces – often are viewed in the context of
processing internally generated data. But information systems have a much broader application. They also deal
with information about external events, for example, market- or industry-specific economic data that signals
changes in demand for a company’s products or services, data on goods and services for production processes,
market intelligence on evolving customer preferences or demands, information on competitors’ product
development activities, and legislative or regulatory initiatives.

Information systems can be formal or informal. Conversations with customers, suppliers, regulators, and entity
personnel often provide critical information needed to identify risks and opportunities. Similarly, attendance at
professional or industry seminars and memberships in trade and other associations can provide valuable
information.

Keeping information consistent with needs is particularly important when an entity faces fundamental industry
changes, highly innovative and quick-moving competitors, or significant customer demand shifts. Information
systems change as needed to support new objectives. They identify and capture needed financial and non-
financial information, and also process and report this information in a timeframe and way that are useful in
controlling the entity’s activities.

Strategic and Integrated Systems
As enterprises have become more collaborative and integrated with customers, suppliers, and business
partners, the division between an entity’s information systems architecture and that of external parties is
increasingly blurred. As a result, data processing and data management often become a shared responsibility of
multiple entities. In such cases, an organization’s information systems architecture must be sufficiently flexible
and agile to effectively integrate with affiliated external parties.

The design of an information systems architecture and acquisition of technology are important aspects of entity
strategy, and choices regarding technology can be critical to achieving objectives. Decisions about technology
selection and implementation depend on many factors, including organizational goals, marketplace needs, and
competitive requirements. While information systems are fundamental to effective enterprise risk management,
risk management techniques can assist in making technology decisions.
Information systems have long been designed and used to support business strategy. This role becomes critical
as business needs change and technology creates new opportunities for strategic advantage. In some cases,
changes in technology have reduced the advantage gained in initial deployment, driving new strategic direction.
For instance, airline reservation systems that gave travel agents easy access to flight information later moved to
customer-facing Internet reservation systems, significantly reducing or eliminating involvement of the traditional
travel agent.

Integration with Operations
Information systems often are fully integrated into most aspects of operations. Web-based systems are
common, with many companies having enterprise-wide information systems such as enterprise resource
planning. These applications facilitate access to information previously trapped in functional or departmental
silos, making it available for widespread management use. Transactions are recorded and tracked in real time,
enabling managers to immediately access financial and operating information more effectively to control
business activities. For example, a construction company dealing in multiple large-scale projects uses an
integrated, extranet-based system to meet marketplace and efficiency expectations. The system provides
information that helps managers track customer-supplied inventory and parts, identify over- or short-supply
material at multiple job sites, obtain cost savings with suppliers of common materials or combine with similar
organizations to obtain volume discounts, and oversee the subcontractors’ activities. It also allows employees to
seamlessly share current drawings with architects and engineers, customers, subcontractors, and regulators,
while maintaining drawing version control. Additionally, the system encompasses knowledge management
capabilities that allow company employees to share innovative solutions throughout the organization.

To support effective enterprise risk management, an entity captures and uses historical and present data.
Historical data allow the entity to track actual performance against targets, plans, and expectations. They
provide insights into how the entity performed under varying conditions, allowing management to identify
correlations and trends, and to forecast future performance. Historical data also can provide early warning of
potential events that warrant management attention.

Present or current-state data allows an entity to determine whether it is remaining within established risk
tolerances. Such data allows management to take a real-time view of existing risks within a process, function, or
unit, and to identify variations from expectations.

Developments in information systems have improved the ability of many organizations to measure and monitor
performance and present analytical information at an enterprise level. System complexity and integration
continue, with organizations utilizing new technology capabilities as they emerge. However, the growing
reliance on information systems at the strategic and operational level brings about new risks – such as
information security breaches or cyber-crimes – that must be integrated into the entity’s enterprise risk
management.

Depth and Timeliness of Information
The information infrastructure sources and captures data in a timeframe and at a depth consistent with an
entity’s need to identify, assess, and respond to risk, and remain within its risk tolerances. Timeliness of
information flow needs to be consistent with the rate of change in the entity’s internal and external environments.

The importance of depth of data is illustrated by looking at different events affecting a brokerage firm located in a
city susceptible to floods. For business continuity planning, management maintains a general awareness of
potential flood conditions and is positioned to advise personnel when to move to back-up facilities. Information
captured at this high level is sufficient to allow the firm to adequately manage the risk. In contrast, as a broker,
the firm sources and continuously captures changes in stock, bond, and commodity prices to several decimal
places. This level of data timeliness and detail is consistent with the firm’s need to respond immediately to price
changes that may precipitate risks, such as an overexposure to a particular market sector or security
inconsistent with the firm’s risk appetite.

The information infrastructure converts raw data into relevant information that assists personnel in carrying out
their enterprise risk management and other responsibilities. Information is provided in a form and timeframe that
are actionable, readily usable, and linked to defined accountabilities.

Advances in data collection, processing, and storage have resulted in exponential growth in data volume. With
more data available - often in real time - to more people in an organization, the challenge is to avoid “information
overload” by ensuring flow of the right information, in the right form, at the right level of detail, to the right people,
at the right time. In developing the knowledge and information infrastructure, consideration should be given to
the distinct information requirements of individual users and departments, and to summary-level information
needed by different levels of management.

Information Quality
With increasing dependence on sophisticated information systems and data-driven automated decision systems
and processes, data reliability is critical. Inaccurate data can result in unidentified risks or poor assessments
and bad management decisions.

The quality of information includes ascertaining whether:

 Content is appropriate – Is it at the right level of detail?
 Information is timely – Is it there when required?
 Information is current – Is it the latest available?
 Information is accurate – Is the data correct?
 Information is accessible – Is it easy to obtain by those who need it?

To drive data quality, entities establish enterprise-wide data management programs, encompassing acquisition,
maintenance, and distribution of relevant information. Without such programs, information systems might not
provide the information that management and other personnel require.

Challenges are many: Conflicting functional needs, system constraints, and non-integrated processes can
inhibit data acquisition and its effective use. To meet these challenges, management establishes a strategic
plan with clear accountability and responsibilities for data integrity, and performs regular data quality
assessments.

Having the right information, on time and at the right place, is essential to effecting enterprise risk management.
That is why information systems, while a component of enterprise risk management, also must be controlled.

Communication
Communication is inherent in information systems. As discussed above, information systems must provide
information to appropriate personnel so that they can carry out their operating, reporting, and compliance
responsibilities. But communication also must take place in a broader sense, dealing with expectations,
responsibilities of individuals and groups, and other important matters.

Internal
Management provides specific and directed communication that addresses behavioral expectations and the
responsibilities of personnel. This includes a clear statement of the entity’s risk management philosophy and
approach and a clear delegation of authority. Communication about processes and procedures should align
with, and underpin, the desired culture.

Communication should effectively convey:

 The importance and relevance of effective enterprise risk management
 The entity’s objectives
 The entity’s risk appetite and risk tolerances
 A common risk language
 The roles and responsibilities of personnel in effecting and supporting the components of enterprise risk
management

All personnel, particularly those with important operating or financial management responsibilities, need to
receive a clear message from top management that enterprise risk management must be taken seriously. Both
the clarity of the message and effectiveness with which it is communicated are important.

Personnel also need to know how their activities relate to the work of others. This knowledge is necessary to
recognize a problem or determine its cause and corrective action. And, they need to know what is deemed
acceptable and unacceptable behavior. There have been well-publicized instances of fraudulent reporting in
which managers, under pressure to meet budgets, misrepresented operating results. In a number of these
instances, no one had told these individuals that such misreporting could be illegal or otherwise improper. This
underscores the critical nature of how messages are communicated within an organization. A manager who
instructs subordinates, “Meet the budget – I don’t care how you do it, just do it,” unwittingly can send the wrong
message.

Front-line employees who deal with critical operating issues every day are often in the best position to recognize
problems as they arise, and communications channels should ensure personnel can communicate risk-based
information across business units, processes, or functional silos, as well as upstream. For example, sales
representatives or account managers may learn of important customer product design needs, production
personnel may become aware of costly process deficiencies, and purchasing personnel may be confronted with
improper incentives from suppliers. Communication breakdowns can occur when individuals or units are
discouraged from providing information important to others or do not have a vehicle to provide it. Personnel may
be aware of significant risks, but unwilling or unable to report them.

For such information to be reported, there must be open channels of communication and a clear-cut willingness
to listen. Personnel must believe their superiors truly want to know about problems and will deal with them
effectively. Most managers recognize intellectually that they should avoid “shooting the messenger.” But when
caught up in everyday pressures, they can be unreceptive to people bringing them legitimate problems.
Personnel are quick to pick up on spoken or unspoken signals that a superior doesn’t have the time or interest to
deal with problems they have uncovered. Compounding such problems, the unreceptive manager is the last to
know that the communications channel has been effectively shut down.

In most cases, normal reporting lines in an organization are the appropriate channels of communication. In
some circumstances, however, separate lines of communication are needed to serve as a fail-safe mechanism
in case normal channels are inoperative. Many companies provide, and make employees aware of, a channel
directly to the chief internal auditor or legal counsel or other senior officer having access to the board of
directors, along with board or audit committee oversight, and laws and regulations increasingly call on
companies to establish these mechanisms. Because of its importance, effective enterprise risk management
requires such an alternative communications channel. Without both open communications channels and a
willingness to listen, the upward flow of information might be blocked.

It is important that personnel understand that there will be no reprisals for reporting relevant information. A clear
message is sent by the existence of mechanisms that encourage employees to report suspected violations of an
entity’s code of conduct and by the treatment of reporting personnel.

A relevant and comprehensive code of conduct, coupled with employee training sessions, and ongoing
corporate communications and feedback mechanisms, along with the right example set by the actions of senior
management, can reinforce these important messages.

Among the most critical communications channels is that between top management and the board of directors.
Management must keep the board up-to-date on performance, risk, and the functioning of enterprise risk
management, and other relevant events or issues. The better the communications, the more effective a board
will be in carrying out its oversight responsibilities – acting as a sounding board for management on critical
issues, monitoring its activities, and providing advice, counsel, and direction. By the same token, the board
should communicate its information needs to management and provide feedback and direction.

External
There needs to be appropriate communication not only within the entity, but with the outside as well. With open
external communications channels, customers and suppliers can provide highly significant input on the design or
quality of products or services, enabling a company to address evolving customer demands or preferences. For
example, customer or supplier complaints or inquiries about shipments, receipts, billings, or other activities often
point to operating problems, and possibly to fraudulent or other improper practices. Management should be
ready to recognize implications of such circumstances and investigate and take necessary corrective actions,
focusing on the impact on financial reporting and compliance as well as operations objectives.

Open communication about the entity’s risk appetite and risk tolerances is important, particularly for entities
linked with others in supply chains or e-business enterprises. In such instances, management considers how its
risk appetite and risk tolerances align with those of its business partners, ensuring it does not inadvertently
accept too much risk through its partners.

Communication to stakeholders, regulators, financial analysts, and other external parties provides information
relevant to their needs, so they can understand readily the circumstances and risks the entity faces. Such
communication should be meaningful, pertinent, and timely, and conform to legal and regulatory requirements.

Management’s commitment to communication with external parties – whether open and forthcoming and serious
in follow-up, or otherwise – also sends messages throughout the organization.

Means of Communication
Communication can take such forms as policy manuals, memoranda, e-mails, bulletin board notices, webcasts,
and videotaped messages. Where messages are transmitted orally – in large groups, smaller meetings, or one-
on-one sessions – tone of voice and body language emphasize what is being said.

The way management deals with personnel can communicate a powerful message. Managers should
remember that actions speak louder than words. Their actions are, in turn, influenced by the entity’s history and
culture, drawing on past observations of how their mentors dealt with similar situations.

An entity with a history of operating with integrity, and whose culture is well understood by people throughout the
organization, will likely find little difficulty communicating its message. An entity without such a tradition will need
to put more effort into the way messages are communicated.

9. Monitoring

Chapter Summary: Enterprise risk management is
monitored – assessing the presence and functioning of
its components over time. This is accomplished through
ongoing monitoring activities, separate evaluations, or a
combination of the two. Ongoing monitoring occurs in
the normal course of management activities. The scope
and frequency of separate evaluations will depend
primarily on an assessment of risks and the
effectiveness of ongoing monitoring procedures.
Enterprise risk management deficiencies are reported
upstream, with serious matters reported to top
management and the board.

An entity’s enterprise risk management changes over time. Risk responses that were once effective may
become irrelevant; control activities may become less effective, or no longer be performed; or entity objectives
may change. This can be due to the arrival of new personnel, changes in entity structure or direction, or the
introduction of new processes. In the face of such changes, management needs to determine whether the
functioning of enterprise risk management continues to be effective.

Monitoring can be done in two ways: through ongoing activities or separate evaluations. Enterprise risk
management mechanisms usually are structured to monitor themselves on an ongoing basis, at least to some
degree. The greater the degree and effectiveness of ongoing monitoring, the less need for separate
evaluations. The frequency of separate evaluations necessary for management to have reasonable assurance
about the effectiveness of enterprise risk management is a matter of management’s judgment. In making that
determination, consideration is given to the nature and degree of changes occurring and their associated risks,
the competence and experience of the personnel implementing risk responses and related controls, and the
results of ongoing monitoring. Usually, some combination of ongoing monitoring and separate evaluations will
ensure that enterprise risk management maintains its effectiveness over time.

Ongoing monitoring is built into the normal, recurring operating activities of an entity. Ongoing monitoring is
performed on a real-time basis, reacts dynamically to changing conditions, and is ingrained in the entity. As a
result, it is more effective than separate evaluations. Since separate evaluations take place after the fact,
problems often will be identified more quickly by ongoing monitoring routines. Many entities with sound ongoing
monitoring activities nonetheless conduct separate evaluations of enterprise risk management periodically. An
entity that perceives a need for frequent separate evaluations should focus on enhancing ongoing monitoring
activities.

Ongoing Monitoring Activities
Many activities serve to monitor the effectiveness of enterprise risk management in the ordinary course of
running the business. These stem from regular management activities, which might involve variance analysis,
comparisons of information from disparate sources, and dealing with unexpected occurrences.

Ongoing monitoring activities generally are performed by line operating or functional support managers, giving
thoughtful consideration to implications of information they receive. By focusing on relationships,
inconsistencies, or other relevant implications, they raise issues and follow up with other personnel as necessary
to determine whether corrective or other action is called for. Ongoing monitoring activities are differentiated from
activities performed as required by policy in business processes. For example, approvals of transactions,
reconciliations of account balances, and verifying the accuracy of changes to master files, performed as required
steps in information systems or accounting processes, are best defined as control activities.

Exhibit 9.1 includes examples of ongoing monitoring activities.

Exhibit 9.1
 Managers reviewing operating reports, used to manage operations on an ongoing basis, may spot inaccuracies or
exceptions to anticipated results. For example, managers of sales, purchasing, and production at divisional,
subsidiary, and corporate levels who are in touch with operations can question reports that differ significantly from
their knowledge of operations. Timely and complete reporting and resolution of these exceptions enhance
effectiveness of the process.
 Changes in the figures produced by value-at-risk models, used to evaluate the impact of potential market
movements on an entity’s financial position, are compared with reported financial transactions, focusing on
expected relationships.
 Communications from external parties corroborate internally generated information or indicate
problems. Customers implicitly corroborate billing data by paying their invoices. Conversely, customer
complaints about billings could indicate system deficiencies in the processing of sales transactions. Similarly,
reports from investment managers on securities gains, losses, and income can corroborate or signal problems
with the entity’s (or the manager’s) records. An insurance company’s review of safety policies and practices
provides information on operational safety and compliance performance.
 Regulators communicate with management on compliance or other matters that reflect on the functioning of
enterprise risk management.
 Internal and external auditors and advisors regularly provide recommendations to strengthen enterprise risk
management. Auditors may focus considerable attention on key risks and related responses and design of
control activities. Potential weaknesses may be identified, and alternative actions recommended to management,
accompanied by information useful in making cost-benefit determinations. Internal auditors or personnel
performing similar review functions can be particularly effective in monitoring an entity’s activities.
 Training seminars, planning sessions, and other meetings provide important feedback to management on whether
enterprise risk management is effective. In addition to particular problems that may indicate risk issues,
participants’ risk and control consciousness often becomes apparent.
 Managers in the normal course of running the business discuss with personnel such matters as their
understanding of the entity’s code of conduct, how they identify risks, and issues arising in connection with the
operation of control activities. These discussions confirm proper functioning of elements of enterprise risk
management or surface matters needing attention.

Separate Evaluations
While ongoing monitoring procedures usually provide important feedback on the effectiveness of other
enterprise risk management components, it may be useful to take a fresh look from time to time, focusing
directly on enterprise risk management effectiveness. This also provides an opportunity to consider the
continued effectiveness of the ongoing monitoring procedures.

Scope and Frequency
Evaluations of enterprise risk management vary in scope and frequency, depending on the significance of risks
and importance of the risk responses and related controls in managing the risks. Higher-priority risk areas and
responses tend to be evaluated more often. Evaluation of the entirety of enterprise risk management – which
generally will be needed less frequently than the assessment of specific parts – may be prompted by a number
of reasons: major strategy or management change, acquisitions or dispositions, changes in economic or political
conditions, or changes in operations or methods of processing information. When a decision is made to
undertake a comprehensive evaluation of an entity’s enterprise risk management, attention should be directed to
addressing its application in strategy setting as well as with respect to significant activities. The evaluation
scope also will depend on which objectives categories – strategic, operations, reporting, and compliance – are to
be addressed.

Who Evaluates
Often, evaluations take the form of self-assessments, where persons responsible for a particular unit or function
determine the effectiveness of enterprise risk management for their activities. For example, the chief executive
of a division directs the evaluation of its enterprise risk management activities. He or she personally assesses
the risk management activities associated with strategic choices and high-level objectives as well as the internal
environment component, and individuals in charge of the division’s various operating activities assess the
effectiveness of enterprise risk management components relative to their spheres of responsibility. Line
managers focus on operations and compliance objectives, and the divisional controller focuses on reporting
objectives. The division’s assessments are then considered by senior management, along with evaluations of
the company’s other divisions.

Internal auditors normally perform evaluations as part of their regular duties, or at the specific request of senior
management, the board, or subsidiary or divisional executives. Similarly, management may utilize input from
external auditors in considering the effectiveness of enterprise risk management. A combination of efforts may
be used in conducting whatever evaluative procedures management deems necessary.

The Evaluation Process
Evaluating enterprise risk management is a process in itself. While approaches or techniques vary, a discipline
should be brought to the process, with certain basics inherent in it.

The evaluator must understand each of the entity’s activities and each of the components of enterprise risk
management being addressed. It may be useful to focus first on how enterprise risk management purportedly
functions – sometimes referred to as the system or process design.

The evaluator must determine how the system actually works. Procedures designed to operate in a particular
way may be modified over time to operate differently or may no longer be performed. Sometimes new
procedures are established but are not known to those who described the process and are not included in
available documentation. A determination as to actual functioning can be accomplished by holding discussions
with personnel who perform or are affected by enterprise risk management, by examining records on
performance, or a combination of procedures.

The evaluator analyzes the enterprise risk management process design and the results of tests performed. The
analysis is conducted against the backdrop of management’s established standards for each component, with
the ultimate goal of determining whether the process provides reasonable assurance with respect to the stated
objectives.

Methodology
A variety of evaluation methodologies and tools are available, including checklists, questionnaires, and
flowcharting techniques. As part of their evaluation methodology, some companies compare or benchmark their
enterprise risk management process against those of other entities. An entity may, for example, measure its
enterprise risk management against those companies with reputations for having particularly good enterprise
risk management. Comparisons might be done directly with another company or under the auspices of trade or
industry associations. Other organizations may provide comparative information, and peer review functions in
some industries can help a company evaluate its enterprise risk management against its peers. A word of
caution is needed. When conducting comparisons, consideration must be given to differences that always exist
in objectives, facts, and circumstances. And all eight enterprise risk management components, as well as the
inherent limitations of enterprise risk management, need to be kept in mind.

Documentation
The extent of documentation of an entity’s enterprise risk management varies with the entity’s size, complexity,
and similar factors. Larger organizations usually have written policy manuals, formal organization charts, written
job descriptions, operating instructions, information system flowcharts, and so forth. Smaller entities typically
have considerably less documentation. Many aspects of enterprise risk management are informal and
undocumented, yet are regularly performed and highly effective. These activities may be tested in the same
ways as documented activities. The fact that elements of enterprise risk management are not documented does
not mean that they are not effective or that they cannot be evaluated. However, an appropriate level of
documentation usually makes evaluations more effective and efficient.

The evaluator may decide to document the evaluation process itself. He or she usually will draw on existing
documentation of the entity’s enterprise risk management. Typically, this will be supplemented with additional
documentation, along with descriptions of the tests and analyses performed in the evaluation.

Where management intends to make a statement to external parties regarding enterprise risk management
effectiveness, it should consider developing and retaining documentation to support the statement. Such
documentation may be useful if the statement subsequently is challenged.

Reporting Deficiencies
Deficiencies in an entity’s enterprise risk management may surface from many sources, including the entity’s
ongoing monitoring procedures, separate evaluations, and external parties. A deficiency is a condition within
enterprise risk management worthy of attention that may represent a perceived, potential, or real shortcoming, or
an opportunity to strengthen enterprise risk management to increase the likelihood that the entity’s objectives will
be achieved.

Sources of Information
One of the best sources of information on enterprise risk management deficiencies is enterprise risk
management itself. Ongoing monitoring activities of an enterprise, including managerial activities and everyday
supervision of employees, generate insights from those who are directly involved in the entity’s activities. These
insights are gained in real time and can provide quick identification of deficiencies. Other sources of deficiencies
are the separate evaluations of enterprise risk management. Evaluations performed by management, internal
auditors, or other functions can highlight areas in need of improvement.

External parties frequently provide important information on the functioning of an entity’s enterprise risk
management. These include customers, vendors and others doing business with the entity, external auditors,
and regulators. Reports from external sources should be carefully considered for their implications for enterprise
risk management, and appropriate corrective actions should be taken.

What Is Reported
What should be reported? Although a universal answer is not possible, certain parameters can be drawn.

All identified enterprise risk management deficiencies that affect an entity’s ability to develop and implement its
strategy and to set and achieve its objectives should be reported to those positioned to take necessary action.
The nature of matters to be communicated will vary depending on individuals’ authority to deal with
circumstances that arise and on the oversight activities of superiors. In considering what needs to be
communicated, it is necessary to look at the implications of findings. It is essential not only that a particular
transaction or event be reported, but also that related potentially faulty procedures be reevaluated.

It can be argued that no problem is so insignificant as to make investigation of its implications unwarranted. An
employee taking a few dollars from a petty cash fund for personal use, for example, would not be significant in
terms of that particular event, and probably not in terms of the amount of the entire petty cash fund. Thus,
investigating it might not be worthwhile. However, such apparent condoning of personal use of the entity’s
money might send the wrong message to employees.

In addition to deficiencies, identified opportunities to increase the likelihood that the entity’s objectives will be
achieved also should be reported.

To Whom to Report
Information generated in the course of operating activities usually is reported through normal channels to
immediate superiors. They in turn may communicate upstream or laterally in the organization, so that the
information ends up with personnel who can and should act on it. Alternative communications channels also
should exist for reporting sensitive information such as illegal or improper acts. Findings of enterprise risk
management deficiencies usually should be reported not only to the individual responsible for the function or
activity involved, but also to at least one level of management above that person. This higher level of
management provides needed support or oversight for taking corrective action and is positioned to communicate
with others in the organization whose activities may be affected. Where findings cut across organizational
boundaries, the reporting should cross over as well and be directed to a sufficiently high level to ensure
appropriate action.

Reporting Directives
Providing needed information on enterprise risk management deficiencies to the right party is critical. Protocols
should be established to identify what information is needed at a particular level for effective decision making.

Such protocols reflect the general rule that a manager should receive information that affects actions or behavior
of personnel within his or her responsibility, as well as information needed to achieve specific objectives. A chief
executive normally would want to be apprised, for example, of serious infractions of policies and procedures. He
or she also would want supporting information on matters that could have significant financial impacts or
strategic implications or that could affect the entity’s reputation.

Senior managers should be apprised of risk management and control deficiencies affecting their units.
Examples include circumstances where assets with a specified monetary value are not adequately protected,
where the competence of employees is lacking, or where important financial reconciliations are not performed
correctly. Managers should be informed of deficiencies in their units in increasing levels of detail, as one moves
down the organizational structure.

Supervisors define reporting protocols for subordinates. The degree of specificity will vary, usually increasing at
lower levels in the organization. While reporting protocols can inhibit effective reporting if too narrowly defined,
they can enhance reporting if sufficient flexibility is provided.

Parties to whom deficiencies are to be communicated sometimes provide specific directives regarding what
should be reported. A board of directors or audit committee, for example, may ask management or internal or
external auditors to communicate only those deficiencies meeting a specified threshold of seriousness or
importance.

10. Roles and Responsibilities

Chapter Summary: Everyone in an entity has some responsibility for enterprise risk management. The chief
executive officer is ultimately responsible and should assume “ownership.” Other managers support the risk
management philosophy, promote compliance with the risk appetite, and manage risks within their spheres of
responsibility consistent with risk tolerances. Other personnel are responsible for executing enterprise risk
management in accordance with established directives and protocols. The board of directors provides important
oversight to enterprise risk management. A number of external parties often provide information useful in
effecting enterprise risk management, but they are not responsible for the effectiveness of the entity’s enterprise
risk management.

Enterprise risk management is effected by a number of parties, each with important responsibilities. The board
of directors (directly or through its committees), management, internal auditors, and other personnel all make
important contributions to risk management. Other parties, such as external auditors and regulatory bodies, are
sometimes associated with risk assessments and internal control. However, a distinction exists between those
who are part of an entity’s enterprise risk management process and those who are not, but whose actions
nonetheless can affect the process or otherwise help the entity achieve its objectives. Directly or indirectly
helping an entity achieve its objectives, however, does not make an external party a part of or responsible for the
entity’s enterprise risk management.

Entity Personnel
The board of directors, management, risk officers, financial officers, internal auditors, and indeed every
individual within an entity contribute to effective enterprise risk management.

Board of Directors
Management is accountable to the board of directors or trustees, which provides monitoring, guidance, and
direction. By selecting management, the board has a major role in defining what it expects in integrity and
ethical values, and through its oversight activities can determine whether its expectations are being met.
Similarly, by reserving authority in certain key decisions, the board plays a role in setting strategy, formulating
high-level objectives, and broad-based resource allocation.

The board provides oversight with regard to enterprise risk management by:

• Knowing the extent to which management has established effective enterprise risk management in the organization
• Being aware of and concurring with the entity’s risk appetite
• Reviewing the entity’s portfolio view of risk and considering it against the entity’s risk appetite
• Being apprised of the most significant risks and whether management is responding appropriately

The board is part of the internal environment component and must have the requisite composition and focus for
enterprise risk management to be effective.

Effective board members are objective, capable, and inquisitive. They have a working knowledge of the entity’s
activities and environment and commit the time necessary to fulfill their board responsibilities. They utilize
resources as needed to conduct special investigations and have open and unrestricted communications with
internal auditors, external auditors, and legal counsel.

Boards of directors may use board committees in carrying out certain of their duties. The use and focus of
committees vary from one entity to another, although common committees are nominating/governance,
compensation, and audit committees, with each focusing attention on elements of enterprise risk management.
The nominating committee, for example, identifies and considers qualifications of prospective board members,
and the compensation committee considers the appropriateness of reward systems, balancing healthy
motivational programs with the need to avoid unnecessary temptation to manipulate compensation drivers. The
audit committee has a direct role in the reliability of external reporting, and must recognize key risks relative to
reliable financial reporting. As such, the board and its committees are an important part of enterprise risk
management.

Management
Management is directly responsible for all activities of an entity, including enterprise risk management.
Naturally, management at different levels has different enterprise risk management responsibilities. These vary,
often considerably, depending on the entity’s characteristics.

In any entity, the chief executive officer has ultimate ownership responsibility for enterprise risk management.
One of the most important aspects of this responsibility is ensuring the presence of a positive internal
environment. More than any other individual or function, the CEO sets the tone at the top that influences internal
environmental factors and other components of enterprise risk management. A CEO also can influence the
board of directors, through whatever influence he or she has on identifying new members, and in setting an
example and serving to attract, or deter, candidates for the board. Increasingly, candidates for board seats look
closely at top management’s integrity and ethical values in determining whether to accept a nomination.
Potential directors also focus on whether the entity’s enterprise risk management has the necessary critical
underpinnings of integrity and ethical values to enable its effectiveness.

The chief executive’s responsibilities include seeing that all components of enterprise risk management are in
place. The CEO generally fulfills this duty by:

• Providing leadership and direction to senior managers. Together with them, the CEO shapes the values, principles, and major operating policies that form the foundation of the entity’s enterprise risk management. The CEO and key senior managers set strategic objectives, strategy, and related high-level objectives. They also set broad-based policies and develop the entity’s risk management philosophy, risk appetite, and culture. They take actions concerning the entity’s organizational structure, content and communication of key policies, and the type of planning and reporting systems the entity will use.
• Meeting periodically with senior managers responsible for major functional areas – sales, marketing, production, procurement, finance, human resources – to review their responsibilities, including how they manage risk. The CEO gains knowledge of risks inherent in operations, risk responses, and control improvements required, and the status of efforts under way. To discharge this responsibility, the CEO must clearly define the information he or she needs.

With this knowledge, the CEO is positioned to monitor activities and risks in relation to the entity’s risk appetite.
Where evolving circumstances, emerging risks, strategy implementation, or anticipated actions indicate potential
misalignment with risk appetite, the CEO will take necessary action to reestablish alignment, or discuss with the
board of directors further action to be taken or whether the entity’s risk appetite should be adjusted.

Senior managers in charge of organizational units have responsibility for managing risks related to their units’
objectives. They convert strategy into operations, identify events and assess risks, and effect risk responses.
Managers guide application of enterprise risk management components within their spheres of responsibility,
ensuring application is consistent with risk tolerances. In this sense, a cascading responsibility exists, where
each executive is effectively a CEO for his or her sphere of responsibility.

Senior managers usually assign responsibility for specific enterprise risk management procedures to managers
in specific processes, functions, or departments. Accordingly, these managers usually play a more hands-on
role in devising and executing particular risk procedures that address unit objectives, such as techniques for
event identification and risk assessment, and in determining responses, such as developing protocols for
purchasing raw materials or accepting new customers. They also make recommendations on related control
activities, monitor their application, and meet with upper-level managers to report on the control activities’
functioning.

This may involve investigating external events or conditions, data entry errors, or transactions appearing on
exception reports, looking into reasons for departmental expense budget variances and following up on
customer back orders or product inventory positions. Significant matters, whether pertaining to a particular
transaction or an indication of a larger concern, are communicated upward in the organization.

Staff functions, such as human resources, compliance, or legal, also have important supporting roles in
designing or shaping effective enterprise risk management components. The human resources function may
design and help implement training programs on the entity’s code of conduct and other broad policy issues,
often rolled out with business unit leadership. The legal function provides information to line managers on new
laws and regulations that affect operating policies, and it or compliance officers provide critical information on
whether planned transactions or protocols conform to legal and ethical requirements.

Managers’ responsibilities should entail both authority and accountability. Each manager should be accountable
to the next higher level for his or her portion of enterprise risk management, with the CEO ultimately accountable
to the board. Although different management levels have distinct enterprise risk responsibilities and functions,
their actions should coalesce in the entity’s enterprise risk management.

Risk Officer
Some companies have established a centralized coordinating point to facilitate enterprise risk management. A
risk officer – referred to in some organizations as the chief risk officer or risk manager – works with other
managers in establishing effective risk management in their areas of responsibility. Established by and under
direct auspices of the chief executive, the risk officer has the resources to help effect enterprise risk
management across subsidiaries, businesses, departments, functions, and activities. The risk officer may have
responsibility for monitoring progress and for assisting other managers in reporting relevant risk information up,
down, and across the entity. The risk officer also may serve as a supplementary reporting channel.

Some companies assign this role to another senior officer, such as chief financial officer, general counsel, chief
audit executive, or chief compliance officer; others have found that the importance and breadth of scope of this
function require separate assignment and resources.

Companies have found this role most successful when set up with clarity around its responsibility as a staff
function – providing support and facilitation to line management. For enterprise risk management to be effective,
line managers must assume primary responsibility and have accountability for managing risk within their
respective areas.

Responsibilities of a risk officer may include:

• Establishing enterprise risk management policies, including defining roles and responsibilities and participating in setting goals for implementation
• Framing authority and accountability for enterprise risk management in business units
• Promoting an enterprise risk management competence throughout the entity, including facilitating development of technical enterprise risk management expertise and helping managers align risk responses with the entity’s risk tolerances and develop appropriate controls
• Guiding integration of enterprise risk management with other business planning and management activities
• Establishing a common risk management language that includes common measures around likelihood and impact, and common risk categories
• Facilitating managers’ development of reporting protocols, including quantitative and qualitative thresholds, and monitoring the reporting process
• Reporting to the chief executive on progress and outliers and recommending action as needed

Financial Executives
Of particular significance to enterprise risk management activities are finance and controllership executives and
their staffs, whose activities cut across, up, and down all operating and business units. These financial
executives often are involved in developing entity-wide budgets and plans, and they track and analyze
performance, often from an operations, compliance, and reporting perspective. These activities are usually part
of an entity’s central or “corporate” organization, but these executives commonly also have “dotted line”
responsibility for monitoring division, subsidiary, or other unit activities. As such, the chief financial officer, chief accounting
officer, controller, and others in the financial function are central to the way management exercises enterprise
risk management. They play an important role in preventing and detecting fraudulent reporting, and as a
member of top management, the chief financial officer helps set the tone of the organization’s ethical conduct,
has a major responsibility for the financial statements, and influences the design, implementation, and
monitoring of the company’s reporting systems.

When looking at the components of enterprise risk management, it is clear that the chief financial officer and his
or her staff play critical roles. This person is a key player when objectives are established, strategies decided,
risks analyzed, and decisions made on how changes affecting the entity will be managed. He or she provides
valuable input and direction and is positioned to focus on monitoring and following up on the actions decided.

As such, the chief financial officer should come to the table an equal partner with the other functional heads.
Any attempt by management to have him or her more narrowly focused – limited to principally areas of financial
reporting and treasury, for example – could severely limit the entity’s ability to succeed.

Internal Auditors
Internal auditors play a key role in evaluating the effectiveness of – and recommending improvements to –
enterprise risk management. Standards established by the Institute of Internal Auditors specify that the scope of
internal auditing should encompass risk management and control systems. This includes evaluating the
reliability of reporting, effectiveness and efficiency of operations, and compliance with laws and regulations. In
carrying out their responsibilities, internal auditors assist management and the board of directors or audit
committee by examining, evaluating, reporting on, and recommending improvements to the adequacy and
effectiveness of the entity’s enterprise risk management.

The Institute of Internal Auditors standards also address what roles are appropriate for internal audit, making
clear that internal auditors should be objective with regard to the activities they audit. This objectivity should be
reflected by their position and authority within the entity and appropriate internal auditor staff assignments.
Organizational position and authority involve such matters as a reporting line to an individual who has sufficient
authority to ensure appropriate audit coverage, consideration, and response; selection and dismissal of the chief
audit executive only with concurrence of the board of directors or audit committee; access to the board or audit
committee; and authority to follow up on findings and recommendations.

Other Entity Personnel
Enterprise risk management is, to some degree, the responsibility of everyone in an entity and therefore should
be an explicit or implicit part of everyone’s job description. This is true from two perspectives:

• Virtually all personnel play some role in effecting risk management. They may produce information used in identifying or assessing risks, or take other actions needed to effect enterprise risk management. The care with which those activities are performed directly affects the effectiveness of an entity’s enterprise risk management.
• All personnel are responsible for supporting information and communication flows inherent in enterprise risk management. This includes communicating to a higher organizational level any problems in operations, non-compliance with the code of conduct, or other violations of policy or illegal actions. Enterprise risk management relies on checks and balances, including segregation of duties, and on personnel not “looking the other way.” Personnel should understand the need to resist pressure from superiors to participate in improper activities, and channels outside of normal reporting lines should be available to permit reporting of such circumstances.

Enterprise risk management is everyone’s business, and roles and responsibilities of all personnel should be
well defined and effectively communicated.

External Parties
A number of external parties can contribute to achievement of an entity’s objectives, sometimes by actions that
parallel those taken within the entity. In other cases, external parties may provide information useful to the entity
in its enterprise risk management activities.

External Auditors
External auditors provide management and the board of directors a unique, independent, and objective view that
can contribute to an entity’s achievement of its external financial reporting objectives, as well as other objectives.

In a financial statement audit, the auditor expresses an opinion on the fairness of the financial statements in
conformity with generally accepted accounting principles, thereby contributing to the entity’s external financial
reporting objectives. The auditor conducting a financial statement audit may contribute further to those
objectives, by providing information useful to management in carrying out its risk management-related
responsibilities. Such information includes:

• Audit findings, analytical information, and recommendations for actions necessary to achieve established objectives
• Findings regarding deficiencies in risk management and control that come to the auditor’s attention, and recommendations for improvement

This information frequently will relate not only to reporting but to strategic, operations, and compliance activities
as well, and can make important contributions to an entity’s achievement of its objectives in each of these
areas. The information is reported to management and, depending on its significance, to the board of directors
or audit committee.

It is important to recognize that a financial statement audit, by itself, normally does not include a significant focus
on enterprise risk management, and in any event does not result in the auditor forming an opinion on the entity’s
enterprise risk management. Where, however, law or regulation requires the auditor to evaluate a company’s
assertions related to internal control over financial reporting and the supporting basis for those assertions, the
scope of the work directed at those areas will be extensive, and additional information and assurance will be
gained.

Legislators and Regulators

Legislators and regulators affect the enterprise risk management of many entities, either through requirements to
establish risk management mechanisms or internal controls or through examinations of particular entities. Many
of the relevant laws and regulations deal primarily with financial reporting risks and controls. Some, however -
particularly those that apply to government organizations - also can deal with operations and compliance
objectives. Many entities have long been subject to legal requirements for internal control. For example, U.S.
public companies have been required to establish and maintain internal accounting control systems that satisfy
specified objectives. More-recent legislation requires that senior executives of publicly listed companies certify
to the effectiveness of the companies’ internal control over financial reporting, together with auditor attestation.

Several regulatory agencies directly examine entities for which they have oversight responsibility. For example,
federal and state bank examiners conduct examinations of banks and often focus on aspects of the banks’ risk
management and internal control systems. These agencies make recommendations and take enforcement
action.

Therefore, legislators and regulators affect entities’ enterprise risk management in two ways: They establish
rules that provide the impetus for management to ensure that risk management and control systems meet
minimum statutory and regulatory requirements. And, pursuant to examination of a particular entity, they provide
information useful to the entity in applying enterprise risk management, and recommendations and sometimes
directives to management regarding needed improvements.

Parties Interacting with the Entity
Customers, vendors, business partners, and others who conduct business with an entity are an important source
of information used in enterprise risk management activities. Information can be as varied as emerging demand
for new product or service, shipment or billing discrepancies, quality issues, or actions by personnel outside
integrity and ethical boundaries. This input can be extremely important to the entity in achieving its strategic,
operations, reporting, and compliance objectives. The entity must have mechanisms in place to receive such
information and to take appropriate action. Needed action includes not only addressing the particular situation
reported, but also investigating the underlying source of the problem and fixing it.

In addition to customers and vendors, other parties, such as creditors, can provide oversight regarding
achievement of an entity’s objectives. A bank, for example, may request reports on an entity’s compliance with
certain debt covenants. It also may recommend performance indicators or other desired targets or controls.

Outsource Service Providers
Many organizations outsource business functions, delegating their day-to-day management to outside
providers. Administrative, finance, and internal operations sometimes are outsourced, with the objective of
obtaining access to enhanced capabilities and lower cost of services. A financial institution may outsource its
loan review process to a third party; a technology company may outsource the operation and maintenance of its
information technology processing; and a retail company may outsource its internal audit function. While these
external parties execute activities for or on behalf of the entity, management cannot abdicate its responsibility to
manage the associated risks and should implement a program to monitor those activities.

Financial Analysts, Bond Rating Agencies, News Media
Financial analysts and bond rating agencies consider many factors relevant to an entity’s worthiness as an
investment. They analyze management’s strategy and objectives, historical financial statements and
prospective financial information, actions taken in response to conditions in the economy and marketplace,
potential for success in the short and long term, and industry performance and peer group comparisons. The
print and broadcast media, particularly financial journalists, also may undertake similar analyses.

The investigative and monitoring activities of these parties can provide insights on how others perceive the
entity’s performance, industry and economic risks the entity faces, innovative operating or financing strategies
that may improve performance, and industry trends. This information sometimes is provided in face-to-face
meetings between the parties and management, or indirectly in analyses for investors, potential investors, and
the public. In either case, management should consider the observations and insights of financial analysts, bond
rating agencies, and the news media that may enhance enterprise risk management.

11. Limitations Of Enterprise Risk Management

Chapter Summary: Effective enterprise risk management, no matter how well designed and operated, provides
only reasonable assurance to management and the board of directors regarding achievement of an entity’s
objectives. Achievement of objectives is affected by limitations inherent in all management processes. These
include the realities that human judgment in decision making can be faulty and that breakdowns can occur
because of such human failures as simple error or mistake. Additionally, controls can be circumvented by the
collusion of two or more people, and management has the ability to override the enterprise risk management
process, including risk response decisions and control activities. Another limiting factor is the need to consider
the relative costs and benefits of risk responses.

To some observers, enterprise risk management, with embedded internal control, ensures that an entity will not
fail – that is, the entity will always achieve its objectives. This view is misguided.

In considering limitations of enterprise risk management, three distinct concepts must be recognized:

 First, risk relates to the future, which is inherently uncertain.
 Second, enterprise risk management – even effective enterprise risk management – operates at different levels
with respect to different objectives. For strategic and operations objectives, enterprise risk management can
help ensure that management, and the board in its oversight role, is aware, in a timely manner, only of the
extent to which the entity is moving toward achievement of these objectives. But it cannot provide even
reasonable assurance that the objectives themselves will be achieved.
 Third, enterprise risk management cannot provide absolute assurance with respect to any of the objective
categories.

The first limitation acknowledges that no one can predict the future with certainty. The second acknowledges
that certain events are simply outside management’s control. The third has to do with the reality that no process
will always do what it is intended to do.

Reasonable assurance does not imply that enterprise risk management frequently will fail. Many factors,
individually and collectively, reinforce the concept of reasonable assurance. The cumulative effect of risk
responses that satisfy multiple objectives and the multipurpose nature of internal controls reduce the risk that an
entity may not achieve its objectives. Furthermore, the normal everyday operating activities and responsibilities
of people functioning at various levels of an organization are directed at achieving the entity’s objectives.
Indeed, among a cross-section of well-controlled entities, it is likely that most will be apprised regularly of
movement toward their strategic and operations objectives, will achieve compliance objectives regularly, and
consistently will produce – period after period, year after year – reliable reports. However, an uncontrollable
event, a mistake, or an improper reporting incident can occur. In other words, even effective enterprise risk
management can experience a failure. Reasonable assurance is not absolute assurance.

Judgment
The effectiveness of enterprise risk management is limited by the realities of human frailty in making business
decisions. Decisions must be made with human judgment in the time available, based on information at hand,
and under the pressures of the conduct of business. With the clairvoyance of hindsight, some decisions later
may be found to produce less than desirable results and may need to be changed.

Breakdowns
Well-designed enterprise risk management can break down. Personnel may misunderstand instructions. They
may make judgment mistakes. Or, they may commit errors due to carelessness, distraction, or fatigue. An
accounting department supervisor responsible for investigating exceptions simply might forget to follow up or fail
to pursue the investigation far enough to be able to make appropriate corrections. Temporary personnel
executing control duties for vacationing or sick employees might not perform correctly. System changes may be
implemented before personnel have been trained to react appropriately to signs of incorrect functioning.

Collusion
The collusive activities of two or more individuals can result in enterprise risk management failures. Individuals
acting collectively to perpetrate and conceal an action from detection often can alter financial data or other
management information in a manner that cannot be identified by the enterprise risk management process. For
example, there may be collusion between an employee performing an important control function and a customer,
a supplier, or another employee. On a different level, several layers of sales or divisional management might
collude in circumventing controls so that reported results meet budgets or incentive targets.

Costs versus Benefits
As discussed in the Risk Assessment chapter, there are always resource constraints, and entities must consider
the relative costs and benefits of decisions, including those related to risk response and control activities.

In determining whether a particular action should be taken or control established, the risk of failure and the
potential effect on the entity are considered along with the related costs. For example, it may not pay for a
company to install sophisticated inventory controls to monitor levels of raw material if the cost of the raw material
used in a production process is low, the material is not perishable, ready supply sources exist, and storage
space is readily available.

Costs and benefits of implementing event identification and risk assessment capabilities and related response
and control activities are measured with different levels of precision, often varying depending on the nature of
the entity. The challenge is to find the right balance. Just as limited resources should not be allocated to less
than significant risks, excessive control is costly and counterproductive. Customers placing telephone orders will
not tolerate order acceptance procedures that are too cumbersome or time-consuming. A bank that makes
creditworthy potential borrowers “jump through hoops” will not book many new loans. Too little control, on the
other hand, presents undue risk of bad debts. An appropriate balance is needed in a highly competitive
environment. And, despite the difficulties, cost-benefit decisions will continue to be made.

Management Override
Enterprise risk management can be only as effective as the people who are responsible for its functioning. Even
in effectively managed and controlled entities - those with generally high levels of integrity and risk and control
consciousness, alternative communications channels, and an active and informed board with an appropriate
governance process - a manager still might be able to override enterprise risk management. No management or
control system is infallible, and those with criminal intent will seek to break systems. However, effective
enterprise risk management will improve the entity’s capacity to prevent and detect override activities.

The term “management override” is used here to mean overruling prescribed policies or procedures for
illegitimate purposes - such as personal gain or an enhanced presentation of an entity’s financial condition or
compliance status. A manager of a division or unit, or a member of top management, might override enterprise
risk management for many reasons: to increase reported revenue to cover an unanticipated decrease in market
share; to enhance reported earnings to meet unrealistic budgets; to boost the market value of the entity prior to a
public offering or sale; to meet sales or earnings projections to bolster bonus pay-outs tied to performance or
value of stock options; to appear to cover violations of debt covenant agreements; or to hide lack of compliance
with legal requirements. Override practices include deliberate misrepresentations to bankers, lawyers, auditors,
and vendors, and intentionally issuing false documents such as purchase orders and sales invoices.

Management override should not be confused with management intervention, which represents management’s
actions to depart from prescribed policies or procedures for legitimate purposes. Management intervention is
necessary to deal with non-recurring and non-standard transactions or events that otherwise might be handled
inappropriately. Provision for management intervention is necessary because no process can be designed to
anticipate every risk and every condition. Management’s actions to intervene are generally overt and commonly
documented or otherwise disclosed to appropriate personnel. Actions to override usually are not documented or
disclosed, with an intent to cover up the actions.

12. What To Do

Actions that might be taken as a result of this report depend on the position and role of the parties involved.

 Board Members – Members of the board of directors should discuss with senior management the state of the
entity’s enterprise risk management and provide oversight as needed. The board also should ensure that the
entity’s enterprise risk management mechanisms provide it with an assessment of the most significant risks
relative to strategy and objectives, including what actions management is taking and how it is engaged in
monitoring enterprise risk management. The board should seek input from the internal auditors, external
auditors, and advisors.
 Senior Management – This study suggests that the chief executive should assess the entity’s enterprise risk
management capabilities. Using this framework, a CEO, together with key operating and financial executives,
can focus attention where needed. Under one approach, the chief executive brings together business unit
heads and key functional staff to discuss an initial assessment of enterprise risk management capabilities and
effectiveness. Whatever its form, an initial assessment should determine whether there is a need for, and how
to proceed with, a broader, more in-depth evaluation. It also should ensure that ongoing monitoring processes
are in place. Time spent in evaluating enterprise risk management represents an investment, but one capable
of providing a high return.
 Other Entity Personnel – Managers and other personnel should consider how their enterprise risk management
responsibilities are being conducted in light of this framework and discuss with more senior personnel ideas for
strengthening enterprise risk management. Internal auditors should consider the breadth of their focus on
enterprise risk management.
 Regulators – Expectations for enterprise risk management vary widely with regard to what it can accomplish, and
about what the “reasonable assurance” concept means and how it should be applied. This framework can
promote a shared view of enterprise risk management, including what it can do and its limitations. Regulators
may refer to this framework in establishing expectations, whether by rule or guidance, or in conducting
examinations, for entities they oversee.
 Professional Organizations – Rule-making and other professional organizations providing guidance on financial
management, auditing, and related topics should consider their standards and guidance in light of this
framework. To the extent diversity in concept and terminology is eliminated, all parties will benefit.
 Educators – This framework should be the subject of academic research and analysis, to see where future
enhancements can be made. With the presumption that this report becomes accepted as a common ground for
understanding, its concepts and terms should find their way into university curricula.

We believe this report offers a number of benefits. With this foundation for mutual understanding, all parties will
be able to speak a common language and communicate more effectively. Business executives will be
positioned to assess enterprise risk management processes against a standard, and strengthen the process and
move their enterprises toward established goals. Future research can be leveraged off an established base.
Legislators and regulators will be able to gain an increased understanding of enterprise risk management, its
benefits, and its limitations. With all parties utilizing a common enterprise risk management framework, these
collective and reinforcing benefits will be realized.

Appendix A. Objectives And Methodology

In Fall 2001, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) initiated a study
designed to help organizations manage risk. Despite an abundance of literature on the subject, COSO
concluded there was a need for this study to design and build a framework and related application techniques.
PricewaterhouseCoopers was engaged to conduct this project, resulting in this report, Enterprise Risk
Management – Integrated Framework.

The Framework volume defines risk and enterprise risk management, and provides foundational definitions,
concepts, objectives categories, components, and principles of a comprehensive enterprise risk management
framework. It provides direction for companies and other organizations in determining how to enhance their
enterprise risk management, providing context for and facilitating application in the real world. This document
also is designed to provide a basis for entities’ use in determining whether their enterprise risk management is
effective and, if not, what is needed to make it so.

The Application Techniques volume links directly to the Framework. It provides illustrations of risk management
techniques that can be applied by companies and other organizations at various levels – enterprise, line of
business, and individual process or function – and in support of incremental or transformational enhancement.

Because of readers’ diverse needs, input was obtained from corporate executives of organizations of varying
sizes, including public and private companies in different industries, and government organizations. The
executives included corporate chief executives, chief financial officers, chief risk officers, controllers, internal
auditors, legislators, regulators, lawyers, external auditors, consultants, academicians, and others.

Throughout the project, the project team received advice and counsel from an Advisory Council to the COSO
Board. The Advisory Council, composed of individuals in senior financial management, internal and external
audit, and academia, met periodically with the project team and members of the COSO Board to review the
project plan, progress, and drafts of the framework, and to take up related matters. At important project
milestones, the Advisory Council and the project team communicated with the COSO Board.

The methodology employed in this study was designed to produce a report meeting the stated objectives. The
project consisted of five phases:

I. Assessment
The project team assessed the current state of risk management models through literature review, survey, and workshops, for the purpose of capturing relevant information across the full spectrum of risk management. This phase encompassed analyzing the information, comparing and contrasting conceptual and practical risk management philosophies and protocols, understanding user needs, and identifying critical issues and concerns.

II. Envisioning
The team created a working enterprise risk management framework conceptual model and developed a preliminary inventory of tools as a basis for the application techniques. Using customized input solicitation techniques, the team tested the concepts with key user and stakeholder groups and, based on feedback, refined the conceptual model.

III. Building and Designing
Using the refined conceptual model as a blueprint, the team developed the framework, including definitions, objectives categories, components, principles, infrastructure, and management context, along with related discussion. This phase also encompassed designing the organization and approach to developing the application techniques. Both the draft framework and application techniques design were reviewed with key user and stakeholder groups, and reactions and suggestions for enhancement obtained.

IV. Preparation for Public Exposure
In this phase the team refined the framework and further developed the application techniques, and reviewed them with executives from several companies who provided feedback on their value and utility.

V. Finalization
This phase encompassed issuing the Framework volume for public exposure for a 90-day comment period and field testing the framework with select companies. Upon receipt of comments, the project team reviewed and analyzed them, and identified needed modifications. The team finalized the Framework and Application Techniques volumes and provided the final manuscripts to the COSO Advisory Council and COSO Board for review and acceptance.

As part of this process, the project team gave careful consideration to all information received, including other
frameworks already in existence. A listing of some of the published sources referenced is included in Appendix
D – Selected Bibliography. As one might expect, many different and sometimes contradictory opinions were
expressed on fundamental issues – within a project phase and between phases. The project team, with COSO
Advisory Council and Board oversight, carefully considered the merits of the positions put forth, both individually
and in the context of related issues, embracing those that facilitated development of a relevant, logical, and
internally consistent framework. The Advisory Council and COSO Board are entirely supportive of, and have
approved, the framework resulting from this process.

Appendix B. Summary Of Key Principles

The following highlights key principles inherent in the eight enterprise risk management components. This
appendix purports neither to precisely or fully describe the principles set forth in the Framework, nor to represent
a complete list of principles.

Internal Environment
Risk Management Philosophy
The entity’s risk management philosophy represents the shared beliefs and attitudes characterizing how the
entity considers risk in all activities

 It reflects the entity’s values, influencing its culture and operating style
 It affects how enterprise risk management components are applied, including how events are identified, the
kinds of risks accepted, and how they are managed
 It is well developed, understood, and embraced by the entity’s personnel
 It is captured in policy statements, oral and written communications, and decision making
 Management reinforces the philosophy not only with words but also with everyday actions

Risk Appetite
 The entity’s risk appetite reflects the entity’s risk management philosophy and influences the culture and
operating style
 It is considered in strategy setting, with strategy aligned with risk appetite

Board of Directors
 The board is active and possesses an appropriate degree of management, technical, and other expertise,
coupled with the mind-set necessary to perform its oversight responsibilities
 It is prepared to question and scrutinize management’s activities, present alternative views, and act in the face
of wrongdoing
 It has at least a majority of independent outside directors
 It provides oversight to enterprise risk management and is aware of and concurs with the entity’s risk appetite
Integrity and Ethical Values
 The entity’s standards of behavior reflect integrity and ethical values
 Ethical values not only are communicated but also accompanied by explicit guidance regarding what is right and
wrong
 Integrity and ethical values are communicated through a formal code of conduct
 Upward communications channels exist where employees feel comfortable bringing relevant information
 Penalties are applied to employees who violate the code, mechanisms encourage employee reporting of
suspected violations, and disciplinary actions are taken against employees who knowingly fail to report
violations
 Integrity and ethical values are communicated through management actions and the examples they set

Commitment to Competence
 Competence of the entity’s people reflects the knowledge and skills needed to perform assigned tasks
 Management aligns competence and cost

Organizational Structure
 The organizational structure defines key areas of responsibility and accountability
 It establishes lines of reporting
 It is developed in consideration of the entity’s size and nature of activities
 It enables effective enterprise risk management

Assignment of Authority and Responsibility
 Assignment of authority and responsibility establishes the degree to which individuals and teams are authorized
and encouraged to use initiative to address issues and solve problems, and provides limits to authority
 The assignments establish reporting relationships and authorization protocols
 Policies describe appropriate business practices, knowledge and experience of key personnel, and associated
resources
 Individuals know how their actions interrelate and contribute to achievement of objectives

Human Resource Standards
 Standards address hiring, orientation, training, evaluating, counseling, promoting, compensation, and remedial
actions, driving expected levels of integrity, ethical behavior, and competence
 Disciplinary actions send the message that violations of expected behavior will not be tolerated

Objective Setting
Strategic Objectives
 The entity’s strategic objectives establish high-level goals that align with and support its mission/vision
 They reflect management’s strategic choices as to how the entity will seek to create value for its stakeholders
 Management identifies risks associated with strategy choices and considers their implications

Related Objectives
 Related objectives support and are aligned with selected strategy, relative to all entity activities
 Each level of objectives is linked to more specific objectives that cascade through the organization
 The objectives are readily understood and measurable
 They align with risk appetite

Selected Objectives
 Management has a process that aligns strategic objectives with the entity’s mission and ensures the strategic
and related objectives are consistent with the entity’s risk appetite

Risk Appetite
 The entity’s risk appetite is a guidepost in strategy setting
 It guides resource allocation
 It aligns organization, people, processes, and infrastructure

Risk Tolerances
 Risk tolerances are measurable, preferably in the same units as the related objectives
 They align with risk appetite

Event Identification
Events
 Management identifies potential events affecting strategy implementation or achievement of objectives – those
that may have positive or negative impacts, or both
 Even events with a relatively low possibility of occurrence are considered if the impact on achieving an important
objective is great

Influencing Factors
 Management recognizes the importance of understanding external and internal factors and the type of events
that can emanate therefrom
 Events are identified both at the entity and activity levels

Event Identification Techniques
 Techniques used look to both the past and future
 Management selects techniques that fit its risk management philosophy and ensures the entity develops needed
event identification capabilities
 Event identification is robust, forming a basis for risk assessment and risk response components

Interdependencies
 Management understands how events relate to one another

Distinguishing Risks and Opportunities
 Events with negative impact represent risks, which management assesses and responds to
 Events representing opportunities are channeled back to management’s strategy or objective-setting processes

Risk Assessment
 In assessing risk, management considers expected and unexpected events

Inherent and Residual Risk
 Management assesses inherent risks
 Once risk responses have been developed, management considers residual risk

Estimating Likelihood and Impact
 Potential events are evaluated from two perspectives – likelihood and impact
 In assessing impact, management normally uses the same, or congruent, unit of measure as used for the
objective
 The time horizon used to assess risks should be consistent with the time horizon of the related strategy and
objectives

Assessment Techniques
 Management uses a combination of qualitative and quantitative techniques
 The techniques support development of a composite assessment of risk

Relationships between Events
 Where correlation exists between events, or events combine and interact, management assesses them together

Risk Response
 In responding to risk, management considers among risk avoidance, reduction, sharing, and acceptance

Evaluating Possible Responses
 Responses are evaluated with the intent of achieving residual risk aligned with the entity’s risk tolerances
 In evaluating risk responses, management considers their effects on likelihood and impact
 Management considers their costs versus benefits, as well as new opportunities

Selected Responses
 Responses chosen by management are designed to bring anticipated risk likelihood and impact within risk
tolerances
 Management considers additional risks that might result from a response

Portfolio View
 Management considers risk from an entity-wide, or portfolio, perspective
 Management determines whether the entity’s residual risk profile is commensurate with its overall risk appetite

Control Activities
Integration with Risk Response
• Management identifies control activities needed to help ensure that risk responses are carried out properly and in a timely manner
• Selection or review of control activities includes consideration of their relevance and appropriateness to the risk response and related objective
• In selecting control activities, management considers how control activities interrelate

Types of Control Activities
• Management selects from a variety of types of control activities, including preventive, detective, manual, computer, and management controls

Policies and Procedures
• Policies are implemented thoughtfully, conscientiously, and consistently
• Procedures are carried out with sharp, continuing focus on conditions to which the policy is directed
• Conditions identified as a result of the procedure are investigated and appropriate corrective actions taken

Controls over Information Systems
• Appropriate general and application controls are implemented

Information and Communication

Information
• Relevant information is obtained from internal and external sources
• The entity captures and uses historical and present data as needed to support effective enterprise risk management
• The information infrastructure converts raw data into relevant information that assists personnel in carrying out their enterprise risk management and other responsibilities; information is provided at a depth and in a form and timeframe that are actionable, readily usable, and linked to defined accountabilities – including the need to identify, assess, and respond to risk
• Source data and information are reliable, and provided on time at the right place to enable effective decision making
• Timeliness of information flow is consistent with the rate of change in the entity’s internal and external environments
• Information systems change as needed to support new objectives

Communication
• Management provides specific and directed communication addressing behavioral expectations and responsibilities of personnel, including a clear statement of the entity’s risk management philosophy and approach and clear delegation of authority
• Communication about processes and procedures aligns with, and underpins, the desired culture
• All personnel receive a clear message from top management that enterprise risk management must be taken seriously
• Personnel know how their activities relate to the work of others, enabling them to recognize problems, determine cause, and take corrective action
• Personnel know what is deemed acceptable and unacceptable behavior
• There are open channels of communication and a willingness to listen, and personnel believe their superiors truly want to know about problems and will deal with them effectively
• Communications channels outside normal reporting lines exist, and personnel understand there will be no reprisals for reporting relevant information
• An open communications channel exists between top management and the board of directors, with appropriate information communicated on a timely basis
• Open external communications channels exist, where customers and suppliers can provide significant input
• The entity communicates relevant information to regulators, financial analysts, and other external parties

Monitoring
• Management determines, through ongoing monitoring activities or separate evaluations, or a combination, whether the functioning of enterprise risk management continues to be effective

Ongoing Monitoring Activities
• Monitoring activities are built into the entity’s normal, recurring operations, performed in the ordinary course of running the business
• They are performed on a real-time basis and react dynamically to changing conditions

Separate Evaluations
• Separate evaluations focus directly on enterprise risk management effectiveness and provide an opportunity to consider the continued effectiveness of the ongoing monitoring activities
• The evaluator understands each of the entity activities and each enterprise risk management component being addressed
• The evaluator analyzes enterprise risk management design and the results of tests performed, against the backdrop of management’s established standards, determining whether enterprise risk management provides reasonable assurance with respect to the stated objectives

Reporting Deficiencies
• Deficiencies reported from both internal and external sources are carefully considered for their implications for enterprise risk management, and appropriate corrective actions are taken
• All identified deficiencies that affect the entity’s ability to develop and implement its strategy and to achieve its established objectives are reported to those positioned to take necessary action
• Not only are reported transactions or events investigated and corrected, but potentially faulty underlying procedures also are reevaluated
• Protocols are established to identify what information is needed at a particular level for effective decision making

Roles and Responsibilities

Board of Directors
• The board knows the extent to which management has established effective risk management in the organization
• It is aware of and concurs with the entity's risk appetite
• It reviews the portfolio view of risk and considers it against the risk appetite
• It is apprised of the most significant risks and whether management is responding appropriately

Management
• The chief executive has ultimate responsibility for enterprise risk management
• He/she ensures the presence of a positive internal environment, and that all enterprise risk management components are in place
• Senior managers in charge of organizational units have responsibility for managing risks related to their unit's objectives
• They guide application of enterprise risk management, ensuring application is consistent with risk tolerances
• Each manager is accountable to the next higher level, for his/her portion of enterprise risk management, with the CEO ultimately accountable to the board

Other Entity Personnel
• Enterprise risk management is an explicit or implicit part of everyone's job description
• Personnel understand the need to resist pressure from superiors to participate in improper activities, and channels outside normal reporting lines are available to permit reporting such circumstances
• The enterprise risk management roles and responsibilities of all personnel are well defined and effectively communicated

Parties Interacting with the Entity
• Mechanisms are in place to receive relevant information from parties interacting with the entity and take appropriate action
• Action includes not only addressing the particular situation reported, but also investigating the underlying source of the problem and fixing it
• For outsourced activities, management has implemented a program to monitor those activities
• Management considers the observations and insights of financial analysts, bond rating agencies and the news media that may enhance enterprise risk management

Appendix C. Relationship Between Enterprise Risk Management – Integrated Framework And Internal Control – Integrated Framework

In 1992, the Committee of Sponsoring Organizations of the Treadway Commission issued Internal Control – Integrated Framework, which establishes a framework for internal control and provides evaluation tools that business and other entities can use to evaluate their control systems. The framework identifies and describes five interrelated components necessary for effective internal control.

Internal Control – Integrated Framework defines internal control as a process, effected by an entity’s board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:

• Effectiveness and efficiency of operations
• Reliability of financial reporting
• Compliance with applicable laws and regulations

This appendix outlines the relationship between the internal control framework and the enterprise risk management framework.

Broader than Internal Control
Internal control is encompassed within and an integral part of enterprise risk management. Enterprise risk management is broader than internal control, expanding and elaborating on internal control to form a more robust conceptualization focusing more fully on risk. Internal Control – Integrated Framework remains in place for entities and others looking at internal control by itself.

Categories of Objectives
Internal Control – Integrated Framework specifies three categories of objectives – operations, financial reporting, and compliance. Enterprise risk management specifies three similar objectives categories – operations, reporting, and compliance. The reporting category in the internal control framework is defined as relating to the reliability of published financial statements. In the enterprise risk management framework, the reporting category is significantly expanded, to cover all reports developed by an entity, disseminated both internally and externally. These include reports used internally by management and those issued to external parties, including regulatory filings and reports to other stakeholders. And, the scope expands from financial statements to cover not just financial information more broadly, but non-financial information as well.

Enterprise Risk Management – Integrated Framework adds another category of objectives, namely, strategic objectives, which operate at a higher level than the others. Strategic objectives flow from an entity’s mission or vision, and the operations, reporting, and compliance objectives should be aligned with them. Enterprise risk management is applied in strategy setting, as well as in working toward achievement of objectives in the other three categories.

The enterprise risk management framework introduces the concepts of risk appetite and risk tolerance. Risk appetite is the broad-based amount of risk an entity is willing to accept in pursuit of its mission/vision. It serves as a guidepost in strategy setting and selection of related objectives. Risk tolerances are the acceptable levels of variation relative to achievement of objectives. In setting risk tolerances, management considers the relative importance of the related objectives and aligns risk tolerances with risk appetite. Operating within risk tolerances provides management greater assurance that the entity remains within its risk appetite, which, in turn, provides a higher degree of comfort that the entity will achieve its objectives.

Portfolio View
A concept not contemplated in the internal control framework is a portfolio view of risk. In addition to focusing on risk in considering achievement of entity objectives on an individual basis, it is necessary to consider composite risks from a “portfolio” perspective.

Components
With the enhanced focus on risk, the enterprise risk management framework expands the internal control framework’s risk assessment component, creating four components – objective setting (which is a prerequisite to internal control), event identification, risk assessment, and risk response.

Internal Environment
In discussing the environment component, the enterprise risk management framework discusses an entity’s risk management philosophy, which is the set of shared beliefs and attitudes characterizing how an entity considers risks, reflecting its values and influencing its culture and operating style. As described above, the framework encompasses the concept of an entity’s risk appetite, which is supported by more specific risk tolerances.

Because of the critical importance of the board of directors and its composition, the enterprise risk management framework expands on the internal control framework’s call for at least a critical mass of independent directors – that is, normally at least two independent directors – stating that for enterprise risk management to be effective, the board must have at least a majority of independent outside directors.

Event Identification
The enterprise risk management and internal control frameworks both acknowledge that risks occur at every level of the entity and result from a variety of internal and external factors. And, both frameworks consider risk identification in the context of the potential impact on the achievement of objectives.

The enterprise risk management framework discusses the concept of potential events, defining an event as an incident or occurrence emanating from internal or external sources that affect strategy implementation or achievement of objectives. Potential events with positive impact represent opportunities, while those with negative impact represent risks. Enterprise risk management involves identifying potential events using a combination of techniques that consider both past as well as emerging trends, and what triggers the events.

Risk Assessment
While both the internal control and enterprise risk management frameworks call for assessment of risk in terms of the likelihood that a given risk will occur and its potential impact, the enterprise risk management framework suggests viewing risk assessment through a sharper lens. Risks are considered on an inherent and a residual basis, preferably expressed in the same unit of measure established for the objectives to which the risks relate. Time horizons should be consistent with an entity’s strategies and objectives, and, where possible, observable data. The enterprise risk management framework also calls attention to interrelated risks, describing how a single event may create multiple risks.

As noted, enterprise risk management encompasses the need for management to develop an entity-level portfolio view. With managers responsible for business unit, function, process, or other activities having developed a composite assessment of risk for individual units, entity-level management considers risk from a “portfolio” perspective.

Risk Response
The enterprise risk management framework identifies four categories of risk response – avoid, reduce, share, and accept. As part of enterprise risk management, management considers potential responses from these categories and considers these responses with the intent of achieving a residual risk level aligned with the entity’s risk tolerances. Having considered responses to risk on an individual or a group basis, management considers the aggregate effect of its risk responses across the entity.

Control Activities
Both frameworks present control activities as helping ensure that management’s risk responses are carried out. The enterprise risk management framework explicitly makes the point that in some instances control activities themselves serve as a risk response.

Information and Communication
The enterprise risk management framework expands on the information and communication component of internal control, highlighting consideration of data derived from past, present, and potential future events. Historical data allows the entity to track actual performance against targets, plans, and expectations, and provides insights into how the entity performed in past periods under varying conditions. Present or current-state data provides important additional information, and data on potential future events and underlying factors completes the information analysis. The information infrastructure sources and captures data in a timeframe and at a depth of detail consistent with the entity’s need to identify events and assess and respond to risks and remain within its risk appetite.

The discussion around existence of an alternative communications channel, outside normal reporting lines, in the internal control framework has greater emphasis in the enterprise risk management framework, which states that effective risk management requires such a channel.

Roles and Responsibilities
Both frameworks focus attention on the roles and responsibilities of various parties that are a part of, or provide important information to, internal control and enterprise risk management. The enterprise risk management framework describes the role and responsibilities of risk officers and expands on the role of an entity’s board of directors.

Appendix D. Selected Bibliography

American Institute of Certified Public Accountants and The Canadian Institute of Chartered Accountants. Managing Risk in the New Economy. New York. AICPA. 2000.

Banham, Russ. A High Level of Intolerance. CFO, The Magazine for Senior Financial Executives. April 2000.

Barton, Thomas L., William G. Shenkir, and Paul L. Walker. Making Enterprise Risk Management Pay Off: How Leading Companies Implement Risk Management. Financial Executive. 2001.

Bazerman, Max H. Judgment in Managerial Decision Making. New York. John Wiley & Sons. 2001.

Committee of Sponsoring Organizations of the Treadway Commission (COSO). Internal Control – Integrated Framework. New York. AICPA. 1992.

Crouhy, Michael, Dan Galai, and Robert Mark. Risk Management. New York. McGraw-Hill. 2001.

Davidson, Clive. Lofty Ambitions for Measuring Global Risk. Securities Industry News. June 5, 2000.

DeLoach, James W. Enterprise-Wide Risk Management: Strategies for Linking Risk and Opportunity. London. Financial Times Prentice Hall. 2000.

DiPiazza, Samuel A., Jr. and Robert G. Eccles. Building Public Trust: The Future of Corporate Reporting. New York. John Wiley & Sons. 2002.

Everson, Miles. Creating an Operational Risk-Sensitive Culture. The RMA Journal. March 1, 2002.

Economist Intelligence Unit in cooperation with Arthur Andersen & Co. Managing Business Risk – An Integrated Approach. The Economist Intelligence Unit. 1995.

Economist Intelligence Unit in cooperation with MCC Enterprise Risk. Enterprise Risk Management – Implementing New Solutions. The Economist Intelligence Unit. 2001.

FEI Research Foundation in cooperation with Andersen. Risk Management: An Enterprise Perspective. Financial Executive. 2002.

Haubenstock, Michael and John Gontero. Operational Risk Management: The Next Frontier. New York. RMA. 2001.

Institute of Chartered Accountants in England and Wales. Internal Control Guidance for Directors on the Combined Code. London. ICAEW. 1999.

Institute of Directors in Southern Africa. King Report on Corporate Governance for South Africa 2001. The Institute of Directors in Southern Africa. 2001.

International Organization for Standardization. ISO/IEC Guide 73. 2002.

Lam, James. The CRO Is Here to Stay. Risk Management. April 2001.

National Commission on Fraudulent Financial Reporting. Report of the National Commission on Fraudulent Financial Reporting. 1987.

Nottingham, Lucy. A Conceptual Framework for Integrated Risk Management. Ottawa. Conference Board of Canada. 1997.

Risk Management Group of the Basel Committee on Banking Supervision. Sound Practices for the Management and Supervision of Operational Risk. 2001.

Root, Stephen J. Beyond COSO Internal Control to Enhance Corporate Governance. New York. John Wiley & Sons. 1998.

Standards Australia and Standards New Zealand. Australian/New Zealand Standard 4360:1999: Risk Management. Standards Australia and Standards New Zealand. 1999.

Steinberg, Richard M. The CEO and the Board: Enhancing the Relationship. G100 Insights. April 2003.

Steinberg, Richard M. and Catherine L. Bromilow. Corporate Governance and the Board – What Works Best. The Institute of Internal Auditors Research Foundation. 2001.

The Institute of Risk Management (IRM), The Association of Insurance and Risk Managers (AIRMIC), and ALARM The National Forum for Risk Management in the Public Sector. A Risk Management Standard. AIRMIC, ALARM, and IRM. 2002.

Thiessen, Karen. A Composite Sketch of Chief Risk Officer. Ottawa. Conference Board of Canada. 2001.

Thiessen, Karen. Don’t Gamble with Goodwill – The Value of Effectively Communicating Risks. Ottawa. Conference Board of Canada. 2000.

Tillinghast–Towers Perrin. Enterprise Risk Management: Trends and Emerging Practices. New York. Tillinghast–Towers Perrin. 2001.

Walker, Paul L., William G. Shenkir, and Thomas L. Barton. Enterprise Risk Management: Pulling It All Together. The Institute of Internal Auditors Research Foundation. 2002.

Appendix E. Consideration Of Comment Letters

As noted in Appendix A, a draft of this Framework document was exposed for public comment. The 78 response letters received contain hundreds of individual comments on a wide variety of matters. Each comment was considered in formulating revisions to the final document. This appendix summarizes the more significant issues and resulting modifications reflected in this final report. It also provides perspective on why certain views were accepted over others.

Definition of Enterprise Risk Management
Realizing Value for Stakeholders
The exposure draft described how enterprise risk management enables an organization to realize value for its stakeholders, although the concept of value was not explicitly reflected in the definition of enterprise risk management. Some respondents suggested the definition should make such explicit reference.

It was concluded that the definition as presented should be retained. The definition explicitly states that enterprise risk management involves providing assurance regarding achievement of entity objectives, which inherently provides value. Further, the text surrounding the definition describes how enterprise risk management provides value for stakeholders. Because of this existing linkage to and description around value, and to avoid an unreasonably long definition (as suggested by other respondents), the definition has been retained.

Opportunities
The exposure draft described how enterprise risk management involves identifying and addressing potential events that have negative impact on an entity, called risks, and events with positive impact, referred to as opportunities. Some respondents said because of the importance of identifying opportunities, the definition of risk should be broadened to include that concept. Some argued that not including opportunities in the definition of risk can lead a reader not to see opportunities as part of enterprise risk management, thereby undermining the framework’s relevance. On the other hand, some respondents suggested that all reference to opportunities be eliminated from the final report.

It was concluded that because of the importance of identifying and seizing opportunities, the framework’s discussion of opportunities should be retained and enhanced, and the final report expands the discussion on identifying and reacting to opportunities as an integral part of enterprise risk management. Discussions in the component chapters of the final report further describe the process by which management considers both the negative and positive – or opportunity side – effects of potential events in managing risk. As to the definition of risk, it was concluded that adding the concept of opportunity would cloud the concepts and make communication more difficult. Maintaining the distinction between a negative event and a positive one brings clarity to the enterprise risk management language.

A Process
The exposure draft defined enterprise risk management as a process and set forth components that can be viewed as elements of a process. Some respondents said the term “process” inappropriately implies carrying out predefined, sequential steps or tasks.

The report has been revised to reinforce the concept that enterprise risk management is not necessarily conducted sequentially, but rather is a continuous and iterative interplay of actions conducted throughout an entity.

Applied in Strategy Setting
The exposure draft described how objectives must be set and clearly communicated before risks to their achievement can be identified and addressed. It also stated that enterprise risk management techniques are applied in strategy setting to assist management in evaluating and selecting the entity’s strategy, and linking to related objectives. Some respondents commented that risk management is secondary to management’s development of entity strategy, and that the framework places undue focus on risk rather than objective setting.

It was concluded that it is not necessary, or useful, to portray one concept, strategy setting, as necessarily more important than another, managing risk. Both are important and inherent in enterprise risk management. The final document does, however, contain enhanced discussion of the strategy and objective-setting process in effecting enterprise risk management.

Risk Appetite and Tolerance
The exposure draft discussed the concepts of risk appetite and risk tolerance. Some respondents suggested that additional information should be provided, including guidance on how to express and measure risk appetite. Others stated there is little difference in these two concepts and that they should be combined.

The final report retains the distinction between risk appetite and risk tolerance, where risk appetite pertains at a high level to the entity as a whole, while risk tolerance relates to specific objectives. The Application Techniques volume illustrates application of these concepts.

Provides Reasonable Assurance
Some respondents suggested the concept of reasonable assurance should be more precisely defined.

It was concluded that the discussion surrounding the term “reasonable assurance” is appropriate, and further precision in its definition is beyond the scope of this project.

Categories of Objectives
Some respondents said that setting forth categories of entity objectives is not helpful and unnecessarily complicates the framework.

The final document retains the categories of entity objectives, on the basis that the categorization allows a focus on separate aspects of enterprise risk management, facilitates distinguishing between what can be expected from each category of objectives, and supports use of a common language for enterprise risk management.

Achievement of Objectives
Some respondents questioned why reasonable assurance applies only to the extent to which strategic and operations objectives are being achieved, rather than to their actual achievement.

It was concluded that the distinction between what can be expected of enterprise risk management regarding achievement of strategic and operations objectives, relative to reporting and compliance objectives, continues to be appropriate for the reasons set forth in the document, centered on whether achievement is within or outside an entity’s control.

Effectiveness
Several respondents stated that enterprise risk management effectiveness should be defined relative to results attained, measured in terms of outcomes the process is intended to achieve, rather than as a subjective judgment of whether the eight components are present and functioning properly.

The criteria for effectiveness – the presence and effective functioning of each component – remain in the final document. It was concluded that the principle developed in the internal control framework, and carried forward to the enterprise risk management framework, is logical and best serves users’ needs – that when the eight components are deemed present and functioning effectively (and no material weaknesses exist), the result or outcome is that management and the board gain reasonable assurance regarding achievement of the stated objectives. The final document retains that principle, and also highlights that bringing risk within the entity’s risk appetite is a necessary element of effective enterprise risk management. The concept of a subjective judgment as to the presence and functioning of the eight components has been removed, on the grounds that the judgment can be objective, based on the principles in this framework.

Encompasses Internal Control
The exposure draft contained some but not all of the text of Internal Control – Integrated Framework, stating that the entirety of the internal control document was incorporated by reference in the enterprise risk management framework. The exposure draft included an appendix comparing and contrasting the two frameworks.

Some respondents suggested that the final report should identify more prominently those portions carried forward from Internal Control – Integrated Framework. Some recommended that the entirety of Internal Control – Integrated Framework be included as an attachment, with a detailed reconciliation of differences between the two documents, while others suggested that the document describe in detail in what way Internal Control – Integrated Framework is expanded on in the enterprise risk management framework. And some respondents suggested that the document highlight and clarify the intended audience and purpose of each framework.

It was concluded that the description of differences between the frameworks is at the appropriate level. Appendix C highlights the key differences and identifies which concepts in the enterprise risk management framework are incorporated directly from Internal Control – Integrated Framework, which concepts taken from the internal control framework are expanded on, and which are new. It was deemed unnecessary to include the internal control framework as an attachment, as it is readily available to users. And, the purpose and intended audiences of each of the frameworks already are described in sufficient depth.

Enterprise Risk Management and the Management Process
Some respondents suggested that the exhibit comparing management activities with enterprise risk management activities provided little useful information and could cause confusion to readers. Some said setting forth management activities as distinct from enterprise risk management activities could reduce – rather than reinforce – the notion of embedding risk management within business and management activities.

The exhibit in the exposure draft has not been carried forward to the final report; instead, relevant messages are presented in the text.

Information and Communication


Some respondents commented on the importance of a communications channel outside normal reporting lines,
suggesting that such a channel is a necessary element of enterprise risk management.

The final report reflects this view, stating that for enterprise risk management to be effective, an entity is required
to maintain such a communications channel.

Roles and Responsibilities


Some respondents suggested that there is need for greater clarity regarding the different accountabilities for
enterprise risk management of the board of directors, management, other entity personnel, and external parties.

The final report expands the discussion and clarifies the respective roles and responsibilities of these parties.

Other Considerations
Form and Presentation
Some respondents commented on the length, format, and style of the exposure draft, and expressed a variety of
views on how the report could be reorganized and streamlined.

It was concluded that the report should be reorganized and streamlined to enhance readability and clarity and
reduce redundancy. The exposure draft’s “Executive Summary” has been replaced by a shorter summary.
Chapter 1 of the exposure draft, “Relevance of Enterprise Risk Management,” has been eliminated, with the
more important concepts incorporated into the final report’s “Definition” chapter. Redundancies have been
reduced, less important discussions deleted or shortened, and the report wording streamlined.

Relationship between Enterprise Risk Management – Integrated Framework and Other Reports and Legislation
Some respondents said it would be useful to have a discussion of relationships between the enterprise risk
management framework and the Sarbanes-Oxley Act of 2002, the Basel Committee on Banking Supervision’s
New Basel Capital Accord, and risk management legislation in Australia, Canada, Germany, Japan, the United
Kingdom, and other countries. Some respondents recommended that the document state clearly that Internal
Control – Integrated Framework continues to be an acceptable framework for compliance with Section 404 of the
Sarbanes-Oxley Act of 2002 and that issuance of Enterprise Risk Management – Integrated Framework does
not require companies to use it for purposes of Section 404 compliance.

It was concluded that reconciling Enterprise Risk Management – Integrated Framework with other documents is
beyond the scope of this project. With regard to complying with Sarbanes-Oxley Section 404 requirements,
COSO is communicating, via the Foreword to this report, that Internal Control – Integrated Framework remains
in place and is appropriately looked to as a basis for reporting under certain legislative requirements such as the
Sarbanes-Oxley Act of 2002.

Application Guidance
Some respondents recommended inclusion of specified content for the application guidance volume. Some
suggested that one or more comprehensive case studies be included in order to help organizations of various
sizes implement the framework. Others suggested that the Framework document and application guidance
contain cross-reference linkages.

It was concluded that the application guidance volume should contain certain suggested content, including
illustrations of how entities may apply specific concepts described in the Framework document. The final report
contains that information, although it was decided that it is not practicable to identify or develop one case study
illustrating application of all of the framework’s concepts, and doing so is beyond the scope of this project. With
the sharpened focus of the content of this volume, it was decided that a more appropriate title is Application
Techniques, and the name has been revised accordingly. Also, directional linkages from the Application
Techniques to the Framework document have been included.

Appendix F. Glossary

Application Controls – Programmed procedures in application software, and related manual procedures,
designed to help ensure the completeness and accuracy of information processing. Examples include
computerized edit checks of input data, numerical sequence checks, and manual procedures to follow up on
items listed in exception reports.

Compliance – Used with “objectives”: having to do with conforming with laws and regulations applicable to an
entity.

Component – There are eight enterprise risk management components: the entity’s internal environment,
objective setting, event identification, risk assessment, risk response, control activities, information and
communication, and monitoring.

Control – 1. A noun, denoting an item, e.g., existence of a control – a policy or procedure that is part of internal
control. A control can exist within any of the eight components. 2. A noun, denoting a state or condition, e.g., to
effect control – the result of policies and procedures designed to control; this result may or may not be effective
internal control. 3. A verb, e.g., to control – to regulate; to establish or implement a policy that effects control.

Criteria – A set of standards against which enterprise risk management can be measured in determining
effectiveness. The eight enterprise risk management components, taken in the context of inherent limitations of
enterprise risk management, represent criteria for enterprise risk management effectiveness for each of the four
objectives categories.

Deficiency – A condition within enterprise risk management worthy of attention that may represent a perceived,
potential, or real shortcoming, or an opportunity to strengthen enterprise risk management to provide a greater
likelihood that the entity’s objectives will be achieved.

Design – 1. Intent. As used in the definition, enterprise risk management is intended to identify potential events
that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance as to
achievement of objectives. 2. Plan; the way a process is supposed to work, contrasted with how it actually
works.

Effected – Used with enterprise risk management: devised and maintained.

Enterprise Risk Management Process – A synonym for enterprise risk management applied in an entity.

Entity – An organization of any size established for a particular purpose. An entity, for example, may be a
business enterprise, not-for-profit organization, government body, or academic institution. Terms used as
synonyms include organization and enterprise.

Event – An incident or occurrence, from sources internal or external to an entity, that affects achievement of
objectives.

General Controls – Policies and procedures that help ensure the continued, proper operation of computer
information systems. They include controls over information technology management, information technology
infrastructure, security management, and software acquisition, development, and maintenance. General
controls support the functioning of programmed application controls. Other terms sometimes used to describe
general controls are general computer controls and information technology controls.

Impact – Result or effect of an event. There may be a range of possible impacts associated with an event. The
impact of an event can be positive or negative relative to the entity’s related objectives.

Inherent Limitations – Those limitations of enterprise risk management. The limitations relate to the limits of
human judgment; resource constraints, and the need to consider the cost of controls in relation to expected
benefits; the reality that breakdowns can occur; and the possibility of management override and collusion.

Inherent Risk – The risk to an entity in the absence of any actions management might take to alter either the
risk’s likelihood or impact.

Integrity – The quality or state of being of sound moral principle; uprightness, honesty, and sincerity; the desire
to do the right thing, to profess and live up to a set of values and expectations.

Internal Control – A process, effected by an entity’s board of directors, management and other personnel,
designed to provide reasonable assurance regarding the achievement of objectives in the following categories:

• Effectiveness and efficiency of operations
• Reliability of financial reporting
• Compliance with applicable laws and regulations.

Internal Control System – A synonym for internal control applied in an entity.

Likelihood – The possibility that a given event will occur. Terms sometimes take on more specific connotations,
with “likelihood” indicating the possibility that a given event will occur in qualitative terms such as high, medium,
and low, or other judgmental scales, and “probability” indicating a quantitative measure such as a percentage,
frequency of occurrence, or other numerical metric.

Management Intervention – Management’s actions to overrule prescribed policies or procedures for legitimate
purposes; management intervention is usually necessary to deal with non-recurring and non-standard
transactions or events that otherwise might be handled inappropriately by the system (contrast this term with
Management Override).

Management Override – Management’s overruling of prescribed policies or procedures for illegitimate purposes
with the intent of personal gain or an improperly enhanced presentation of an entity’s financial condition or
compliance status (contrast this term with Management Intervention).

Management Process – The series of actions taken by management to run an entity. Enterprise risk
management is a part of and integrated with the management process.

Manual Controls – Controls performed manually, not by computer.

Objectives Category – One of four categories of entity objectives – strategic, effectiveness and efficiency of
operations, reliability of reporting, and compliance with applicable laws and regulations. The categories overlap,
so that a particular objective might fall into more than one category.

Operations – Used with “objectives”: having to do with the effectiveness and efficiency of an entity’s activities,
including performance and profitability goals, and safeguarding resources against loss.

Opportunity – The possibility that an event will occur and positively affect the achievement of objectives.

Policy – Management’s dictate of what should be done to effect control. A policy serves as the basis for
procedures for its implementation.

Procedure – An action that implements a policy.

Reasonable Assurance – The concept that enterprise risk management, no matter how well designed and
operated, cannot provide a guarantee regarding achievement of an entity’s objectives. This is because of
Inherent Limitations in enterprise risk management.

Reporting – Used with “objectives”: having to do with the reliability of the entity’s reporting, including both
internal and external reporting of financial and non-financial information.

Residual Risk – The remaining risk after management has taken action to alter the risk’s likelihood or impact.

Risk – The possibility that an event will occur and adversely affect the achievement of objectives.

Risk Appetite – The broad-based amount of risk a company or other entity is willing to accept in pursuit of its
mission (or vision).

Risk Tolerance – The acceptable variation relative to the achievement of an objective.

Stakeholders – Parties that are affected by the entity, such as shareholders, the communities in which the entity
operates, employees, customers, and suppliers.

Strategic – Used with “objectives”: having to do with high-level goals that are aligned with and support the
entity’s mission (or vision).

Uncertainty – Inability to know in advance the exact likelihood or impact of future events.

Appendix G. Acknowledgments
The COSO Board, Advisory Council, and PricewaterhouseCoopers LLP gratefully acknowledge the many
executives, legislators, regulators, auditors, academics, and others who gave their time and energy to
participating in and contributing to various aspects of the study. Also recognized are the considerable efforts of
the COSO organizations and their members who responded to surveys, participated in workshops and meetings,
and provided comments and feedback throughout the development of this framework.

The following PricewaterhouseCoopers partners provided important input to this framework: Dick Anderson,
Jeffrey Boyle, Glenn Brady, Michael Bridge, John Bromfield, Gary Chamblee, Nicholas Chipman, John Copley,
Michael de Crespigny, Stephen Delvecchio, Scott Dillman, P. Gregory Garrison, Bruno Gasser, Susan Kenney,
Brian Kinman, Robert Lamoureux, James LaTorre, Mike Maali, Jorge Manoel, Cathy McKeon, Juan Pujadas,
Richard Reynolds, Mark Stephen, Robert Sullivan, Jeffrey Thompson, and Shyam Venkat.

The following individuals also contributed to this study: Michael Haubenstock, Director, Enterprise Risk
Management, Capital One Finance Corporation; Adrienne Willich, Manager of Operational Risk, Capital One
Finance Corporation; and Daniel Mudge, President and Chief Operating Officer, OpVantage. Richard A. Scott,
William G. Shenkir, and Paul L. Walker from the University of Virginia conducted preliminary research leading to
this study. Thanks also go to Myra Cleary for her editorial guidance.

Special acknowledgment goes to Robert G. Eccles, President, Advisory Capital Partners, Inc. and former
Harvard Business School Professor, for his extensive contributions to this framework.

Finally, we pay tribute to William H. Bishop, III, President of the Institute of Internal Auditors, who until his
passing worked tirelessly to enhance the role and stature of the auditing profession. Bill’s participation in this
project, and indeed in COSO’s internal control framework project, helped make those reports better. As a
colleague and friend, he will be sorely missed.

1. Introduction

PDF version: ERM_Application_Techniques.pdf

Use of This Document

This volume of Enterprise Risk Management – Integrated Framework provides practical illustrations of
techniques used at various levels of an organization in applying enterprise risk management principles. The
organization of this volume parallels that of the Framework volume. In order to provide further linkage, passages
from the Framework volume are included here, in italics. Those passages also provide a foundation for the
illustrated techniques. To gain the desired benefit from this material, users should be familiar with the
Framework document.

While it is expected that this material will be useful to those seeking to apply enterprise risk management
techniques, it is not a part of the Framework. Its presentation here in no way suggests that the illustrated
techniques need to be used to effect enterprise risk management, or that their application must be present in
determining whether enterprise risk management is effective. There is no suggestion that these descriptions or
exhibits are a preferred method, or represent “best practices.”

The techniques illustrated in this volume are neither intended to be, nor are they, complete. The exhibits and
accompanying discussions relate to only certain elements presented in the Framework and depicted in Exhibit
1.1. Some of the techniques are applicable to smaller, non-complex organizations, while others are more
relevant to larger, complex entities. A more comprehensive presentation of techniques for applying enterprise
risk management that reflects entity size, diversity, and industry is beyond the scope of this project. Over time,
we believe that additional guidance will evolve as professional organizations, industry groups, academics,
regulators, and others develop material to assist their constituencies.

It is suggested that readers considering enterprise risk management application techniques also refer to the
Evaluation Tools volume of Internal Control – Integrated Framework for additional guidance. It presents tools for
use in conducting an evaluation of an entity’s internal control system, including a set of blank tools, filled-in tools
completed for a hypothetical company, and a reference manual.

Key Elements of Enterprise Risk Management
To provide ready context, Exhibit 1.1 lists key elements of each of the enterprise risk management components.

Exhibit 1.1 Key Elements of Each Component

An Implementation Process
As noted, this volume illustrates a variety of techniques useful in applying specific elements of the enterprise risk
management framework. A higher-level, “up front” issue involves what approach management takes when first
considering how to implement the framework throughout the organization.

An entity’s size, complexity, industry, culture, management style, and other attributes will affect how the
framework’s concepts and principles are most effectively and efficiently implemented. Because of the array of
available approaches and choices, even similar organizations implement enterprise risk management differently
– whether applying the framework’s concepts and principles for the first time or considering whether their
existing enterprise risk management process, which may have been developed ad hoc over time, is truly
effective. Experience shows, however, that certain commonalities exist, and provided here is a brief description
of common broad-based steps taken by managements that have successfully completed enterprise risk
management implementation:

• Core Team Preparedness – Establishing a core team, with representation from business units and key support functions, including strategic planning, is an important first step. This team becomes intimately familiar with the framework’s components, concepts, and principles. This familiarity provides a common understanding and language, and a foundational basis needed to design and implement an enterprise risk management process that effectively addresses the entity’s unique needs.
• Executive Sponsorship – While the timing and form of executive sponsorship vary by organization, it is important that executive sponsorship be initiated early and solidified as implementation progresses. Executive leadership articulates the benefits of enterprise risk management, and establishes and communicates the business case for the related investment of resources. CEO support, and usually at least initial direct and visible involvement, drives success.
• Implementation Plan Development – An initial plan is created for the next steps, setting out key project phases, including defined work streams, milestones, resources, and timing. Responsibilities are identified, and a project management system put in place. The plan serves as a means to consistently communicate and coordinate with team leadership, and as a basis for communicating and confirming expectations of various units and personnel, and discussing entity-wide changes anticipated from adopting enterprise risk management.
• Current State Assessment – This includes an assessment of how enterprise risk management components, concepts, and principles currently are being applied across the entity. This usually involves ascertaining whatever risk management philosophy has evolved within the organization and determining whether there is uniform understanding of the entity’s risk appetite. The core team also identifies formal and informal policies, processes, practices, and techniques currently in place, as well as existing capabilities in the organization for applying the framework’s principles and concepts.
• Enterprise Risk Management Vision – The core team develops a vision that sets out how enterprise risk management will be used going forward and how it will be integrated within the organization to achieve its objectives – including how the organization focuses its enterprise risk management efforts on aligning risk appetite and strategy, enhancing risk response decisions, identifying and managing cross-enterprise risks, seizing opportunities, and improving deployment of capital.
• Capability Development – The current state assessment and the enterprise risk management vision provide insights needed to determine the people, technology, and process capabilities already in place and functioning, as well as new capabilities that need to be developed. This includes defining roles and responsibilities, and modifications to the organizational model, policies, processes, methodologies, tools, techniques, information flows, and technologies.
• Implementation Plan – The initial plan is updated and enhanced, adding depth and breadth to cover further assessment, design, and deployment. Additional responsibilities are defined, and the project management system refined as needed. The plan typically embraces general project management disciplines that are a part of any implementation process.
• Change Management Development and Deployment – Actions are developed as needed to implement and sustain the enterprise risk management vision and desired capabilities – including deployment plans, training sessions, reward reinforcement mechanisms, and monitoring the remainder of the implementation process.
• Monitoring – Management will continually review and strengthen risk management capabilities as part of its ongoing management process.

The following chapters illustrate some of the specific techniques for applying the concepts and principles in each
of the components of the enterprise risk management framework.

2. Internal Environment

Framework Chapter Summary: The internal environment encompasses the tone of an organization, influencing
the risk consciousness of its people, and is the basis for all other components of enterprise risk management,
providing discipline and structure. Internal environment factors include an entity’s risk management philosophy;
its risk appetite; oversight by the board of directors; the integrity, ethical values, and competence of the entity’s
people; and the way management assigns authority and responsibility, and organizes and develops its people.

This application techniques chapter briefly describes the impact internal environment elements can have on an
entity’s success or failure, and illustrates statements of risk management philosophy, techniques to evaluate the
extent to which the philosophy is integrated into an entity’s culture, and tools to promote a culture of integrity and
ethics.

Impact
An organization’s internal environment has a significant impact on how enterprise risk management is
implemented and functions on an ongoing basis. The internal environment is the context in which other
components of enterprise risk management are applied, typically with powerful effect, either positive or
negative. An example of the latter is presented in Exhibit 2.1.

Exhibit 2.1 Impact of the Internal Environment

The impact of the internal environment is illustrated in findings from the Columbia Accident Investigation Board
Report. This board, activated by the National Aeronautics and Space Administration (NASA), investigated the
causes of the Columbia Space Shuttle disaster, where the space shuttle broke up on re-entry. The report states:
“The organizational causes of the Columbia accident were rooted in the Space Shuttle Program’s history and
culture. . . . Cultural traits and organizational practices detrimental to safety were allowed to develop, including:
reliance on past success as a substitute for sound engineering practices (such as testing to understand why
systems were not performing in accordance with requirements); organizational barriers that prevented effective
communication of critical safety information and stifled professional differences of opinion; lack of integrated
management across program elements; and the evolution of an informal chain of command and decision-making
processes that operated outside the organization’s rules.”

Risk Management Philosophy

An entity’s risk management philosophy is the set of shared beliefs and attitudes characterizing how the entity
considers risk in everything it does, from strategy development and implementation to its day-to-day activities.
. . . [It] is reflected in virtually everything management does in running the entity. It is captured in policy
statements, oral and written communications, and decision making. Whether management emphasizes written
policies, standards of behavior, performance indicators, and exception reports, or operates more informally
largely through face-to-face contact with key managers, of critical importance is that management reinforces the
philosophy not only with words but also with everyday actions.

Managements of some companies articulate elements of their risk management philosophy in writing. Examples
of risk management philosophies are presented in Exhibits 2.2 and 2.3.

Exhibit 2.2 Illustrative Statement Describing Risk Management Philosophy

Amidst global growth and cultural expansion, our organization requires a comprehensive approach to corporate
risk management that promotes broad strategic thinking and analysis, while fundamentally integrating the
Organization’s Core Values and Beliefs. To this end, we strive for risk management to become our competitive
advantage.

The starting point for our risk management program is an enterprise risk strategy that respects the needs and
aspirations of all with whom we have relationships. By facilitating the flow of information and stressing
communication across the organization, the risk management program provides a continuous loop risk information
model. This model provides information regarding stakeholder needs and expectations to continuously improve
our enterprise-wide risk strategy.

To ensure that we fulfill our strategy, our risk management program arms our people with the tools and
capabilities to overcome the barriers that arise in striving to exceed expectations. By realizing that risk and control
is everyone’s job, our people will proactively identify risk in delivering products and services to the market in a
more efficient and cost effective manner. Our risk management program allows our people to view the problem
from various angles to identify not only the risk mitigation activities, but also to anticipate and act on potential
opportunities—therefore challenging conventional wisdom to create better solutions.

A fundamental tenet of our organization is respect and integrity for our employees, customers and shareholders.
By incorporating risk management into our daily business practices and by operationalizing the related
performance measures, the risk management program ensures that we maintain our highest ethical standards by
living our core values.

Exhibit 2.3 Illustrative Statement Describing Risk Management Philosophy

Enterprise risk management will provide our organizations with the superior capabilities to identify, assess and
manage the full spectrum of risks and to enable staff at all levels to better understand and manage risk. This will
provide us with:

• Responsible acceptance of risk
• Support for Executive and the Board
• Improved outcomes
• Strengthened accountability
• Enhanced stewardship

All staff are expected to demonstrate appropriate standards of behavior in development of strategy and pursuit of
objectives. This philosophy is supported by the following guiding principles. Management and staff shall:

• Consider all forms of risk in decision-making.
• Create and evaluate business-unit level and Company-level risk profile to consider what’s best for their individual business unit and department and what’s best for the Company as a whole.
• Support executive management’s creation of a Company-level portfolio view of risk.
• Retain ownership and accountability for risk and risk management at the business unit or other point of influence level. Risk management does not defer accountability to others.
• Strive to achieve best practices in enterprise risk management.
• Monitor compliance with policies and procedures and the state of enterprise risk management.
• Lever existing risk management practices, wherever they exist within the Company.
• Document and report all significant risks and enterprise risk management deficiencies.
• Accept that enterprise risk management is mandatory, not optional.

To gain insight into how well the risk management philosophy is integrated into an entity’s culture, some
companies conduct a risk-related culture survey, which measures the presence and strength of key risk-related
attributes. Some of the attributes typically addressed in these surveys are presented in Exhibit 2.4.

Exhibit 2.4 Attributes Measured in a Risk-Related Culture Survey

1. Leadership and Strategy
• Demonstrate Ethics and Values
• Communicate Mission and Objectives

2. People and Communication
• Commitment to Competency
• Share Information and Knowledge

3. Accountability and Reinforcement
• Organizational Structure
• Measure and Reward Performance

4. Risk Management and Infrastructure
• Assess and Measure Risk
• System Access and Security

Some companies survey all staff periodically, such as annually, and a representative sample of staff more
frequently, based on desired timing and confidence level. One company deploys these surveys quarterly to
allow for greater insight into the ongoing pulse and trends of the organization, especially helpful during times of
change. The results of such surveys provide directional indicators of areas of strength and weakness in an
organization’s culture. An illustration of how results of a risk-related culture survey question are presented and
interpreted is shown, in part, in Exhibit 2.5. The results help the entity identify attributes that need strengthening
to ensure an effective internal environment.

Exhibit 2.5 Illustrative Risk-Related Culture Survey

Integrity and Ethical Values
The effectiveness of enterprise risk management cannot rise above the integrity and ethical values of the people
who create, administer, and monitor entity activities.

Integrity and commitment to ethical values start with the individual. Value judgments, attitude, and style are
based on individual experiences. Nowhere are integrity and ethical values more important than with the CEO
and the senior management team, who set the “tone at the top” and influence how other entity personnel will
conduct themselves. The “right” tone at the top helps:

• The organization’s people do the right thing, both legally and morally
• Create a compliance-supporting culture, which is committed to enterprise risk management
• Navigate “gray” areas where no specific compliance rules or guidelines exist
• Promote a willingness to seek assistance and report problems before the point of no return

Organizations support a culture of integrity and ethical values with communications such as a credo or core
values statement that sets out the organization’s values and priorities, and a code of conduct. A code of conduct
provides a connection between the organization’s mission or vision and its operating policies and procedures.
Not typically an exhaustive conduct guide, or a legal document outlining in detail key organizational protocols, a
code of conduct is a proactive statement of an organization’s positions on ethics and compliance issues. Codes
also can serve as a “user-friendly” guide to the organization’s policies on employee and organizational conduct.

An illustration of topics often addressed in a code of conduct is presented in Exhibit 2.6. This structure is
derived from the Open Compliance and Ethics Group’s pending Foundation Guidelines for an Integrated
Compliance and Ethics Program.

Exhibit 2.6 Illustrative Code of Conduct Structure


1. Letter from Chief Executive
• Presents top management’s message of the importance of integrity and ethics to the organization
• Introduces the code of conduct: its purpose and how to use it

2. Goals and Philosophy
• Considers the entity’s:
  • Culture
  • Business and industry
  • Geographic locations, domestically and internationally
  • Commitment to ethical leadership

3. Conflicts of Interest
• Addresses conflicts of interest and forms of self-dealing
• Speaks to personnel and other corporate agents and those activities, investments, or interests that reflect on the
entity’s integrity or reputation

4. Gifts and Gratuities
• Deals with giving of gifts and gratuities, setting forth the entity’s policy, typically going well beyond local law
• Sets standards and provides guidance regarding gifts and entertainment and their proper reporting

5. Transparency
• Includes provisions dealing with the organization’s commitment to complete and understandable social,
environmental, and economic reporting

6. Corporate Resources
• Includes provisions dealing with corporate resources, including intellectual property and proprietary information –
whom these belong to and how they are safeguarded

7. Social Responsibility
• Includes the entity’s role as a corporate citizen, including its commitment to human rights, environmental
sustainability, community involvement, and environmental and economic issues

8. Additional Conduct-Related Topics
• Includes provisions regarding adherence to policies established within specific areas of company activity, for
example:
  • Employment issues such as fair labor practices and antidiscrimination
  • Governmental dealings such as contracting, lobbying, and political activity
  • Antitrust and other competitive practices
  • Good faith and fair dealing with customers/competitors/suppliers
  • Confidentiality and security of information
  • Environmental practices
  • Product safety/quality

The overview from a professional service firm’s code of conduct is presented in Exhibit 2.7.

Exhibit 2.7 Illustrative Overview from Code of Conduct

Our Values

• The best solutions come from working together with colleagues and clients.
• Effective teamwork requires Relationships, Respect and Sharing.
• Delivering what we promise and adding value beyond what is expected.
• We achieve excellence through Innovation, Learning, and Agility.
• Leading with clients, leading with people and thought leadership.
• Leadership demands Courage, Vision and Integrity.

Upholding the [firm] name

• Our clients and colleagues trust [firm name] based on our professional competence and integrity – qualities that
underpin our reputation. We uphold that reputation.
• We seek to serve only those clients whom we are competent to serve, who value our service and who meet
appropriate standards of legitimacy and integrity.
• When speaking in a forum in which audiences would reasonably expect that we are speaking as a representative
of [firm name], we generally state only [firm name] view and not our own.
• We use all assets belonging to [firm name] and to our clients, including tangible, intellectual and electronic assets,
in a manner both responsible and appropriate to the business and only for legal and authorized purposes.

Behaving Professionally

• We deliver professional services in accordance with [firm name] policies and relevant technical and professional
standards.
• We offer only those services we can deliver and strive to deliver no less than our commitments.
• We compete vigorously, engaging only in practices that are legal and ethical.
• We meet our contractual obligations and report and charge honestly for our services.
• We respect the confidentiality and privacy of our clients, our people and others with whom we do business.
Unless authorized, we do not use confidential information for personal use, [firm name’s] benefit or to benefit a
third party. We disclose confidential information or personal data only when necessary, and when appropriate
approval to do so has been obtained, and/or we are compelled to do so by legal, regulatory or professional
requirements.
• We aim to avoid conflicts of interest. Where potential conflicts are identified and we believe that the respective
parties' interests can be properly safeguarded by the implementation of appropriate procedures, we will implement
such procedures.
• We treasure our independence of mind. We protect our clients' and other stakeholders' trust by adhering to our
regulatory and professional standards, which are designed to enable us to achieve the objectivity necessary in our
work. In doing so, we strive to ensure our independence is not compromised or perceived to be compromised. We
address circumstances that impair or could appear to impair our objectivity.
• When faced with difficult issues or issues that place [firm name] at risk, we consult appropriate [firm name]
individuals before taking action. We follow our applicable technical and administrative consultation requirements.
• It is unacceptable for us to receive or pay bribes.

Respecting Others

• We treat our colleagues, clients and others with whom we do business with respect, dignity, fairness and
courtesy.
• We take pride in the diversity of our workforce and view it as a competitive advantage to be nurtured and
expanded.
• We are committed to maintaining a work environment that is free from discrimination or harassment.
• We try to balance work and private life and help others to do the same.
• We invest in the ongoing enhancement of our skills and abilities.
• We provide a safe working environment for our people.

Corporate Citizenship

• We express support for fundamental human rights and avoid participating in business activities that abuse human
rights.
• We act in a socially responsible manner, within the laws, customs and traditions of the countries in which we
operate, and contribute in a responsible manner to the development of communities.
• We aspire to act in a manner that minimizes the detrimental environmental impacts of our business operations.
• We encourage the support of charitable, educational and community service activities.
• We are committed to supporting international and local efforts to eliminate corruption and financial crime.

To monitor the extent to which employees’ actions conform to established standards, some companies
periodically use staff focus groups. This feedback, often employing technology, is used to “validate” core
values. Technology also can be used to enable sharing and updating information and tracking employee
compliance with the code of conduct and related policies, standards, and procedures. Illustrations of how
entities are using technology to foster the desired culture are presented in Exhibit 2.8.

Exhibit 2.8 Technology to Support a Culture of Integrity and Ethics

• A direct link from the organization’s Internet (or intranet) home page to the values statement and code of conduct,
facilitating their use and sending a message about their importance
• Electronically available codes and related information, providing ease of access and eliminating need for paper
copies
• Confirmation that staff received the information
• Training venues and e-learning
• Automatic reference to the code or guidance used during completion of tasks
• Automatic reminder to staff of required actions
• Notification to staff’s immediate supervisor and above if action is not taken in a timely manner
• Method to obtain certification of compliance
• Audit trail of activities

3. Objective Setting

Framework Chapter Summary: Objectives are set at the strategic level, establishing a basis for operations,
reporting, and compliance objectives. Every entity faces a variety of risks from external and internal sources,
and a precondition to effective event identification, risk assessment, and risk response is establishment of
objectives. Objectives are aligned with the entity’s risk appetite, which drives risk tolerance levels for the entity.

This chapter illustrates linking an entity’s mission with strategic and related objectives, aligning strategic and
related objectives, and depictions of risk appetite and risk tolerances.

Strategic Objectives
In considering alternative ways to achieve its strategic objectives, management identifies risks associated with a
range of strategy choices and considers their implications. Various event identification and risk assessment
techniques, discussed below and in later chapters, can be used in the strategy-setting process.

Exhibit 3.1 illustrates setting strategic objectives, using risk assessment techniques.

Exhibit 3.1 Setting Strategic Objectives

A community bank considering its options for enhancing customer services identified three strategies:

• Option A – Expand its branch network into new areas matching its target demographics
• Option B – Scale back the branch network to 50% of its current size, and significantly enhance its Internet and
call-center capabilities
• Option C – Maintain the branch network, and outsource the existing Internet and call-center operations to a lower-
cost company in a foreign country

When considered against the bank’s vision, which encompasses contributing to the communities within which it
operates, Option C was seen as inconsistent with the vision, given the job losses that would result. Management
then focused on Options A and B.

Using scenario analysis, modeling, and stress testing (discussed in the Risk Assessment chapter), management
compared the results of each option in relation to the impact on return on capital employed. Management
identified the distribution of potential return outcomes given their differing credit and operational risk profiles, and
determined that the potential returns on capital employed under the two scenarios, while having similar median
outcomes, have markedly different distributions, as shown below.

Related Objectives
Entity-level objectives are linked to and integrated with more specific objectives that cascade through the
organization to sub-objectives established for various activities, such as sales, production, and engineering, and
infrastructure functions.

Linkage of a company’s mission with its strategic objectives, strategies, and related objectives is illustrated in
Exhibit 3.2.

Exhibit 3.2 Linking Mission/Vision with Strategic and Related Objectives

Mission
• To provide high-quality, accessible, and affordable community-based health care

Strategic Objectives
• Be the first or second largest, full-service health care provider in mid-size metropolitan markets
• Rank in the top quartile in quality for our core medical services
• Be recognized in the local marketplaces as quality/price leaders

Strategies
• Align with stand-alone hospitals in the target markets in which we do not currently have a presence
• Acquire high-quality, under-performing medical service providers in target markets where feasible - otherwise,
consider lesser programs to revamp and rebuild
• Develop ownership participation or profit-sharing programs to attract top local medical talent
• Develop tailored, targeted marketing programs for large and middle market businesses in target markets
• Bring our state-of-the-art infrastructure systems to provide effective management and cost control
• Achieve leading track record of compliance with all healthcare and other applicable laws and regulations

Related Objectives

- Operations
• Initiate dialogue with leadership of ten top under-performing hospitals and negotiate agreements with two this year
• Target ten other programs in key target markets and execute agreements with five this year
• Identify needs and motivations of leading practitioners in major markets and structure alternative model terms
• Ensure at least one top medical talent is on board in each core discipline in at least five major markets this year
• Hold focus groups with business leaders in key markets to determine program needs
• Develop alternative model programs for business customers
• Develop methodologies for quick-start implementation of information and operational systems in acquired/rebuilt
hospitals
• Set protocols for migration from existing systems
• Implement new systems in one new location to serve as model going forward

- Reporting
• Install our foundation systems in newly acquired facilities to provide management reports on key performance
measures, with exception and trend line analysis, within four working days of month-end
• Ensure all facilities report, accurately and on a timely basis, compliance performance and issues for management
review
• Establish uniform reporting system/accounts for assembly of accurate and complete information required for
external reporting

- Compliance
• Establish compliance office with charter, leadership, and staffing centrally, providing support to local units
• Ensure line personnel recognize their primary compliance responsibilities, building into human resource objectives
and performance assessments
• Develop company-wide protocols for medical procedures, drug storage and dispensing, staffing assignments and
schedules, and all aspects of patient care
• Review privacy policies and practices and benchmark against federal requirements and best practices

Another example of linkage is illustrated in Exhibit 3.3. Here, the bank referred to in Exhibit 3.1 aligned its vision
first with strategic objectives and strategies, and then with objectives in its property unit and human resources
function.

Exhibit 3.3 Linking Mission/Vision with Strategic and Related Objectives

Vision
Be the leading and most trusted provider of financial services to families within the region, thereby contributing to
the communities within which we operate

Strategic Objectives
• To maintain an annual return on capital employed of 15%
• To grow the customer base by 30% within three years through expanding the branch network by 50% over that
timeframe

Strategies
• Acquire new property leases in areas that match our target customer demographics
• Maintain the current cost structure for the branch network

Property Unit Objectives
• Develop an outsourcing relationship with a qualified real estate company to identify and negotiate suitable leases
in accordance with the required growth in the property portfolio
• Open 15 new branches in the coming year
• Maintain rental cost average of $xx rental per square foot across the property portfolio
• Recruit two additional in-house property managers

Human Resources Objectives
• Annual turnover of customer services staff below 10%
• Recruit and train 100 customer service staff in the coming year
• Develop negotiating position and plan for upcoming negotiations with the trade union regarding treatment of the
new employees

Risk Appetite
Risk appetite can be expressed in qualitative or quantitative terms. Exhibit 3.4 provides illustrative questions
management might ask when considering its risk appetite.

Exhibit 3.4 Considering Risk Appetite


1. What risks is the company in business to accept and what risks will it not accept – e.g., is the organization
prepared to accept minor losses of physical inventory from pilferage but not willing to accept large losses of
physical inventory from spoilage, obsolescence, or natural disasters?
2. Is the company comfortable with the amount of risk accepted, or to be accepted, by each of its businesses?
3. What levels of risk is the company prepared to accept on new initiatives in order to achieve the company-wide
desired return on invested capital of 15%?
4. Is the entity prepared to accept more risk than it currently is accepting and, if so, what return level would be
required?
5. What level of capital or earnings is the organization willing to put at risk given a particular confidence level –
e.g., will management accept 50% of its capital at risk of loss with 95% confidence in this amount?
6. What percentage of “worst case” risks does the company want to have capital available to cover – based on a
scale of likelihood and impact of major risk potentialities? Is it acceptable that an unlikely event could challenge
the entity’s viability?
7. Are there specific risks that the organization is not prepared to accept, such as risks that could result in
non-compliance with privacy of information laws?
8. To what extent will the company accept risk to competing objectives, such as risk of lower gross profit margin in
return for greater market share?
9. How does the organization’s risk appetite compare with that of peers – how much risk is the organization
prepared to accept to move from following competitors in product innovation to trend-setter status?
10. What are the relative risks, and related comfort levels, in preserving value by maintaining the quality of existing
products and services, versus seeking to create new value through new product development?
11. To what extent is the company prepared to enter into projects with lower likelihood of success but larger
potential returns?
12. Is the organization more comfortable with a qualitative descriptor versus a quantitative one?

Some organizations express risk appetite in terms of a “risk map,” as illustrated in Exhibit 3.5. In this exhibit, any
significant residual risk in the yellow area exceeds the company’s risk appetite, calling for management to take
action to reduce the likelihood and/or impact of the risk to bring it within the company’s risk appetite.

Exhibit 3.5 Forming Risk Appetite


Some industries, especially those in financial services and the oil and gas sector, are able to adopt sophisticated
approaches using quantitative techniques to express risk appetite. Advanced entities might express risk
appetite using market measures or risk-based capital. Exhibit 3.6 provides an illustration of a statement of risk
appetite in terms of market measures.

Exhibit 3.6 Risk Appetite in Terms of Market Measures

A utility company focuses on growing market value capitalization through generating stable cash flows and
earnings, and sets risk appetite in those terms. Therefore, all entity-level risks are expressed in relation to the
effect on earnings and cash flow volatility. When the trend line in volatility approaches risk appetite, management
takes actions as necessary.

Exhibit 3.7 illustrates how a company views capital at risk versus return in relation to risk appetite. The company
strives to diversify its portfolio to earn a return that lines up along the target profile, rather than lower down, in the
interior of the region.

Exhibit 3.7 Risk Appetite, Return, and Capital at Risk

Determine Risk Tolerances
Risk tolerances are the acceptable levels of variation relative to the achievement of objectives. . . . Operating
within risk tolerances provides management greater assurance that the entity remains within its risk appetite,
which, in turn, provides a higher degree of comfort that the entity will achieve its objectives.

Development of risk tolerances by an airline related to on-time service is illustrated in Exhibit 3.8.

Exhibit 3.8 Objectives and Risk Tolerances

An airline decided to set an objective around superior on-time service. Management recognized the factors causing
flight delays, some of which are within its control, while others are not, and understood well how the various factors
affected regulators’ public reporting of on-time service. In considering risk tolerances, marketing, customer service, and
operations personnel determined that:

• 85% on-time flight arrival has remained the company’s target for many years, which generally has been achieved
and is in line with messages in its marketing program
• The industry average for on-time arrival on the relevant routes for the past several years has remained at
approximately 80%
• There is minimal effect on the company’s customer flight bookings when arrival times temporarily decrease to as
low as the industry average
• The cost to achieve more than 87% on-time arrival is uneconomical and cannot be passed through in ticket prices
• The company has been criticized by industry analysts for its inability to keep costs down

Based on this information, management maintained the objective of 85% average on-time arrival, with a tolerance of
between 82% and 86%. Looking at the tolerances for other objectives, management is better able to allocate resources
to ensure reasonable likelihood of achieving outcomes across multiple objectives.

Risk tolerances sometimes are set at the entity level and allocated across business units, as illustrated in Exhibit
3.9.

Exhibit 3.9 Risk Tolerances Across Multiple Business Units

A company set a risk tolerance of no more than 20% of revenue to be derived from alliance partners. When its
two business units developed operating and marketing plans for the coming period, both showed a strong
dependence on alliance partners, and, when aggregated, the plans reflected such sourced revenue exceeding the
20% threshold. Management decided to allow business unit A to generate up to 40% of revenue from its alliance
partner, while business unit B was allowed only 15%, allowing the company's overall plan to retain the 20%
tolerance level.

The way in which one organization depicted the relationship between its mission, objectives, appetite, and
tolerance is illustrated, in part, in Exhibit 3.10.

Exhibit 3.10 Relating Mission, Objectives, Appetite, and Tolerance

4. Event Identification

Framework Chapter Summary: Management identifies potential events that, if they occur, will affect the entity,
and determines whether they represent opportunities or whether they might adversely affect the entity’s ability to
successfully implement strategy and achieve objectives. Events with negative impact represent risks, which
require management’s assessment and response. Events with positive impact represent opportunities, which
management channels back into the strategy and objective-setting processes. When identifying events,
management considers a variety of internal and external factors that may give rise to risks and opportunities, in
the context of the full scope of the organization.

This chapter illustrates some of the techniques used in event identification. Included are illustrations of how
events are linked with objectives; techniques enabling personnel to identify events using event inventories,
facilitated workshops, interviews, questionnaires, surveys, and process flow analysis; and identifying events
using leading event indicators, escalation triggers, and loss event data tracking. Also illustrated are
interrelationships between multiple events, and use of event categories to enhance understanding the
relationships.

Linking Events with Objectives


In some circumstances, identifying events related to a specific objective is reasonably straightforward, as
illustrated in Exhibit 4.1. In this illustration, building on Exhibit 3.10, potential events and their impacts are
identified and related to the objective, associated risk tolerance, and measurement unit. In this example,
management determined that increasing staffing levels and maintaining staff costs were two operations
objectives (other operations objectives are not presented).

Exhibit 4.1 Identifying Events


Mission
To be the leading producer of premium household products in the regions in which we operate

Strategic Objective
To be in the top quartile of product sales for retailers of our products

Related Objectives
• Hire 180 new qualified staff across all manufacturing divisions to meet customer demand without overstaffing
• Maintain 22% staff cost per dollar order

Objective Unit of Measure
• Number of new qualified staff hired
• Staff cost per dollar order

Tolerance
• 165 – 200 new qualified staff
• Staff cost between 20% and 23% per dollar order

Potential events/risks and related impact
• Unexpected slowdown in job market causing more offers being accepted than planned, resulting in excess staff
• Unexpected heating up of job market causing fewer offers being accepted, resulting in too few staff
• Inadequate needs/specifications descriptions, resulting in hiring unqualified staff

In other circumstances, risk identification is not as immediately evident, and a variety of techniques are used, as
discussed in the following paragraphs.

Event Identification Techniques


An entity’s event identification methodology may comprise a combination of techniques, together with supporting
tools. . . . Event identification techniques look to both the past and the future.

Management uses any number of techniques to identify potential events affecting achievement of
objectives. The techniques are used in identifying risks and opportunities, for example, when implementing a
new business process, re-designing an existing one, or evaluating a process. Or, they may be used in
connection with strategic or business unit planning, or when considering new initiatives or organizational
change. They may be used on a periodic or an ongoing basis.

Application of common event identification techniques is illustrated below.

Event Inventories
Managements use listings of potential events common to a specific industry or functional area. The list is
developed by personnel within the entity, or from generic lists generated externally. Such lists of potential
events are used, for example, relative to a specific project, process or activity, and can be useful in ensuring a
consistent view across similar activities within the organization. If externally developed, the inventory is
enhanced and otherwise tailored to the entity’s circumstances, to better relate to the organization’s risks, and to
be consistent with the organization’s common enterprise risk management language. Exhibit 4.2 illustrates use
of an externally produced inventory of events potentially affecting a software development project.

Exhibit 4.2 Event Inventories


Before undertaking a software development project, a company reviews an inventory of generic risks inherent in
software development projects. The inventory provides a useful way to draw on the accumulated risk knowledge
of others experienced in this subject area. Recognizing that the inventory includes risks from companies with
different characteristics, management considers the effect of these risks on its own unique circumstances.

Facilitated Workshops
Event identification facilitated workshops typically bring together cross-functional or multi-level individuals for the
purpose of drawing on the group’s collective knowledge to develop a list of events as they relate, for example, to
the company’s strategic, business unit, or process objectives. The results of workshops usually depend on the
depth and breadth of information the participants bring to the table.

Some organizations in connection with strategy setting hold a workshop of senior management to identify events
that could affect achievement of corporate strategic objectives. An approach to the workshop and agenda used
by one company to identify potential events relevant to the achievement of specified objectives is outlined in
Exhibit 4.3.

Exhibit 4.3 Facilitated Workshop Outline

Prior to the workshop

• Identify experienced facilitator to lead the session, manage group dynamics, and plan how best to capture
generated ideas in usable form
• Establish and agree on ground rules at the commencement of the workshop
• Recognize the different participant styles and personality types, considering how to optimize their contribution
• Identify which objectives, category of objectives, and categories of events to focus on
• Invite an appropriate number of workshop participants – normally limit to 15 or fewer
• Set realistic expectations up front with respect to what the workshop is intended to achieve

Agenda

1. Introduction

• Explain background of workshop and why each participant has been invited
• Explain ground rules

2. Explain workshop process

• Events are to be considered against corporate objectives per business plan
• For each objective, the facilitator will prompt discussion on events emanating from the following factors, and their
related effects:

  External: Economic, Natural Environment, Political, Social, Technological
  Internal: Infrastructure, Personnel, Process, Technology

• Describe how and when voting tools and verbal inputs will be used
• Explain how ideas, conclusions will be documented

3. Explore Objective 1

• Identify the objective, its unit of measure, and the related established targets
• Gain consensus of risk tolerance – the degree of acceptable variation around the unit of measure
• Discuss internal and external factors that drive potential events relative to the objective
• Determine which events represent risks to achieving the objective, and which events represent opportunities
• Consider how multiple risks affecting this objective relate to one another

4. Next steps and close

• Distribute the workshop output to all participants within 48 hours, with action plan for next steps

Interviews
Interviews typically are conducted in a one-on-one setting, or sometimes two-on-one, where the interviewer is
accompanied by a colleague taking notes. The purpose is to ascertain the individual’s candid views and
knowledge of actual past events and potential events. An interview agenda used in focusing on business unit
objectives is illustrated in Exhibit 4.4.

Exhibit 4.4 Interview Agenda

Interview Agenda

1. Introduction
2. Provide background on the project and interview process
3. Confirm the person’s position, background, and current responsibilities
4. Confirm they received and read any background material provided in advance

Strategies and Objectives

1. Identify the key objectives within the interviewee’s business unit/division
2. Determine how the objectives align with and support the entity’s strategies and objectives
3. Identify the unit of measure for each objective and the related established targets
4. Determine the established risk tolerances
5. Discuss factors related to potential events relative to the objective
6. Identify potential events creating risks to objectives, and those representing opportunities
7. Consider how the interviewee prioritizes these events, considering likelihood and impact
8. Identify events that have occurred in the past 12 months that impacted the entity that were not identified by
management and staff
9. Consider whether risk identification mechanisms need to be enhanced

Questionnaires and Surveys


Questionnaires address a range of issues to be considered by participants, focusing their thinking on internal
and external factors that have given rise, or may give rise, to events. Questions can be open-ended or closed,
depending on the goal. They can be directed to one or a few individuals, or used in connection with a broader-
based survey, either within an entity or directed to customers, suppliers, or other external parties. Use of these
techniques is illustrated in Exhibit 4.5.

Exhibit 4.5 Illustrative Questionnaire and Survey

Targeted Questionnaire

A company requires business unit staff to complete a questionnaire before accepting a new vendor. The
questionnaire requires the staff person to consider a range of questions exploring the potential vendor’s:

• Quality processes
• Risk management processes
• Insurance coverage
• Terms and conditions

In considering the questions, the staff person identified the following potential events to which the company would
be exposed if it were to do business with the vendor:

• The vendor’s history of inconsistent delivery presents a risk of supply chain disruptions.
• The vendor is not certified to an appropriate quality standard. A risk exists that the materials provided might not
meet the company’s quality specifications, resulting in production problems, loss of customers, and reputational
damage.
• The vendor has inadequate insurance coverage for product defects. A risk exists that the company would not be
able to recover associated losses.
• The vendor’s terms require a two-year commitment from the company, with an associated risk of changing needs
and related economic loss.

Survey

A fast-food company regularly surveys its customers in two areas: changes in their consumption
habits/preferences, and satisfaction levels with the service received in its restaurants. A recently completed
survey identified a shift in preference toward organic foods and away from genetically modified foods. With this
information, management assessed the extent to which the shift in preferences called for modification of strategy
and related objectives, including new product offerings and marketing programs. Similarly, management used the
survey results – which showed a declining level of satisfaction with service at particular restaurants – in looking at
underlying issues related to those units.

Process Flow Analysis


Process flow analysis typically involves the diagrammatic representation of a process, with the goal of better
understanding the interrelationships of its component inputs, tasks, outputs, and responsibilities. Once mapped,
events can be identified and considered against process objectives. As with other event identification
techniques, process flow analysis can be used in looking from a high level within the entity, or at a detailed
level. Exhibit 4.6 illustrates the latter, depicting how a company mapped its cash receipts process as a basis for
identifying related risks to the objective of depositing and recording all cash receipts on a timely and accurate
basis.

Exhibit 4.6 Process Flow Analysis

Tasks | Possible events

1. Clerk stamps check with date stamp
• Clerk fails to stamp check

2. Check entered into check register
• Clerk fails to record check details
• Clerk records incorrect check details
• Clerk misappropriates check

3. Check deposited by Clerk
• Check lost en route to bank
• Check deposited to incorrect bank account
• Incorrect amount recorded by bank
• Stamped deposit slip lost

4. Remittance slips and check register sent to AR Clerk
• Remittance slips or check register misplaced or lost

5. AR Clerk posts checks to AR ledger
• Checks applied to incorrect accounts
• Incorrect amount recorded against customer account
• AR Clerk does not post checks

6. Posting report matched to deposit slip
• Details do not match

Leading Event Indicators and Escalation Triggers
Leading event indicators, often called leading risk indicators, are qualitative or quantitative measures that
provide insight into potential events – such as the price of fuel, turnover in investor securities accounts, and
traffic on an Internet site. To be useful, leading risk indicators must be available to management on a timely
basis, which, depending on the information, might be daily, weekly, monthly, or in real time.

Escalation triggers typically focus on day-to-day operations and are reported, on an exception basis, when a pre-
established threshold is passed. Companies often have escalation triggers established within business units or
departments. To be effective, escalation triggers need to establish when managers are to be notified, with
notification timing based on the manager’s view of how much time is needed to take action.

Leading risk indicators and escalation triggers are illustrated in Exhibit 4.7.

Exhibit 4.7 Leading Risk Indicators and Escalation Triggers


Columns: Business Unit Objective | Measure | Target and Tolerance | Potential Event | Leading Indicator | Escalation Trigger for Business Unit

Business Unit Objective: Develop product promotional campaign with supermarket chain in key region
Measure: Number of units sold per month per store
Target and Tolerance: Target: 1,000 units of new product sold per month per store during promotional campaign. Tolerance: 900–1,250 units sold per month per store
Potential Event: Consumer confidence decreases, resulting in decreases in purchases of the company’s products
Leading Indicator: Consumer confidence indicators
Escalation Trigger for Business Unit: Consumer confidence decreases by more than 5%

Business Unit Objective: Create and maintain strong security against external intrusions on systems
Measure: Number of successful intrusions
Target and Tolerance: Target: 0 per month. Tolerance: 0 per month
Potential Event: Unauthorized individuals access the company’s systems via Internet ports
Leading Indicator: Detected vulnerabilities in the company’s core operating systems
Escalation Trigger for Business Unit: New critical vulnerabilities identified by third parties published by the vendor/third party; number of unauthorized attempts

Business Unit Objective: Comply with standards governing the movements of hazardous material
Measure: Volume of spills of hazardous materials transported by company staff
Target and Tolerance: Target: <100 gallons per year. Tolerance: 0–125 gallons
Potential Event: Corrosion on barrels causes material to leak from trucks during transport
Leading Indicator: Age of barrels used to transport hazardous material
Escalation Trigger for Business Unit: Barrels in use for more than 85% of their estimated useful life

Business Unit Objective: Maintain stable high-quality workforce
Measure: Turnover of staff rated as high performers
Target and Tolerance: Target: Turnover of high performers < 10%. Tolerance: 2%–12%
Potential Event: High performers resign
Leading Indicator: Staff morale of high performers
Escalation Trigger for Business Unit: High performers responding as “very” or “somewhat” dissatisfied in annual employee survey
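The exhibit describes triggers in words; the following added example (not part of the COSO text) turns the first three rows into executable checks that report on an exception basis, as the escalation-trigger discussion above calls for. The Objective class, the evaluate() function and the sample readings are assumptions made for illustration; the thresholds are the exhibit's.

```python
"""Escalation-trigger evaluation in the style of Exhibit 4.7.

Added example, not part of the COSO text. The objectives, tolerances and
trigger thresholds are taken from the exhibit; the Objective class, the
evaluate() function and the sample readings are assumptions made for
illustration.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass
class Objective:
    key: str
    measure: str                            # unit of measure for the objective
    tolerance: Callable[[float], bool]      # is the measured value within tolerance?
    trigger: Callable[[Dict], bool]         # has the leading indicator passed its threshold?
    trigger_text: str                       # escalation trigger as worded for managers


def within(lo: float, hi: float) -> Callable[[float], bool]:
    """Tolerance expressed as an inclusive range around the target."""
    return lambda value: lo <= value <= hi


OBJECTIVES: List[Objective] = [
    Objective(
        key="promotional_campaign",
        measure="units of new product sold per month per store",
        tolerance=within(900, 1250),
        # consumer confidence index down more than 5% versus the previous reading
        trigger=lambda r: (r["confidence_prev"] - r["confidence_now"]) / r["confidence_prev"] > 0.05,
        trigger_text="Consumer confidence decreases by more than 5%",
    ),
    Objective(
        key="external_intrusions",
        measure="successful intrusions per month",
        tolerance=within(0, 0),
        # a new critical vulnerability published for a core operating system
        trigger=lambda r: r["new_critical_vulns"] > 0,
        trigger_text="New critical vulnerabilities identified by third parties",
    ),
    Objective(
        key="hazardous_material",
        measure="gallons of hazardous material spilled per year",
        tolerance=within(0, 125),
        # any transport barrel past 85% of its estimated useful life
        trigger=lambda r: any(age / life > 0.85 for age, life in r["barrels"]),
        trigger_text="Barrels in use for more than 85% of their estimated useful life",
    ),
]

# Constructed readings for one reporting period (not real data).
SAMPLE_READINGS: Dict[str, Dict] = {
    "promotional_campaign": {"measure": 1010, "confidence_prev": 100.0, "confidence_now": 96.0},
    "external_intrusions": {"measure": 0, "new_critical_vulns": 2},
    "hazardous_material": {"measure": 40, "barrels": [(9.0, 10.0), (3.0, 10.0)]},
}


def evaluate(objectives: List[Objective], readings: Dict[str, Dict]) -> List[Dict]:
    """Score every objective: is the measure in tolerance, and should it be escalated?

    A finding is escalated when the leading indicator trips its trigger (so the
    manager hears before the measure itself goes out of tolerance) or when the
    measure is already outside tolerance.
    """
    findings = []
    for obj in objectives:
        r = readings[obj.key]
        in_tolerance = obj.tolerance(r["measure"])
        trigger_fired = obj.trigger(r)
        reasons = []
        if trigger_fired:
            reasons.append(obj.trigger_text)
        if not in_tolerance:
            reasons.append(f"{obj.measure} outside tolerance: {r['measure']}")
        findings.append({
            "objective": obj.key,
            "in_tolerance": in_tolerance,
            "escalate": trigger_fired or not in_tolerance,
            "reasons": reasons,
        })
    return findings


def exceptions(findings: List[Dict]) -> List[Dict]:
    """Exception-basis report: only the objectives that need a manager's attention."""
    return [f for f in findings if f["escalate"]]


if __name__ == "__main__":
    for f in exceptions(evaluate(OBJECTIVES, SAMPLE_READINGS)):
        print(f["objective"], "->", "; ".join(f["reasons"]))
```

With the constructed readings, both measures are still within tolerance yet two triggers fire, which is the point of a leading indicator: the escalation arrives before the objective is missed.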

Loss Event Data Tracking


Monitoring relevant data can help an organization identify past events having a negative impact and quantify the
associated losses, in order to predict future occurrences. While event data typically are used in risk assessment
– based on actual experience with likelihood and impact – they also can be useful in event identification by
providing a basis for fact-based discussion, institutionalizing knowledge (particularly helpful where staff turnover
is high), and serving as a source for understanding loss event interdependencies and developing predictive and
causal models.

Loss event databases developed and maintained by third party service providers are available on a subscription
basis. In some industries, such as banking, consortiums have formed to share internal data.

Loss event databases contain information on actual events meeting specified criteria. Information in externally
developed event databases can be useful to supplement internally generated information in estimating future
event likelihood and impact, particularly for potential events with low likelihood (which a company is unlikely to
have experienced in the past) but high impact. One such database, for example, contains loss event data,
across industries, on publicly reported operational losses in excess of one million dollars.

Some companies track ranges of external data. Large companies, for example, track a range of leading
economic indicators to identify movements suggesting change in demand for their products and services.
Similarly, financial institutions monitor changes in world politics to identify leading indicators suggesting
modification to future investment strategies and actual events calling for immediate change to investment
portfolios.

Use of internally generated data is illustrated in Exhibit 4.8, and externally developed data in Exhibit 4.9.

Exhibit 4.8 Loss Event Tracking Using Internal Data

A manufacturing company tracks production equipment failures, through automated routines that electronically
monitor and capture disparate equipment diagnostic information. By tracking the sequence of events,
management is positioned to assess the underlying cause of a manufacturing process failure and the costs
associated with equipment downtime. Operations managers use the information in real time, diagnosing the
cause and quickly making repair decisions. Future maintenance schedules reflect known past equipment
failures. Periodically operations management is provided reports determining the effect of the equipment failures
on a key unit of measure – production availability – and associated monetized cost.

Equipment | Component | Sub-component | Cause | Downtime Duration | Negative Effect on Production Availability | Cost
Pump #1 | Motor | Insulation | Overheating due to deterioration in insulation caused by excessive lead cable lengths | 1H: 20M | 0.4% | $24,000
Pump #2 | Motor | Switch | Product defect | 2H: 10M | 0.7% | $42,000
Conveyor | Belting | Roller | Contamination in the ball oil | 4H: 45M | 1.6% | $95,000

Exhibit 4.9 Loss Event Tracking Using External Data


A government agency is tasked with controlling the inflow of illegal drugs and other contraband through its ports.
Governments from multiple countries collect and share data, including:

• Port of origin
• Countries traveled through en route
• Ship carried on
• Type of goods carried
• Traditional cargo carried
• Frequency of trips
• Owner of vessel
• Owner of goods
• Receiver of goods
• Value of goods
• Delivery address

The data are measured against predefined threshold triggers in order to more effectively target inspections.

Ongoing Event Identification


The techniques illustrated above typically are applied in particular circumstances, with varying frequency over
time. Potential events also are identified on an ongoing basis in connection with routine business activities.
Exhibit 4.10 illustrates some of those techniques, which are useful in bringing to light risks and opportunities that
may be important to an entity’s achieving its objectives. This exhibit demonstrates how one company matches
its ongoing event identification mechanisms against external and internal factors that give rise to events, to aid in
determining whether there is a need to take further action.

Exhibit 4.10 Illustrative Event Identification Mechanisms

Interrelationship of Events That May Affect Objectives
In many circumstances multiple events can impact achievement of an objective. To gain an understanding and
insight into interrelationships, some companies use event tree diagrams, also known as fishbone diagrams. An
event tree diagram provides a means by which to identify and graphically represent uncertainty, generally
focusing on one objective and how multiple events affect its achievement. This technique is illustrated in Exhibit
4.11.

Exhibit 4.11 Linking Factors and Potential Events to Objective Unit of Measure

A company that sells mattresses through retail outlets seeks to maintain a 30% margin on sales. It looks to
determine which factors and events affect product demand and cost of production – either of which is likely to
affect achievement of the 30% margin objective. The objective is shown at the right end of the main “bone.” At an
angle to this main bone are sub-bones listing events that directly affect the objective. Sub-bone events that
positively affect achievement of the objective are depicted by an upward pointing arrow, and those with a negative
effect by a downward arrow. The related internal and external factors associated with the sub-bone events are
identified at the left.

Categorizing Events
By grouping similar potential events, management can better determine opportunities and risks.

Some entities categorize potential events to assist in ensuring event identification efforts are complete.
Categorization also can help to subsequently develop a portfolio view of risks. A categorization used by one
company, a hospital, is illustrated in Exhibit 4.12.

Exhibit 4.12 Illustrative Event Categorization

5. Risk Assessment

Framework Chapter Summary: Risk assessment allows an entity to consider the extent to which potential
events have an impact on achievement of objectives. Management assesses events from two perspectives -
likelihood and impact - and normally uses a combination of qualitative and quantitative methods. The positive
and negative impacts of potential events should be examined, individually or by category, across the entity.
Risks are assessed on both an inherent and a residual basis.

This chapter illustrates some of the techniques used in risk assessment. Included are illustrations of inherent
and residual risk assessments; qualitative techniques including risk ranking and questionnaires; quantitative
techniques including such probabilistic techniques as value at risk, market value at risk, loss distributions, and
back-testing, and non-probabilistic techniques such as sensitivity analysis, scenario analysis, stress testing, and
benchmarking. Also illustrated are techniques for risk and capital attribution used to estimate the amount of
capital required for accepted risks; how risks may be portrayed in risk maps, heat maps, or numerical
presentations; and techniques for entity-level views of risk.
Inherent and Residual Risk
Inherent risk is the risk to an entity in the absence of any actions management might take to alter either the risk’s
likelihood or impact.

An example of an inherent risk assessment, linking risks to objectives, is illustrated in Exhibit 5.1 (which builds
on Exhibit 4.1).

Exhibit 5.1 Inherent Risk Assessment


Operations objective: Hire 180 new qualified staff across all manufacturing divisions to meet customer demand without overstaffing

Objective unit of measure: Number of new qualified staff hired

Tolerance: 165–200 new qualified staff, with staff cost between 20% and 23% per dollar order

Inherent risk assessment

Risks | Likelihood | Impact
Insufficient number of qualified candidates available | 20% | 10% reduction in hiring, 18 unfilled positions
Initial candidate screening filters too stringent | 30% | 5% reduction in hiring due to poor candidate screenings, 9 unfilled positions

Residual risk is the risk that remains after management’s response to the risk.

Residual risk reflects the risk remaining after management’s intended actions to mitigate an inherent risk have
been effectively implemented. These may include diversification strategies related to customers, products, or
other concentrations; policies and procedures providing limits, authorizations, and other protocols; supervisory
staff reviewing and acting on performance measures; or automating criteria to standardize and accelerate
recurring decisions or transaction approvals. These actions may reduce the likelihood of occurrence of a
potential event, the impact of such event, or both.

In the following example, management assesses the inherent risk in changes in foreign currency exchange
rates, in terms of the effect on revenue generated by the company’s foreign operations. In this case,
management considered foreign exchange hedging as a risk response and reassessed the remaining exposure
after reflecting the effects of the hedges. The result of the risk assessment is illustrated in Exhibit 5.2.

Exhibit 5.2 Inherent and Residual Risk Assessment


Operations objective: Operating income from foreign operations of $100 million

Unit of measure: Change in operating income from foreign operations

Risk: Exchange rate fluctuation adversely affects operating income from foreign operations

Risk tolerance: Acceptable variation is +/- $10,000,000

Columns: Risk | Inherent risk assessment (Likelihood, Impact) | Risk response | Residual risk assessment (Likelihood, Impact)

Foreign exchange rate moves up 1 percentage point within 90 days | 10%, $5,000,000 | No response in place | 10%, $5,000,000
Foreign exchange rate moves up 1.5 percentage points within 90 days | 4%, $10,000,000 | Obtain foreign exchange hedge instruments to limit the impact | 4%, $5,000,000
Foreign exchange rate moves up 3 percentage points within 90 days | 1%, $20,000,000 | Obtain foreign exchange hedge instruments to limit the impact | 1%, $8,000,000
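The inherent and residual views in Exhibit 5.2 can be compared numerically. The following added example (not part of the COSO text) takes the exhibit's likelihoods, impacts and +/- $10,000,000 tolerance and computes the likelihood-weighted expected loss, the worst single impact and the tolerance breaches before and after the hedging response; the Scenario class and the assess() function are assumptions made for illustration.

```python
"""Inherent versus residual risk assessment, following Exhibit 5.2.

Added example, not part of the COSO text. The scenarios, likelihoods, impacts
and the +/- $10,000,000 tolerance come from the exhibit; the data structure,
the expected-loss arithmetic and the tolerance check are assumptions made for
illustration.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Scenario:
    event: str
    likelihood: float        # probability of the event within the 90-day horizon
    inherent_impact: float   # dollar impact with no risk response in place
    response: str
    residual_impact: float   # dollar impact after the response is effective


SCENARIOS: List[Scenario] = [
    Scenario("FX rate moves up 1 percentage point within 90 days",
             0.10, 5_000_000, "No response in place", 5_000_000),
    Scenario("FX rate moves up 1.5 percentage points within 90 days",
             0.04, 10_000_000, "Obtain FX hedge instruments to limit the impact", 5_000_000),
    Scenario("FX rate moves up 3 percentage points within 90 days",
             0.01, 20_000_000, "Obtain FX hedge instruments to limit the impact", 8_000_000),
]

RISK_TOLERANCE = 10_000_000   # acceptable variation in operating income, +/- $10,000,000


def assess(scenarios: List[Scenario], tolerance: float) -> Dict[str, object]:
    """Summarise the inherent and residual views of a set of scenarios.

    Expected loss is the likelihood-weighted impact; worst case is the largest
    single impact; breaches lists the scenarios whose impact alone would exceed
    the stated tolerance.
    """
    inherent_el = sum(s.likelihood * s.inherent_impact for s in scenarios)
    residual_el = sum(s.likelihood * s.residual_impact for s in scenarios)
    return {
        "inherent_expected_loss": inherent_el,
        "residual_expected_loss": residual_el,
        "inherent_worst_case": max(s.inherent_impact for s in scenarios),
        "residual_worst_case": max(s.residual_impact for s in scenarios),
        "inherent_breaches": [s.event for s in scenarios if s.inherent_impact > tolerance],
        "residual_breaches": [s.event for s in scenarios if s.residual_impact > tolerance],
        # how much of the inherent expected loss the responses remove
        "expected_loss_reduction": inherent_el - residual_el,
    }


if __name__ == "__main__":
    for name, value in assess(SCENARIOS, RISK_TOLERANCE).items():
        print(f"{name}: {value}")
```

Note that the hedge leaves the likelihoods unchanged and only reduces the impacts, which is why the 3-percentage-point scenario moves from outside to inside the tolerance while the expected loss falls from $1.1 million to $780,000.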

Qualitative and Quantitative Methodology and Techniques
An entity’s risk assessment methodology comprises a combination of qualitative and quantitative techniques.
Management often uses qualitative assessment techniques where risks do not lend themselves to quantification
or when either sufficient credible data required for quantitative assessments is not practically available or
obtaining or analyzing data is not cost-effective. Quantitative techniques typically bring more precision and are
used in more complex and sophisticated activities to supplement qualitative techniques.

Measurement Scales
In estimating likelihood and impact of potential events, whether on an inherent or a residual basis, some form of
measurement is applied. For purposes of illustration, there are four general types of measurement, namely,
nominal, ordinal, interval, and ratio.

• Nominal measurement – This is the simplest form of measurement and involves grouping events by such
categories as economic, technology, or natural environment. It does not involve any kind of ranking where one is
deemed “more” than another. Numbers assigned in nominal measurement are for identification purposes only –
like numbers assigned to baseball players – and items cannot be ordered, ranked, or added.
• Ordinal measurement – In this type of measurement events are listed in order of importance, perhaps with
such tags as high, medium, or low, or otherwise in rank-order along a scale. Management states that item one
is greater than item two. For instance, management may assess the likelihood of a new computer virus
disrupting its systems as greater than the likelihood of staff’s unauthorized transmittals of confidential
information.
• Interval measurement – Interval measures use a scale of numerically equal distances. If, for instance, the
impact of the loss of production of a key machine is measured as a “three,” the impact of a one-hour power
outage as a “six,” and the effect of 100 vacant positions as a “nine,” management can state that the difference in
potential impact between losing a machine and the one-hour power outage is the same as the difference
between the one-hour power outage and having 100 vacant positions. This does not mean, however, that the
impact of the event measured as a “six” is twice as great as the impact of the event measured as a “three.”
• Ratio measurement – A ratio measurement scale allows one to conclude that if the potential impact of one
event is assigned a “three” and another event a “six,” the second event has twice the potential impact as the
first. This is possible because ratio measurement includes the concept of a true zero, whereas interval
measurement does not.

Used here, nominal and ordinal measures are considered “qualitative” techniques, whereas interval and ratio
measures are quantitative.

Qualitative Techniques
While some qualitative risk assessments are put forth in subjective terms, and others in more objective ones, the
quality of the assessments depends largely on the knowledge and judgment of the individuals involved, their
understanding of potential events, and the surrounding context and dynamics.

The following exhibits portray qualitative assessments using ordinal measurement scales. Exhibit 5.3 illustrates
a scale of the likelihood of events affecting computer operations. In Exhibit 5.4, rankings are given to the range
of potential impacts of the risk of a hazardous materials release.

Exhibit 5.3 Likelihood Risk Ranking Affecting Computer Operations (Next Quarter Timeframe)

Level | Descriptor | Likelihood of Occurrence | Risk
1 | Rare | Very low | Technology systems shut down for prolonged periods by terrorist or other intentional action
2 | Unlikely | Low | A natural disaster or third party (e.g., utility) event requires invoking the business continuity plan
3 | Possible | Moderate | Hackers penetrate our computer security
4 | Likely | High | Internal staff use company resources to access inappropriate information from the Internet
5 | Almost certain | Very high | Internal staff use company resources for personal messaging

Exhibit 5.4 Impact Risk Ranking of Hazardous Materials Release (One Year Timeframe)

Objective: To manage hazardous materials in accordance with state and federal requirements

Risk: Unplanned release of hazardous material

Units of Measure:
• Production hours lost
• Containment costs
• Lost time injuries
• Compensation and related costs

Level | Relative Impact | Measures

1 | Insignificant
• No reportable incidents
• Minimal loss of production hours
• No injuries

2 | Minor
• 1–2 reportable incidents
• Materials contained on-site by staff
• Effect less than 5% of day’s production hours
• No or minor injuries

3 | Moderate
• Several reportable incidents
• Material contained on-site with outside assistance
• Effect between 5% and 20% of day’s production hours
• Out-patient medical treatment required

4 | Major
• Major reportable event
• Material released into environment, but without real or perceived detrimental effects
• Significant loss of production – between 20% and 100% of day’s production hours
• Limited in-patient care required

5 | Catastrophic
• Multiple major reportable events or a single catastrophic event
• Release into environment with significant detrimental effect, requiring significant third party resources
• Substantial loss of production capability – more than two days’ production hours
• Significant injuries

The questionnaire in Exhibit 5.5 is used by a company in a regulated industry in assessing risks related to
implementing new information systems, using categorization and risk ranking of low (green), moderate (yellow),
and high (red).

Exhibit 5.5 Risk Assessment for New Systems Implementation

Quantitative Techniques
Quantitative techniques can be used when enough information exists to estimate risk likelihood or impact using
interval or ratio measures. Quantitative methods include probabilistic, non-probabilistic, and benchmarking
techniques. An important consideration in quantitative assessment is availability of accurate data, either
internally or externally sourced, and one of the challenges in using these techniques is obtaining enough valid
data points.

Probabilistic Techniques
Probability-based techniques measure the likelihood and impact of a range of outcomes based on distributional
assumptions of the behavior of events. Probabilistic techniques include “at-risk” models (including value at risk,
cash flow at risk, and earnings at risk), assessment of loss events, and back-testing.
Value at Risk

Value-at-risk (VaR) models are based on distributional assumptions about change in the value of an item or
group of items, which is not expected to be exceeded with a given confidence level over a defined time
period. These models are used to estimate extreme ranges of value change expected to occur infrequently,
such as the estimated level of loss that would not be expected to be exceeded with 95% or 99% confidence.
Management chooses both the desired confidence and the time horizon over which the risk is assessed, based,
in part, on established risk tolerances.

Value-at-risk measures sometimes are used to rationalize capital required for business units by estimating, with
high confidence over a specified time horizon, the capital required to cover possible losses. The period for
capital measurement is set to coincide with the period of performance assessment.

One application of value at risk is market value at risk, which is used by trading institutions to assess exposures
to price changes affecting financial instruments and by some non-trading institutions as well. Market value at
risk is defined as the estimated maximum loss on an instrument or portfolio that can be expected over a given
time horizon with specified confidence. Exhibit 5.6 provides an example of a market-value-at-risk measure.
Exhibit 5.6 Market-Value-at-Risk Analysis

A financial services company assesses the risk of change in the value of its trading portfolio. It estimates the
maximum loss during any one day with 95% confidence, assuming portfolio value changes are represented by a
normal distribution, which takes into account all possible scenarios. Value at risk is depicted as follows:

The light blue area represents an estimate of losses that exceed the maximum loss estimated over one day with
95% confidence.

Cash Flow at Risk


This measure is similar to value at risk, except that it estimates a change in the cash flows of an organization or
business unit relative to a targeted cash flow expectation with a given confidence over a defined time horizon.
This is based on distributional assumptions about the behavior of changes in cash flows. Cash flow at risk is
used for businesses whose results are sensitive to changes in cash flows related to non-market-price factors.
For example, a computer manufacturer desiring to measure risk to its net cash flows may use a cash-flow-at-risk
technique that includes either one variable such as a foreign currency rate, or multiple variables such as
changes in gross domestic product, supply and demand for computer components, and corporate research and
development budgets. These measures would allow the company to assess its foreign currency risk in relation
to cash flows, or its broader cash flow performance.
Earnings at Risk
Similar to cash flow at risk, earnings at risk estimates a change in the accounting earnings of an organization or
business unit, the amount of which is not expected to be exceeded with given confidence over a defined time
period, based on distributional assumptions about the behavior of accounting earnings. Exhibit 5.7 provides an
example of an earnings-at-risk analysis.
Exhibit 5.7 Earnings-at-Risk Analysis

Management of a pharmaceutical company determines the company’s earnings at risk by

performing a Monte Carlo simulation on the revenue from sales of prescription drugs,

research spending, and other income/expenses. In this example, management is 95% sure that earnings will be at
least $1.10 per share.

Loss Distributions
Certain operational or credit loss distribution estimations use statistical techniques, generally based on non-
normal distributions, to calculate maximum losses resulting from operational risks with a given confidence level.
These analyses require collection of operational loss data categorized by root cause of the loss, such as criminal
activity, human resources, sales practices, unauthorized activity, management process, and technology. Using
these loss data and reflecting data on related insurance costs and proceeds, a preliminary loss distribution is
developed and then refined to take into account the organization’s risk responses.
Back-Testing

In this context, back-testing typically consists of periodic comparison of an entity’s at-risk measures with
subsequent profit or loss. Back-testing commonly is used by financial institutions. Some organizations,
including many banks, routinely compare daily profits and losses with their risk model-generated outputs to
gauge the quality and accuracy of their risk assessment systems, as illustrated in Exhibit 5.8.
Exhibit 5.8 Back-Testing Analysis
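The market-value-at-risk measure of Exhibit 5.6 and the back-test of Exhibit 5.8 fit together: the first produces a daily loss figure, the second checks how often realised losses exceeded it. The following added example (not part of the COSO text) computes a one-day 95% VaR under the exhibit's normal-distribution assumption and back-tests it against a constructed P&L history; the portfolio mean and standard deviation, the sample series and the binomial exception count are assumptions made for illustration.

```python
"""Parametric value at risk with a back-test, in the spirit of Exhibits 5.6 and 5.8.

Added example, not part of the COSO text. The 95% confidence level, one-day
horizon and normal-distribution assumption are the exhibit's; the portfolio
parameters, the constructed daily P&L series and the binomial exception test
are assumptions made for illustration.
"""
from math import comb
from statistics import NormalDist
from typing import Dict, List


def value_at_risk(mean: float, stdev: float, confidence: float) -> float:
    """Loss not expected to be exceeded with the given confidence over the horizon.

    Under a normal distribution of one-day P&L, the 5% worst outcome is the
    5th percentile of that distribution; VaR is reported as a positive loss.
    """
    worst = NormalDist(mean, stdev).inv_cdf(1.0 - confidence)
    return -worst


def backtest(daily_pnl: List[float], var: float, confidence: float) -> Dict[str, float]:
    """Compare realised daily P&L with the VaR figure the model produced.

    An exception is a day whose loss exceeded VaR. If the model is right,
    exceptions arrive with probability (1 - confidence) each day, so the
    count should look binomial; the p-value is the chance of seeing at
    least this many exceptions under that assumption.
    """
    n = len(daily_pnl)
    p = 1.0 - confidence
    exceptions = sum(1 for pnl in daily_pnl if -pnl > var)
    p_value = sum(comb(n, k) * p ** k * (1 - p) ** (n - k) for k in range(exceptions, n + 1))
    return {
        "days": n,
        "exceptions": exceptions,
        "expected_exceptions": p * n,
        "p_value": p_value,
        # flag the model when that many exceptions would be unusual at the 5% level
        "model_suspect": p_value < 0.05,
    }


# Constructed one-day P&L history in dollars (20 trading days); not real data.
DAILY_PNL: List[float] = [
    250_000, -400_000, 900_000, -1_800_000, 120_000, 60_000, -300_000, 700_000,
    -2_100_000, 450_000, 80_000, -950_000, 300_000, -1_200_000, 150_000,
    -100_000, 500_000, -600_000, 400_000, 200_000,
]
PORTFOLIO_MEAN, PORTFOLIO_STDEV, CONFIDENCE = 0.0, 1_000_000.0, 0.95


if __name__ == "__main__":
    var95 = value_at_risk(PORTFOLIO_MEAN, PORTFOLIO_STDEV, CONFIDENCE)
    print(f"one-day 95% VaR: ${var95:,.0f}")
    print(backtest(DAILY_PNL, var95, CONFIDENCE))
```

Two exceptions in 20 days against an expectation of one is well within what a correct model would produce, so the back-test does not question the model; a run of exceptions well beyond the expected count is what would prompt a review of the distributional assumption.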

Non-Probabilistic Techniques
Non-probabilistic techniques are used to quantify the impact of a potential event, based on distributional
assumptions, but without assigning likelihood of event occurrence. Thus, these techniques require that
management determine likelihood separately. Commonly used non-probabilistic techniques are sensitivity
analysis, scenario analysis, and stress testing.
Sensitivity Analysis
Sensitivity analysis is used to assess the impact of normal, or routine, changes in potential events. Due to
relative ease of calculation, sensitivity measures sometimes are used to complement a probabilistic approach.
Sensitivity analysis is used with:

• Operational measures, such as the effect of changes in sales volume on call center response time or number of
manufacturing defects.
• Equity securities, using beta. For equities, beta represents the ratio of the movements of an individual stock
relative to the movements of an overall market portfolio or a proxy such as the S&P 500 index.

Exhibit 5.9 illustrates use of a linear approximation to estimate changes in the value of a fixed income security.
This approximation (represented by the lighter line in the illustration) is constructed by using a fixed income
sensitivity measure, which measures the change in value for a small change in interest rate (between 4½% and
5½% in the illustration), and uses that measure to approximate change in value for large changes (outside the
4½% to 5½% range). The difference between the actual value (represented by the heavier line) and
approximated value is due to convexity.
Exhibit 5.9 Sensitivity Analysis of Fixed Income Instruments
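The linear approximation and convexity gap described above, carried through in code as an added example (not from the COSO document): a constructed 10-year, 5% annual-coupon bond is priced exactly at each rate, the sensitivity measure is taken over the 4½% to 5½% window the text names, and the difference between the exact value and the linear estimate at rates outside that window is the convexity the text refers to. The bond terms and the pricing formula are assumptions made for this example.

```python
"""Linear (sensitivity-measure) approximation of a fixed income security's value
versus its actual value, following the Exhibit 5.9 discussion.

Added example, not from the COSO document. The bond (10-year, 5% annual coupon,
$1,000 face) and the flat-yield pricing formula are constructed assumptions; the
4.5%-5.5% calibration window is the one the text describes."""

FACE = 1000.0
COUPON_RATE = 0.05
YEARS = 10


def bond_price(yield_rate: float, face: float = FACE,
               coupon_rate: float = COUPON_RATE, years: int = YEARS) -> float:
    """Actual value: present value of annual coupons plus principal at a flat yield."""
    coupon = face * coupon_rate
    pv_coupons = sum(coupon / (1 + yield_rate) ** t for t in range(1, years + 1))
    pv_principal = face / (1 + yield_rate) ** years
    return pv_coupons + pv_principal


def sensitivity_measure(low: float = 0.045, high: float = 0.055) -> float:
    """Change in value per unit change in rate, measured over the small window
    (4.5% to 5.5%). This is the slope of the lighter line in the exhibit."""
    return (bond_price(high) - bond_price(low)) / (high - low)


def linear_approximation(yield_rate: float, base_rate: float = 0.05) -> float:
    """Approximated value: extend the fixed sensitivity measure from the base rate,
    which is how the text says large rate changes are estimated."""
    return bond_price(base_rate) + sensitivity_measure() * (yield_rate - base_rate)


def convexity_gap(yield_rate: float) -> float:
    """Actual value minus approximated value: the difference the text attributes
    to convexity. It is zero at the base rate and grows with distance from it."""
    return bond_price(yield_rate) - linear_approximation(yield_rate)


def sensitivity_table(rates) -> list:
    """Rows of (rate, actual value, approximated value, convexity gap)."""
    return [(r, round(bond_price(r), 2), round(linear_approximation(r), 2),
             round(convexity_gap(r), 2)) for r in rates]


if __name__ == "__main__":
    # Rates inside the window track the line closely; rates well outside it do not.
    for r, actual, approx, gap in sensitivity_table(
            [0.02, 0.04, 0.045, 0.05, 0.055, 0.06, 0.08, 0.10]):
        print(f"{r:5.1%}  actual={actual:9.2f}  approx={approx:9.2f}  gap={gap:7.2f}")
```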

Scenario Analysis
Scenario analysis assesses the effect on an objective of one or more events. Scenario analysis may be used in
connection with business continuity planning or estimating the impact of a system failure or network failure, and
reflects the effects across the business. Scenario analysis may be performed in strategic planning as
management seeks to link growth, risk, and return, as shown in Exhibit 5.10, where risks are assessed in terms
of shareholder value added.
Exhibit 5.10 Analysis of Various Scenarios Across Multiple Business Units on Total Shareholder Value Added

Impact of Key Potential Business Scenarios on Shareholder Value Added by Business Unit ($ Millions)

Unit | Potential Business Scenario | Increase (Decrease) in SVA
1 | Risk rating deteriorates by 20% | $ (150)
1 | Consumer loans decrease by 10% | (120)
1 | Increased competition – one new market entrant | (100)
1 | Revenue in the banking group decreases by 15% | (80)
1 | Loss of a top-tier customer | (50)
1 | … |
2 | Increased competition – one new market entrant | $ (50)
2 | Revenue declines by 10% due to customer service | (30)
2 | Loss of a top-tier customer | (20)
2 | Unsuccessful new product launch | (20)
2 | One new pending “large” (but not “mega”) lawsuit | (20)
2 | … |
3 | Increased competition – one new market entrant | $ (40)
3 | Loss of a top-tier customer | (30)
3 | Reduction of asset base by 10% | (20)
3 | … |

Stress Testing
Stress testing assesses the impact of extreme events. Stress testing differs from scenario
analysis in that it focuses on the direct impact of a change in only one event or activity under extreme
circumstances, as opposed to focusing on changes on a more normal scale as in scenario analysis. Stress
testing generally is used as a complement to probabilistic measures to examine the results of low likelihood, high
impact events that might not be captured adequately by distributional assumptions used with probabilistic
techniques. Similar to sensitivity analysis, stress testing often is used to assess the impact of changes in
operational events or financial market movements in order to avoid big surprises and losses. Stress tests
include, for example, estimation of the effect of a rapid and large:

• Increase in product manufacturing defects
• Movement in a foreign exchange rate
• Movement in price of an underlying factor on which a derivative instrument is based
• Increase in interest rates on the value of a fixed income investment portfolio
• Increase in energy prices affecting the cost to run a manufacturing plant

Benchmarking
Some companies use benchmarking techniques to assess a specific risk in terms of likelihood and impact,
where management seeks to enhance its risk response decisions to reduce either likelihood or impact.
Benchmark data can provide management insight into the likelihood or impact of risks based on experiences of
other organizations. Benchmarking also is used with respect to activities in a business process to identify
opportunities for process improvement.

Benchmarks include:

• Internal – Compare measures of one department or division with others of the same entity
• Competitive/industry – Compare measures among direct competitors or broader groups of companies with
similar characteristics
• Best-in-class – Look at like measures among companies across industries

An example of a competitive/industry benchmark is presented in Exhibit 5.11, which depicts the effect of events
related to shrinkage within a peer group.
Exhibit 5.11 Comparison of Inventory Losses

Risk and Capital Attribution
Some organizations, particularly financial institutions, estimate economic capital. Some companies use this term
to refer to the amount of capital required to cover financial exposures. Others use it somewhat differently, as a
measure of capital needed to run the business as planned. It is used by management in strategy setting, resource
allocation, and performance measurement. An illustration is shown in Exhibit 5.12.

Exhibit 5.12 Using Economic Capital

A bank uses “economic capital” to estimate the amount of equity required. It represents the level of equity capital
required within a given time period, at a given confidence level. For example, the bank adopts a 95% confidence
level and two-year time period to determine its economic capital requirements. After modeling its expected
earnings distribution taking into account market, credit, operational, and fixed asset risk, management identifies its
economic capital requirement as $120,638,000, as follows:

Recognizing the lack of precision in operational risk measurement methodology, and recognizing exposure
beyond the 95% confidence level, the bank’s policy is to create an additional “capital cushion” on top of its
economic capital requirement to provide additional confidence that the calculated economic capital balance is
sufficient.

The bank also uses the relationship of economic capital to book capital as a guidepost in strategic direction. When
book capital minus the capital cushion is less than required economic capital, management looks to whether it
should:

• Scale back certain business activities
• Raise additional equity
• Lower its risk positions in its lending, investing, or operational activities

When book capital minus the capital cushion is greater than required economic capital, management considers
opportunities to:

• Expand its business into new products or markets
• Take higher-risk positions in its lending, investing, or operational activities
• Return capital to shareholders

Portraying Risk Assessments
Organizations use any of a number of different methods to portray risk assessments. Portraying risks in a clear
and concise manner is especially important with qualitative assessment because risks are not summarized in
one number or range of numbers as with quantitative techniques. Techniques include risk maps and numerical
representations.

Risk Maps
A risk map is a graphic representation of likelihood and impact of one or more risks. Risk maps may take the
form of heat maps or process charts that plot quantitative or qualitative estimates of risk likelihood and impact.
Risks are depicted in a way that highlights which risks are more significant (higher likelihood and/or impact) and
which are less significant (lower likelihood and/or impact). Depending on the level of detail and depth of
analysis, risk maps either can present the overall expected likelihood and/or impact or can incorporate an
element of variability of likelihood and/or impact. The following examples of risk maps depict assessment of
risks relating to the objective of retaining high-performing employees.

Exhibit 5.13 illustrates a heat map, presenting risk levels (likelihood and impact) by color, where red represents
high risk, yellow moderate risk, and green low risk.

Exhibit 5.13 Heat Map

A company assesses risks to its objective of maintaining a quality workforce. Likelihood is considered in terms of
percentage turnover within a specified period and impact in terms of cost of operational inefficiency and cost to
replace, retrain, and develop employees. Color coding highlights those risks that are most likely to occur and most
likely to have a significant effect on objectives.

Risk | Topic | Description | Likelihood | Impact
A | Compensation | Employee dissatisfaction with compensation leads to higher staff turnover. | Possible | Moderate
B | Recognition | Employees feel unrecognized, resulting in reduced focus on tasks and higher error rates. | Unlikely | Minor
C | Downsizing | Employees are over-utilized and work considerable overtime. Staff leave to pursue work in other organizations that offer a better work/life balance. | Likely | Moderate
D | Demographics | Changing demographic composition of the employee group causes increased turnover. | Almost Certain | Moderate
E | Employment market | Increased demand for company employees by recruiting firms. | Unlikely | Moderate
F | Performance evaluation | Employee dissatisfaction with performance appraisal measures and processes causes low morale, staff to focus on non-critical objectives, and loss of staff to companies perceived to be employers of choice. | Possible | Moderate
G | Communication | Ineffective communication between employees and management results in mixed messages being heard and in the pursuit of alternative employment. | Possible | Moderate
H | Workplace safety | Unsafe workplace causes employee injury and resignations by injured staff and by others concerned over safety issues. | Unlikely | Major
I | Career development | Employees perceive limited control over their career development, causing higher turnover. | Possible | Moderate
J | Work diversity | Employee dissatisfaction with job variety results in rote performance, higher errors in key processes, and pursuit of more interesting job opportunities outside the company. | Possible | Moderate

These same risks can be depicted in a matrix risk map with likelihood on the horizontal axis and impact on the
vertical, as illustrated in Exhibit 5.14. Because this provides more information, management can more readily
prioritize where attention is needed.

Exhibit 5.14 Risk Map of Mean Values for Likelihood and Impact

Exhibit 5.15 provides the same basic information, but in still further depth. It presents information on variability
around risk likelihood and impact, providing management with an additional perspective on the risks.

Exhibit 5.15 Risk Map Showing Variability for Likelihood and Impact
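The heat map of Exhibit 5.13 and the likelihood/impact matrix of Exhibit 5.14, built from the ten workforce risks (A to J) listed above, as an added example that is not part of the COSO document. The ordinal ranks for the qualitative scales and the red/yellow/green cut-offs are assumptions made for this example; the exhibit shows its colours only as a figure.

```python
"""Risk heat map (Exhibit 5.13) and likelihood/impact matrix (Exhibit 5.14) for the
ten workforce risks A-J. Added example, not the COSO document's own code.

Assumptions: the ordinal ranking of the qualitative scales and the colour cut-offs
below are choices made for this example; the document states neither."""

from collections import defaultdict

# Ordinal ranks for the qualitative scales used in the exhibit (assumed ordering).
LIKELIHOOD = {"Unlikely": 1, "Possible": 2, "Likely": 3, "Almost Certain": 4}
IMPACT = {"Minor": 1, "Moderate": 2, "Major": 3}

# Risk register transcribed from Exhibit 5.13: (id, topic, likelihood, impact).
RISKS = [
    ("A", "Compensation", "Possible", "Moderate"),
    ("B", "Recognition", "Unlikely", "Minor"),
    ("C", "Downsizing", "Likely", "Moderate"),
    ("D", "Demographics", "Almost Certain", "Moderate"),
    ("E", "Employment market", "Unlikely", "Moderate"),
    ("F", "Performance evaluation", "Possible", "Moderate"),
    ("G", "Communication", "Possible", "Moderate"),
    ("H", "Workplace safety", "Unlikely", "Major"),
    ("I", "Career development", "Possible", "Moderate"),
    ("J", "Work diversity", "Possible", "Moderate"),
]


def risk_score(likelihood: str, impact: str) -> int:
    """Product of the two ordinal ranks; higher means more significant."""
    return LIKELIHOOD[likelihood] * IMPACT[impact]


def heat_colour(likelihood: str, impact: str) -> str:
    """Map a score to the exhibit's three colours. Cut-offs are an assumption:
    6 and above red (high), 3 to 5 yellow (moderate), 2 and below green (low)."""
    score = risk_score(likelihood, impact)
    if score >= 6:
        return "red"
    if score >= 3:
        return "yellow"
    return "green"


def heat_map(risks=RISKS) -> dict:
    """Risk id -> colour: the tabular form of the Exhibit 5.13 heat map."""
    return {rid: heat_colour(lik, imp) for rid, _, lik, imp in risks}


def risk_matrix(risks=RISKS) -> dict:
    """(impact, likelihood) -> sorted risk ids: the cells of the Exhibit 5.14 matrix."""
    cells = defaultdict(list)
    for rid, _, lik, imp in risks:
        cells[(imp, lik)].append(rid)
    return {cell: sorted(ids) for cell, ids in cells.items()}


def render_matrix(risks=RISKS) -> str:
    """Plain-text grid with impact on the vertical axis (Major at top) and
    likelihood on the horizontal axis, as the text describes Exhibit 5.14."""
    cells = risk_matrix(risks)
    cols = list(LIKELIHOOD)
    width = 16
    lines = ["Impact / Likelihood".ljust(width + 4) + "".join(c.ljust(width) for c in cols)]
    for imp in sorted(IMPACT, key=IMPACT.get, reverse=True):
        row = imp.ljust(width + 4)
        for lik in cols:
            row += ",".join(cells.get((imp, lik), [])).ljust(width)
        lines.append(row.rstrip())
    return "\n".join(lines)


def prioritised(risks=RISKS) -> list:
    """Risk ids from most to least significant (score descending, then id), which
    is the ordering management would use to decide where attention is needed."""
    return [rid for rid, _, lik, imp in
            sorted(risks, key=lambda r: (-risk_score(r[2], r[3]), r[0]))]


if __name__ == "__main__":
    for rid, topic, lik, imp in RISKS:
        print(f"{rid} {topic:24} {lik:15} {imp:9} {heat_colour(lik, imp)}")
    print(render_matrix())
    print("Priority order:", " ".join(prioritised()))
```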

Numerical Representations
Depending on the business context, quantitative measures of risk can be presented in monetary or percentage
terms, and can be presented with a specified confidence interval, for example, 95% or 99% confidence. One
example of a numerical representation is shown in Exhibit 5.6, with a value-at-risk measure. Another is shown in
Exhibit 5.10, with a shareholder-value-added measure using scenario analysis. Another example is shown in
Exhibit 5.16, illustrating risks related to customer concentrations. In this exhibit, the largest customer is
segmented by geographical region, providing information on regional exposure.

Exhibit 5.16 Revenue Analysis by Customer

Entity-Level Views

As part of risk assessment, management may leverage business unit risk assessments or conduct a separate
assessment using techniques illustrated earlier to form an entity-level risk profile. Overall risk assessments may
take the form of an aggregate risk measure where underlying risk measures are of like types and where
correlations between risks are considered. Another aggregation approach is to translate related but unlike risk
measures to a common unit of measure, as shown in Exhibit 5.17.

Exhibit 5.17 Analysis of the Effect of Multiple Business Unit Measures on a Single Entity-Level Measure (EPS)

This company assesses the risk impact within its respective departments using the units of measure established
for the department: equipment availability, customer payment default, and staffing levels. These are portrayed in
the following diagrams. At the entity level, management assesses risk in terms of entity earnings per share (EPS)
as shown in the first diagram, where the effect of each business unit measure is converted to the entity-level
measure based on the budgeted contribution or loss from each activity. The dashed lines in the first diagram
represent the upper and lower EPS risk tolerances.

When direct aggregation of risk measures is not possible, some managements find it useful to compile
measures in a summary report in order to facilitate drawing conclusions and making decisions. In these cases,
even though measures are not directly aggregated, management subjectively places the risks on the same
qualitative or quantitative scale to assess likelihood and impact of multiple risks to a single objective, or the
effect of one risk on multiple objectives.

For example, management of one company estimates the impact on EPS of several different events, as
illustrated in Exhibit 5.18. In this exhibit the effects on business units of a 100 basis point decrease in foreign
exchange rate naturally offset at the entity level, so that any actions taken by one or more of the business units
to manage foreign exchange exposures could adversely affect the entity as a whole. A 100 basis point increase
in interest rate would only partially offset on an entity-wide basis, and management might respond to this risk
either within one or more of the business units or at the entity level. Similarly, for the risks related to movements
in the price of raw material and pending union negotiations, management would decide where and how to
respond, to keep within entity-level risk tolerances.

Exhibit 5.18 Analysis of the Effect of Multiple Risks Across Business Units (Dollar Amounts in Thousands Except EPS)

Objective: To achieve consistent earnings growth

Risk | | Corp Business Unit Contribution | Div 1 Business Unit Contribution | Div 2 Business Unit Contribution | Div 3 Business Unit Contribution | Entity Earnings per Share
Decrease in local currency in relation to U.S. dollar by 100 basis points | Impact | $(1,000) | $600 | $300 | $100 | $ 0.00
 | Likelihood | 20% | | | |
Increase in interest rate by 100 basis points | Impact | $ (750) | $1,600 | $800 | $100 | $ (0.035)
 | Likelihood | 20% | | | |
Increase in raw materials price of 10% | Impact | - | $10,000 | $5,000 | $5,000 | $ (0.40)
 | Likelihood | - | 20% | 30% | 15% |
Pending union negotiations halt production for > 10 days | Impact | - | $5,000 | $0 | $1,000 | $ (0.12)
 | Likelihood | - | 10% | 0% | 25% |
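An added example (not the document's own code) that carries the Exhibit 5.18 aggregation through: business unit impacts are summed to an entity-level net loss, converted to EPS, and each risk is classified by how much of the unit-level exposure offsets naturally across units, which is the distinction the text draws between the foreign exchange and interest rate rows. The share count (50 million) and the sign convention are assumptions chosen so that the exhibit's EPS figures are reproduced; the document states neither.

```python
"""Aggregating business-unit risk impacts into an entity-level EPS measure and
detecting natural offsets across units, following the Exhibit 5.18 discussion.
Added example, not from the COSO document.

Assumptions: a positive contribution impact is a loss to that unit and a negative
one (shown in parentheses in the exhibit) is a gain; 50 million shares outstanding
is chosen so the exhibit's EPS figures come out, the document does not state it."""

SHARES_OUTSTANDING = 50_000_000  # assumed, see module docstring
UNITS = ("Corp", "Div 1", "Div 2", "Div 3")

# Impacts in thousands of dollars per unit, transcribed from Exhibit 5.18.
# None marks a unit the exhibit shows as not exposed ("-").
RISKS = {
    "Local currency down 100 bp vs U.S. dollar": (-1000, 600, 300, 100),
    "Interest rate up 100 bp": (-750, 1600, 800, 100),
    "Raw materials price up 10%": (None, 10000, 5000, 5000),
    "Union negotiations halt production > 10 days": (None, 5000, 0, 1000),
}


def net_loss(impacts) -> int:
    """Entity-level loss in $ thousands: gains in some units cancel losses in others."""
    return sum(v for v in impacts if v is not None)


def eps_effect(impacts, shares: int = SHARES_OUTSTANDING) -> float:
    """Change in EPS from the net loss; negative means EPS decreases."""
    return round(-net_loss(impacts) * 1000 / shares, 3)


def offset_ratio(impacts) -> float:
    """Share of gross unit losses cancelled by gains elsewhere in the entity (0..1)."""
    losses = sum(v for v in impacts if v is not None and v > 0)
    gains = -sum(v for v in impacts if v is not None and v < 0)
    if losses == 0:
        return 1.0
    return min(gains / losses, 1.0)


def offset_class(impacts) -> str:
    """Where the text places the response decision for each kind of risk."""
    ratio = offset_ratio(impacts)
    if ratio >= 1.0:
        return "natural offset: unit-level hedging could adversely affect the entity"
    if ratio > 0.0:
        return "partial offset: respond within units or at the entity level"
    return "no offset: decide where and how to respond to stay within tolerance"


def entity_view(risks=RISKS) -> dict:
    """Risk -> (net loss in $ thousands, EPS effect, offset ratio, classification)."""
    return {name: (net_loss(imp), eps_effect(imp), round(offset_ratio(imp), 2),
                   offset_class(imp)) for name, imp in risks.items()}


if __name__ == "__main__":
    for name, (net, eps, ratio, cls) in entity_view().items():
        print(f"{name:46} net={net:>7,} EPS={eps:+.3f} offset={ratio:.0%}  {cls}")
```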

Management of another company assesses the effect of a single event on multiple objectives, illustrated in
Exhibit 5.19. Using one of the risks addressed in Exhibit 5.18 – union negotiations halting production for more
than 10 days – management assesses its effect on multiple objectives.

Internal Use Only


Exported on 23/02/2022 10:29 pm © All rights are reserved. Page 1525
Exhibit 5.19 Analysis of the Effect of a Single Risk Across Business Units

Risk: Pending union negotiations halt production for > 10 days

Objective | | Div 1 | Div 2 | Div 3 | Entity
 | Likelihood | 10% | 0% | 25% |
Maintain a return on equity of 15% | Unit of Measure | Production Hrs | Production Hrs | Production Hrs | Earnings per Share
 | Impact | -50,000 | 0 | -10,000 | $ -.80
Increase our market share in Europe | Unit of Measure | - | BU Contribution | - | Earnings per Share
 | Impact | - | -500 | - | -.45
Increase annual sales per sales representative | Unit of Measure | Units Sold | Units Sold | Units Sold | Earnings per Share
 | Impact | -50,000 | 0 | -10,000 | -.30
Increase employee productivity | Unit of Measure | Production Units | Production Units | Production Units | Earnings per Share
 | Impact | -25,000 | 0 | -5,000 | -.05

6. Risk Response

Framework Chapter Summary: Having assessed relevant risks, management determines how it will respond.
Responses include risk avoidance, reduction, sharing, and acceptance. In considering its response,
management assesses the effect on risk likelihood and impact, as well as costs and benefits, selecting a
response that brings residual risk within desired risk tolerances. Management identifies any opportunities that
might be available, and takes an entity-wide, or portfolio, view of risk, determining whether overall residual risk is
within the entity’s risk appetite.

This chapter illustrates some of the techniques used in risk response. Included are illustrations of techniques
used in evaluating risk response alternatives in relation to risk tolerance, evaluating costs and benefits of
alternative responses, and considering the portfolio view.

Risk Responses: Avoid, Reduce, Share, Accept
For significant risks, an entity typically considers potential responses from a range of response options.

Examples of risk responses for avoidance, sharing, reduction, and acceptance are presented in Exhibit 6.1.

Exhibit 6.1 Illustrative Risk Responses by Response Type

Avoidance
• Disposing of a business unit, product line, geographical segment
• Deciding not to engage in new initiatives/activities that would give rise to the risks

Sharing
• Insuring significant unexpected loss
• Entering into joint venture/partnership
• Entering into syndication agreements
• Hedging risks through capital market instruments
• Outsourcing business processes
• Sharing risk through contractual agreements with customers, vendors, or other business partners

Reduction
• Diversifying product offerings
• Establishing operational limits
• Establishing effective business processes
• Enhancing management involvement in decision making, monitoring
• Rebalancing portfolio of assets to reduce exposure to certain types of losses
• Reallocating capital among operating units

Acceptance
• “Self-insuring” against loss
• Relying on natural offsets within a portfolio
• Accepting risk as already conforming to risk tolerances

At the completion of its risk response actions, management may have a view of individual risks and responses
and their alignment with associated tolerances, as illustrated in Exhibit 6.2 (which builds on Exhibit 5.1).

Exhibit 6.2 Linking Objectives, Events, Risk Assessment, and Risk Response

Operations objective | • Hire 180 new qualified staff across all manufacturing divisions to meet customer demand without overstaffing
 | • Maintain 22% staff cost per dollar order
Objective unit of measure | Number of new qualified staff hired
Tolerance | 165–200 new qualified staff, with staff cost between 20% and 23% per dollar order

Risks | Inherent risk assessment: Likelihood | Inherent risk assessment: Impact | Risk Response | Residual risk assessment: Likelihood | Residual risk assessment: Impact
Decreasing number of qualified candidates available | 20% | 10% reduction in hiring; 18 unfilled positions | Contract in place with a third party hiring agency to source candidates | 10% | 10% reduction in hiring; 18 unfilled positions
Unacceptable variability in our hiring process | 30% | 5% reduction in hiring due to poor candidate screenings; 9 unfilled positions | Review of hiring process conducted every two years | 20% | 2% reduction in hiring due to poor candidate screenings; 4 unfilled positions

Alignment with risk tolerance | Response expected to bring company within risk tolerance

Considering Risk Responses


As with assessing inherent risk, residual risk may be assessed qualitatively or quantitatively. Generally, the
same measures used in assessing inherent risk are used in assessing residual risk. The approach taken by one
company is illustrated in Exhibit 6.3.

Exhibit 6.3 Effect of Risk Response on Residual Risk

Strategic objective | Expand product offerings related to health-based cat foods
Operations objective | Generate $30 million in “year-one” revenue by introducing one new “healthy-cat” product
Unit of measure | Revenue from new products
Risk tolerance | $25–35 million in new revenue

Risks | Inherent Risk: Likelihood | Inherent Risk: Impact on Revenue from New Product | Risk Response Alternatives | Residual Risk: Likelihood | Residual Risk: Impact
Competitor reaches market first | 40% | ($10,000,000) | A – Provide additional funding to the R&D and Production divisions to reach market within the next 90 days | 20% | 15% less revenue from new products ($4,500,000)
 | | | B – Take no specific action to be first to market | 40% | ($10,000,000)
Market acceptance of this new product is slower than market research suggests | 25% | ($15,000,000) | C – Co-brand product with an established third party | 20% | 10% less revenue from new product ($3,000,000)
 | | | D – Pilot in test market; modify marketing approach accordingly | 15% | 15% less revenue from new product ($4,500,000)
 | | | E – Take no action to ensure market acceptance | 25% | ($15,000,000)

For some risks, management may rely on multiple techniques to reduce the overall residual risk in order to meet
its risk tolerance. Exhibit 6.4 illustrates how a company uses multiple risk response techniques to reduce the
risk of non-compliance with local environmental laws and regulations. In this example, management has not
evaluated the effect of each risk response selected but has evaluated them together to establish residual risk.

Exhibit 6.4 Multiple Risk Responses

Compliance objective | Pesticides are used at the company premises in accordance with all relevant environmental laws and regulations
Unit of measure | Rate of compliance
Target | 100% compliance
Risk tolerance | 98%–100%

Risks | Inherent Risk: Likelihood | Inherent Risk: Impact | Selected Risk Response | Residual Risk: Likelihood | Residual Risk: Impact
Pesticides are sprayed in prohibited areas | Moderate | Fines, sanctions, reputational damage | Distribution of all pesticides for use on company grounds is coordinated through the Facilities Department; a web-based notification form is completed by all grounds persons setting out key details 72 hours before pesticides are applied; all prohibited areas are clearly marked | Low | Fines, sanctions, reputational damage

Costs versus Benefits


Virtually every risk response will incur some direct or indirect cost that is weighed against the benefits it creates.
The initial cost to design and implement a response (processes, people, and technology) is considered, as is the
cost to maintain the response on an ongoing basis. The costs, and associated benefits, can be measured
quantitatively or qualitatively, with the unit of measure typically consistent with that used in establishing the
related objective and risk tolerance. A cost–benefit analysis is illustrated in Exhibit 6.5.

Exhibit 6.5 Evaluating the Costs and Benefits of Alternative Risk Responses

A supplier to the automotive industry manufactures aluminum suspension modules. The supplier is in a “tandem”
relationship with an original equipment manufacturer (OEM), where the vast majority of revenue is generated with
the OEM. This OEM traditionally revises its forecasted demand by an average of 20%, always late in the cycle,
creating a high degree of uncertainty for the supplier’s production and scheduling activities. If the OEM were not
to significantly revise demand late in the cycle, the supplier would be able to increase plant utilization by
increasing its manufacturing of products for other customers, thereby increasing profitability. The supplier seeks
to optimize scheduling and capacity planning for plant utilization to achieve 95% average monthly utilization.
Management assessed the most significant risk to this objective – that is, the high level of uncertainty regarding
actual demand from the OEM – and assessed costs and benefits of the following risk responses:

A Accept – Absorb the cost of having to respond to late changes in OEM demand, and consider the extent to which
it can produce and sell product to other customers within the constraints of the OEM relationship

B Avoid – Exit the relationship with the OEM, and establish relationships with new customers offering more stable
demand

C Share – Negotiate a revision to the current contract, stipulating a “take or pay” clause to ensure a certain rate of
return

D Reduce – Install a more sophisticated forecasting system, which analyzes external factors (e.g., public
information on consumer budgets, OEM and dealership inventories) and internal factors (historical orders from
various sources) to better project actual demand from all customers

The following table compares the costs and benefits of these responses. Costs relate predominantly to supply
chain management, marketing, information technology, and legal functions. Benefits are expressed using the unit
of measure for the objective – plant utilization – and the resulting effect on targeted earnings before interest and
taxes (EBIT).

Response | Cost | Description | Benefits
A Accept | $750,000 | Marketing/sales efforts required to generate additional customers, and additional transportation costs, $750,000 | Management predicts it can sell an additional 2% to other customers, bringing utilization up to 82%. Effect on EBIT: increase of $1,250,000
B Avoid | $1,500,000 | Unit price drops 2% due to smaller customers paying less than premium price; $750,000 in increased salary costs for personnel required to identify, win, and sustain new customers; $250,000 in increased outbound logistics costs due to larger number of suppliers; $500,000 in legal fees to negotiate and finalize new agreements | Marketing efforts allow utilization of 97%. Effect on EBIT: increase of $1,560,000
C Share | $350,000 | Unit price drops 5% due to increased pressure from OEM in response to “take or pay” nature of relationship; $250,000 in legal fees to negotiate and revise contract agreement; $100,000 to improve data sharing, forecasting, and planning | New contract allows utilization of 99%. Effect on EBIT: increase of $100,000
D Reduce | $1,050,000 | Average unit price drops 1% due to smaller customers not paying premium price; $500,000 for purchasing new software; $50,000 for new software training; $500,000 for increased forecasting and analysis | Improved forecasting provides sufficient time to win alternative customers for a utilization of 98%. Effect on EBIT: increase of $3,170,000

With this analysis, and considering the likelihood of each alternative and sustainability of results, management
decided on response D.

Portfolio View of Residual Risk


With a view of risk for individual units, an enterprise’s senior management is well positioned to take a portfolio
view, to determine whether the entity’s residual risk profile is commensurate with its overall risk appetite relative
to its objectives.

A portfolio view of risk can be depicted in any of a number of ways. Exhibit 6.6 illustrates how a company
assesses risks from across the organization. The likelihood of events is presented in the context of frequency of
occurrence, and the potential impact using a single entity unit of measure – operating earnings.

Exhibit 6.6 Portfolio View of Residual Risk

Internal Use Only


Exported on 23/02/2022 10:29 pm © All rights are reserved. Page 1550
Exhibit 6.7 illustrates how managers of a company’s business units establish objectives, risk tolerances, and
performance measures relevant to their operations in terms of business unit contribution. The business units’
risk assessments then are presented as a portfolio view, enabling entity-level management to consider the units’
risks, by objective, in terms of an earnings per share measure relative to the entity as a whole.

Exhibit 6.7 Portfolio View of Residual Risk


A company that manufactures and distributes inflatable rafts for personal recreational use has its corporate
headquarters in southern California, and two business units, one in South Carolina and the other in Oregon. The
company assessed its key risks, which are changes in interest rates, which correlate directly to customer demand
for its product; unexpected increases in the price of raw materials; and the potential of a work stoppage.
Management assessed the risks, developed risk responses, and formed a portfolio view in terms of earnings per
share. Some risk responses, such as the hedging program to reduce the effect of changing interest rates and the
negotiating strategy to reduce the likelihood of a work stoppage, are coordinated and executed at the entity level.
Other responses, such as the decision to enter into long-term contracts to reduce the likelihood and impact of
unexpected raw materials price increases, and the redistribution of production scheduling to other regions to
reduce the impact of a work stoppage, are executed at the regional level.

Internal Use Only


Exported on 23/02/2022 10:29 pm © All rights are reserved. Page 1551
7. Control Activities

Framework Chapter Summary: Control activities are the policies and procedures that help ensure that
management’s risk responses are carried out. Control activities occur throughout the organization, at all levels
and in all functions. They include a range of activities - as diverse as approvals, authorizations, verifications,
reconciliations, reviews of operating performance, security of assets, and segregation of duties.

This chapter illustrates how control activities support risk responses, and how control activities themselves may
serve as a risk response.

Integration with Risk Response


Having selected risk responses, management identifies control activities needed to help ensure that the risk
responses are carried out properly and in a timely manner.

Exhibit 7.1 provides illustrations of how control activities align with each of the response types of avoidance,
reduction, sharing, and acceptance.

Exhibit 7.1 Risk Responses and Control Activities
 Risk Avoidance – In looking to improve operating margins, a software company’s management considered
moving programming activities to a country with lower labor costs. After assessing the associated risks,
management decided such a move is outside the company’s risk appetite, and that contracting of programming
activities will be done only within the company’s home country. To help ensure the policy decision is properly
implemented, the “New Programmer” form was amended to include the country of vendor operations; this
information is reviewed and electronically signed off by senior management as the basis for programmer selection.
 Risk Reduction – A hospital’s management recognized that its ability to protect the health and well-being of its
patients would be adversely affected by a disruption in electrical power supply. Management responded by
installing back-up electrical generators. To help ensure that the generators operate when needed, the hospital’s
engineering department conducts routine maintenance, with maintenance logs reviewed monthly by the head of
the engineering department.
 Risk Sharing – A manufacturing company determined that a prolonged disruption to its plant would significantly
impact its ability to meet its production targets. Based on assessment of the company’s capital position, its risk
tolerance, and the cost of sharing the risk with an insurer, management approved purchasing insurance coverage for
the value of lost production for a period of up to six months. To help ensure that the response is implemented, the
Chief Risk Manager periodically reviews the company’s coverage, as well as compliance with all negotiated terms
and conditions of the agreement with the insurer, and reports to the Chief Operating Officer on compliance.
 Risk Acceptance – A company’s management identified changes in world commodity prices as a risk. After
assessing the risk likelihood and impact and considering the company’s risk tolerance, management decided to
accept the risk. Management instituted a policy whereby the Treasury Department formally reassesses the
exposure every three months and reports to the management committee its recommendation on whether a
hedging strategy should be adopted.

Control Activities Serving as Risk Response
While control activities generally are established to ensure risk responses are appropriately carried out, with
respect to certain objectives, control activities themselves are the risk response.

In some circumstances control activities themselves serve as the risk response. This frequently is the case with
respect to risks related to reporting objectives. Exhibit 7.2 provides an illustration.

Exhibit 7.2 Relationship Between Objectives, Risks, Responses, and Control Activities

Reporting objective: Asset acquisitions and expenses incurred are entered for processing completely (C) and
accurately (A), and are valid/occurred (V)
Unit of measure: Financial reporting errors detected, measured in dollars
Target: Errors in monthly financial statements are less than $100,000
Tolerance: Errors less than $110,000

Risks, each with its inherent risk assessment (likelihood; impact), risk response, and residual risk assessment
(likelihood; impact):

Risk: Vendor invoice amounts are captured incorrectly
  Inherent risk: Possible; Minor ($5,000–$15,000)
  Risk response: See below for control activities that serve as the responses to these risks
  Residual risk: Unlikely; Minor ($2,500–$7,500)

Risk: Vendor invoices are not received prior to the month-end cutoff
  Inherent risk: Almost Certain; Moderate ($10,000–$25,000)
  Risk response: Control activities below
  Residual risk: Possible; Minor ($2,500–$7,500)

Risk: Vendors are paid from statements as well as invoices, resulting in duplicate payments
  Inherent risk: Possible; Minor ($5,000–$15,000)
  Risk response: Control activities below
  Residual risk: Unlikely; Minor ($5,000–$7,500)

Control Activities
 Asset acquisition and expense transactions are subjected to programmed edit/validation checks which include:
   Purchasing data (PO number, amount, etc.) are validated against specified files or tables (A)
   Key fields are tested for blanks, alphas, values within a specified range (e.g., purchase amounts), missing
  data elements (e.g., payment due date), and programmed check digits (e.g., vendor number) (A)
   Reasonableness tests are performed, comparing data input in two or more different fields based on specified
  criteria (e.g., sales tax rate is compared with the state tax rate based on the vendor’s zip code) (A)
   Edit checks compare key amounts with tables to ensure input data are within limits established for each user
  or class of user (e.g., payment amounts are compared with approval limits for electronic payment) (A)
   Edit checks compare vendor name/number and invoice numbers with those on file to ensure valid vendor and
  to detect duplicate payments (V)
 All payment transactions input are matched to the original purchase order details before further processing may
occur (A)
 Payment amounts, including electronic payment transactions, are verified on screen by someone other than the
staff member responsible for the original payment information (A,V)
 Staff reconcile each batch or series of on-line transactions with system edit or processing reports (A,C)
 Exception reports are produced listing large or unusual items (e.g., amounts exceeding $100,000), which are then
individually compared
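The programmed edit/validation checks listed in Exhibit 7.2 can be written out as code. What follows is an added example, not from the COSO document or any payables system: each check in the list becomes a test on an invoice record, tagged with the assertion it protects, followed by batch-level duplicate detection against invoices already paid and the exception listing of large items. The vendor master, open purchase orders, approval limits, state tax rates, the mod-10 check-digit scheme on vendor numbers and the sample invoices are all constructed assumptions for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Constructed reference tables (assumptions for this example). Vendor numbers
# end in a mod-10 (Luhn) check digit; open POs map to (vendor, authorized amount).
VENDOR_MASTER = {"100172": "Acme Hose Co", "200287": "Pacific Valves", "300392": "Carolina Fabrics"}
OPEN_POS = {"PO-4401": ("100172", 12_000.00), "PO-4402": ("200287", 30_000.00),
            "PO-4403": ("300392", 8_000.00), "PO-4404": ("200287", 150_000.00)}
APPROVAL_LIMITS = {"clerk": 5_000.00, "supervisor": 25_000.00, "controller": 250_000.00}
STATE_TAX_BY_ZIP = {"94": 0.0725, "97": 0.0, "29": 0.06}   # state rate by leading zip digits
PAID_INVOICES = {("300392", "INV-0091")}                    # (vendor, invoice) already paid
TAX_TOLERANCE = 1.00                                        # rounding slack in the tax test
EXCEPTION_THRESHOLD = 100_000.00                            # large items listed for review


@dataclass
class Invoice:
    vendor_no: str
    vendor_name: str
    invoice_no: str
    po_no: str
    amount: float
    sales_tax: float
    vendor_zip: str
    due_date: Optional[date]
    entered_by: str   # role of the user who keyed the invoice


def luhn_valid(number: str) -> bool:
    """Programmed check digit: mod-10 test, doubling every second digit from the right."""
    if not number.isdigit():          # blanks or alphas fail outright
        return False
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def edit_checks(inv: Invoice) -> list[str]:
    """One invoice's edit checks, each tagged (A) accuracy or (V) validity."""
    findings = []
    for name in ("vendor_no", "invoice_no", "po_no"):          # blanks in key fields
        if not getattr(inv, name).strip():
            findings.append(f"(A) blank key field: {name}")
    if inv.due_date is None:                                   # missing data element
        findings.append("(A) missing payment due date")
    if not luhn_valid(inv.vendor_no):                          # check digit
        findings.append("(A) vendor number fails check digit")
    if not 0 < inv.amount <= 1_000_000.00:                     # value within range
        findings.append("(A) amount outside permitted range")
    on_file = VENDOR_MASTER.get(inv.vendor_no)                 # vendor against master file
    if on_file is None:
        findings.append("(V) vendor number not on file")
    elif on_file != inv.vendor_name:
        findings.append("(V) vendor name does not match master file")
    po = OPEN_POS.get(inv.po_no)                               # purchasing data against PO table
    if po is None:
        findings.append("(A) purchase order not on file")
    else:
        if po[0] != inv.vendor_no:
            findings.append("(A) purchase order belongs to a different vendor")
        if inv.amount > po[1]:
            findings.append("(A) amount exceeds purchase order authorization")
    rate = STATE_TAX_BY_ZIP.get(inv.vendor_zip[:2])            # reasonableness: tax vs state rate
    if rate is None:
        findings.append("(A) no tax rate on file for vendor zip code")
    elif abs(inv.sales_tax - inv.amount * rate) > TAX_TOLERANCE:
        findings.append("(A) sales tax inconsistent with state rate for vendor zip")
    if inv.amount > APPROVAL_LIMITS.get(inv.entered_by, 0.0):  # limit for the user's class
        findings.append(f"(A) amount exceeds approval limit for {inv.entered_by}")
    return findings


def validate_batch(batch: list[Invoice]) -> list[tuple[str, list[str]]]:
    """Edit checks per invoice plus duplicate detection (V) against paid and earlier items."""
    seen, results = set(PAID_INVOICES), []
    for inv in batch:
        findings = edit_checks(inv)
        if (inv.vendor_no, inv.invoice_no) in seen:
            findings.append("(V) duplicate of an invoice already paid or earlier in batch")
        seen.add((inv.vendor_no, inv.invoice_no))
        results.append((inv.invoice_no, findings))
    return results


def exception_report(batch: list[Invoice]) -> list[str]:
    """Large items (above the threshold) listed for individual review."""
    return [inv.invoice_no for inv in batch if inv.amount > EXCEPTION_THRESHOLD]


SAMPLE_BATCH = [  # constructed: one clean item, then one item per failing check family
    Invoice("100172", "Acme Hose Co", "INV-2201", "PO-4401", 11_500.00, 833.75, "94105", date(2013, 6, 30), "supervisor"),
    Invoice("100173", "Acme Hose Co", "INV-2202", "PO-4401", 1_200.00, 87.00, "94105", None, "clerk"),
    Invoice("200287", "Pacific Valves", "INV-0507", "PO-4402", 28_000.00, 0.00, "97201", date(2013, 7, 15), "clerk"),
    Invoice("300392", "Carolina Fabrics", "INV-0091", "PO-4403", 7_500.00, 450.00, "29401", date(2013, 6, 20), "supervisor"),
    Invoice("300392", "Carolina Fabrics", "INV-0092", "PO-4403", 7_500.00, 543.75, "29401", date(2013, 6, 20), "supervisor"),
    Invoice("200287", "Pacific Valves", "INV-0508", "PO-4404", 140_000.00, 0.00, "97201", date(2013, 7, 31), "controller"),
]

if __name__ == "__main__":
    print(validate_batch(SAMPLE_BATCH), exception_report(SAMPLE_BATCH))
```

Running validate_batch(SAMPLE_BATCH) returns no findings for INV-2201, four for INV-2202 (missing due date, failed check digit, vendor not on file, purchase order belonging to another vendor), an approval-limit finding for INV-0507, a duplicate finding for INV-0091 because it is already in the paid set, and a tax reasonableness finding for INV-0092. INV-0508 passes every edit check yet appears on the exception report, which is the point of that control: an item can be accurate and valid and still warrant individual review because of its size. Note that only the check-digit, blank and range tests can be decided from the invoice alone; the vendor, purchase order, approval-limit and duplicate tests depend on the reference files, which is why the exhibit speaks of validation "against specified files or tables" and why the integrity of those files is itself a control concern.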
Exhibit 7.3 provides additional illustrations of control activities that also may be the risk response.

Exhibit 7.3 Control Activities as a Risk Response


 To ensure that pension obligations and costs are reported properly in the financial statements, management
reviews the company’s demographic data and the methods and assumptions used by the actuary, and compares
amounts in the actuary’s report with those in the financial statements and related footnotes.
 To help ensure that a company’s monthly income tax remittances are made in compliance with regulations, an
electronic tickler file prompts staff with due dates for tax filings, and a supervisor verifies timely remittance.
 To help ensure that computer interfaces between general ledger systems operate to effect complete and accurate
processing, transaction totals from subsidiary systems are compared with the balance in the general ledger
control account, with any differences reported and followed up.
 To help minimize inventory losses, transfer documents are reviewed and approved by the warehouse supervisor
before goods are released.
 To help ensure that only tested and accepted programs are transferred from test to production libraries, transfers
are made only based on completion of testing and related approvals and authorization of the IT and user
line/department managers.

8. Information and Communication

Framework Chapter Summary: Pertinent information is identified, captured, and communicated in a form and
timeframe that enable people to carry out their responsibilities. Information systems use internally generated
data, and information from external sources, providing information for managing risks and making informed
decisions relative to objectives. Effective communication also occurs, flowing down, across, and up the
organization. All personnel receive a clear message from top management that enterprise risk management
responsibilities must be taken seriously. They understand their own role in enterprise risk management, as well
as how individual activities relate to the work of others. They must have a means of communicating significant
information upstream. There is also effective communication with external parties, such as customers,
suppliers, regulators, and shareholders.

This chapter illustrates how information is obtained and flows in an organization and is used and presented to
support enterprise risk management. Also illustrated are techniques that facilitate communication supporting
effective enterprise risk management.

Information
Information is needed at all levels of an organization to identify, assess, and respond to risks, and to otherwise
run the entity and achieve its objectives.

Information both from external sources and internally generated is obtained and analyzed in setting strategy and
objectives, identifying events, analyzing risks, determining risk responses, and otherwise effecting enterprise risk
management and carrying out other management activities. A broad-based, generic depiction of information
flows into, out of, and within an entity to support its ongoing management is shown in Exhibit 8.1 (taken from the
Internal Control – Integrated Framework Evaluation Tools Reference Manual, and drawn from Competitive
Advantage, M. E. Porter). Further detail on information flows is shown in the Internal Control – Integrated
Framework Evaluation Tools Reference Manual.

Exhibit 8.1 Generic Business Model—Context Level

In addition to information flows into and within an organization, there are flows among activities inherent in the
enterprise risk management components. Exhibit 8.2 illustrates how these information flows may be
conceptualized.

Exhibit 8.2 Information Flows Within Enterprise Risk Management
Technology is applied to improve the effectiveness and efficiency of information processes. Exhibit 8.3
illustrates how a company may utilize information technology to support the timely use of information in an event
identification process.

Exhibit 8.3 Use of Information Technology in Event Identification
As part of the event identification process, a chain of automotive dealerships regularly reviews leading
newspapers, business publications, and trade journals to keep track of changes in the competitor
landscape. Initially done manually, as described in the first bulleted item below, the process was automated, as
described in the second.

 A researcher reviewed hard copy of selected publications on a daily, weekly, and monthly basis, provided the
information to applicable managers for analysis, and developed related reports. The reports were distributed to
unit leaders and others for consideration in the risk assessment process. This process normally took 24–48 hours
to complete each week, month, and quarter.
 The company now subscribes to Internet libraries, and the researcher uses web-based search engines to identify
relevant information, and attaches “relevance” ratings to the information. The captured information is analyzed,
and reports are distributed electronically to the responsible managers. Including the manual analysis, the process
now takes only several hours to complete, and garners a broader array of relevant information.

Strategic and Integrated Systems


The design of an information systems architecture and acquisition of technology are important aspects of entity
strategy, and choices regarding technology can be critical to achieving objectives.

Technology plays a critical role in enabling the flow of information in an organization, including information
directly relevant to enterprise risk management. The selection of specific technologies to support enterprise risk
management for an organization typically is a reflection of the:

 Entity’s approach to enterprise risk management and its degree of sophistication


 Types of events affecting the entity
 Entity’s overall information technology architecture
 Degree of centralization of supporting technology

In some organizations, information is managed separately by unit or function, whereas others have integrated
systems. Exhibit 8.4 illustrates the loan origination and risk management functions of a corporate bank, where
information is developed by functional unit and shared as needed with others in the organization.

Exhibit 8.4 Loan Origination Information Flows

Individual functions – marketing, risk management, legal, and operations – are each supported by their own
technology, which captures, maintains, and reports relevant information, which then is shared across the
organization.

With added focus on information needed for risk management, some organizations have enhanced their
technology architectures to allow greater connectivity and usability of data, with some using the Internet and
data interchange capabilities. Web services-based information strategies enable real-time information capture,
maintenance, and distribution across units and functions, often enhancing information capture, better controlling
multiple sources of data, minimizing manual processing of the data, and enabling automated analysis, retrieval,
and reporting.

Under an open architecture, technologies such as XBRL, XML, and Web services are used to facilitate data
aggregation, transfer, and connectivity between disparate or stand-alone systems. XBRL, the acronym for
eXtensible Business Reporting Language, is derived from XML (eXtensible Markup Language). XBRL is an
open, royalty-free, Internet-based information standard for business reporting of all kinds. XBRL labels data so
that they are provided with context that remains with them and brings conformity to the names by which they are
recognized by disparate software.

Web services are a set of Internet standards for transporting data between disparate applications, within a
company’s boundaries or across companies. XBRL, used with Web services, facilitates automated information
exchange across diverse platforms and different applications and automates business reporting processes.
Exhibit 8.5 illustrates how XBRL and Web services can improve the efficiency of the reporting processes for the
loan processing activities identified in Exhibit 8.4.

Exhibit 8.5 Integration of Systems

Exhibit 8.6 illustrates how two organizations address the requirements of multiple constituents and leverage
information across functions using XBRL and Web services.

Exhibit 8.6 Data, Systems Integration

 A telecommunications company uses XBRL and Web services to automate its billing process. Using an XBRL
telecom billing taxonomy, transaction-level data are passed from ordering systems to provisioning and billing
systems, and positioned for creating customer invoices. XBRL enables the billing system to feed information
directly to company reporting systems via the XBRL general ledger standards-based platform. That platform
provides predefined data tags for elements of financial transactions, enabling the company to represent, for
example, all parties to a transaction, all resources that are part of the transaction (such as supplies, inventory, and
other resources), and all related events (such as when the transaction was created, sent, received, and entered
into the system). This audit trail allows managers and auditors to quickly verify information at any consolidation
level in an installation, in an operating unit, or at the entity level. The process reduces the cost of compliance by
providing a more efficient platform for communication with regulators, creditors, and other third parties. And,
systems changes on either side of the XBRL integration point can proceed with less disruption to the information
transfer cycle because the new system can readily understand and use the XBRL-enriched information.
 Another company uses XBRL technology to obtain more complete information on exposures in its accounts
receivable. Previously, business units reported receivables from individual customers exceeding a monetary
threshold, but the composite reports did not include exposures slightly under the threshold. With XBRL, the
company's reports include all exposures to a particular customer, enabling quicker and more relevant
management action.
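The second bullet above (exposures slightly under a per-unit threshold becoming visible once the data are tagged) can be shown concretely. The following is an added example in Python, not from the COSO document and not the XBRL GL taxonomy: it parses a constructed, simplified XBRL-style instance in which every receivable fact carries a contextRef naming the reporting unit and the customer, then consolidates exposure per customer before applying the threshold. The xbrli namespace is the XBRL 2.1 instance namespace; the "ex" concepts (Receivable, customer), unit identifiers, customer numbers, amounts and the $100,000 threshold are assumptions.

```python
from __future__ import annotations
import xml.etree.ElementTree as ET
from collections import defaultdict, namedtuple
from decimal import Decimal

# xml.etree is fine for this trusted, embedded sample. Instances received from
# business units or third parties should be parsed with a hardened parser (for
# example the defusedxml package) so that entity expansion and external entity
# references cannot be turned against the consolidation system.
NS = {"xbrli": "http://www.xbrl.org/2003/instance", "ex": "http://example.com/ar"}

# Constructed instance document: two units, three customers, one period.
SAMPLE_INSTANCE = """<?xml version="1.0"?>
<xbrli:xbrl xmlns:xbrli="http://www.xbrl.org/2003/instance" xmlns:ex="http://example.com/ar">
  <xbrli:unit id="usd"><xbrli:measure>iso4217:USD</xbrli:measure></xbrli:unit>
  <xbrli:context id="east_4711"><xbrli:entity>
      <xbrli:identifier scheme="http://example.com/units">UnitEast</xbrli:identifier>
      <xbrli:segment><ex:customer>4711</ex:customer></xbrli:segment></xbrli:entity>
    <xbrli:period><xbrli:instant>2013-03-31</xbrli:instant></xbrli:period></xbrli:context>
  <xbrli:context id="west_4711"><xbrli:entity>
      <xbrli:identifier scheme="http://example.com/units">UnitWest</xbrli:identifier>
      <xbrli:segment><ex:customer>4711</ex:customer></xbrli:segment></xbrli:entity>
    <xbrli:period><xbrli:instant>2013-03-31</xbrli:instant></xbrli:period></xbrli:context>
  <xbrli:context id="east_4712"><xbrli:entity>
      <xbrli:identifier scheme="http://example.com/units">UnitEast</xbrli:identifier>
      <xbrli:segment><ex:customer>4712</ex:customer></xbrli:segment></xbrli:entity>
    <xbrli:period><xbrli:instant>2013-03-31</xbrli:instant></xbrli:period></xbrli:context>
  <xbrli:context id="west_4713"><xbrli:entity>
      <xbrli:identifier scheme="http://example.com/units">UnitWest</xbrli:identifier>
      <xbrli:segment><ex:customer>4713</ex:customer></xbrli:segment></xbrli:entity>
    <xbrli:period><xbrli:instant>2013-03-31</xbrli:instant></xbrli:period></xbrli:context>
  <ex:Receivable contextRef="east_4711" unitRef="usd" decimals="0">95000</ex:Receivable>
  <ex:Receivable contextRef="west_4711" unitRef="usd" decimals="0">90000</ex:Receivable>
  <ex:Receivable contextRef="east_4712" unitRef="usd" decimals="0">120000</ex:Receivable>
  <ex:Receivable contextRef="west_4713" unitRef="usd" decimals="0">40000</ex:Receivable>
</xbrli:xbrl>"""

Fact = namedtuple("Fact", "concept unit customer period value")


def parse_instance(xml_text: str) -> list[Fact]:
    """Resolve each fact's contextRef so that reporting unit, customer and period
    travel with the value. A fact pointing at an unknown context is rejected
    rather than dropped, because a dropped fact would understate exposure."""
    root = ET.fromstring(xml_text)
    contexts = {}
    for ctx in root.findall("xbrli:context", NS):
        unit = ctx.find("xbrli:entity/xbrli:identifier", NS).text
        cust = ctx.find("xbrli:entity/xbrli:segment/ex:customer", NS)
        period = ctx.find("xbrli:period/xbrli:instant", NS).text
        contexts[ctx.get("id")] = (unit, None if cust is None else cust.text, period)
    facts = []
    for el in root.iter():
        ref = el.get("contextRef")
        if ref is None:
            continue
        if ref not in contexts:
            raise ValueError(f"{el.tag} references unknown context {ref!r}")
        unit, cust, period = contexts[ref]
        facts.append(Fact(el.tag.split("}")[-1], unit, cust, period, Decimal(el.text.strip())))
    return facts


def exposure_by_customer(facts: list[Fact], concept: str = "Receivable") -> dict[str, Decimal]:
    """Consolidated exposure per customer across all reporting units."""
    totals = defaultdict(Decimal)
    for f in facts:
        if f.concept == concept and f.customer is not None:
            totals[f.customer] += f.value
    return dict(totals)


def over_threshold_per_unit(facts: list[Fact], threshold) -> set[str]:
    """The old process: each unit reports only its own receivables above the threshold."""
    return {f.customer for f in facts if f.concept == "Receivable" and f.value > threshold}


def over_threshold_consolidated(facts: list[Fact], threshold) -> set[str]:
    """With tagged data the consolidated exposure per customer is compared with the threshold."""
    return {c for c, total in exposure_by_customer(facts).items() if total > threshold}


if __name__ == "__main__":
    facts = parse_instance(SAMPLE_INSTANCE)
    print("per unit:", sorted(over_threshold_per_unit(facts, Decimal(100000))))
    print("consolidated:", sorted(over_threshold_consolidated(facts, Decimal(100000))))
```

Per unit, only customer 4712 crosses the threshold. Consolidated, customer 4711's two sub-threshold balances (95,000 at UnitEast and 90,000 at UnitWest) add to 185,000 and are reported as well, which is the exposure the composite reports in the bullet above used to miss. The context lookup is also where integrity is enforced: the consolidation refuses an instance whose facts point at contexts it cannot resolve instead of silently leaving them out of the total.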

Some organizations, rather than using open architectures, develop customized systems encompassing data
warehouses, which generate key metrics and measures to support enterprise risk management.

Integration with Operations


Many organizations have highly complex information technology infrastructures developed over time to support
operations, reporting, and compliance objectives. In many instances the information generated by these
systems in the regular course of business is integral to the enterprise risk management process.

Exhibit 8.7 illustrates how information used in enterprise risk management is an inherent part of and integrated
with business processes – in this instance, the sales process (items listed under the component headings
include only examples of relevant information).

Exhibit 8.7 Information Flows Across a Sales Process


Depth and Timeliness of Information
Advances in data collection, processing, and storage have resulted in exponential growth in data volume. With
more data available - often in real time - to more people in an organization, the challenge is to avoid “information
overload” by ensuring flow of the right information, in the right form, at the right level of detail, to the right people,
at the right time.

Exhibit 8.8 illustrates information needs that management may consider when planning and implementing
technological infrastructures.

Exhibit 8.8 Considerations in Determining Information Requirements


 What are the key performance indicators for the business?
 What key risk indicators provide a top-down perspective of potential risks?
 What performance metrics are required for monitoring?
 What data are required for the performance metrics?
 What level of granularity of information is needed?
 How frequently does the information need to be collected?
 What level of accuracy or rigor is needed?
 What are the criteria for data collection?
 Where and how should data be obtained (e.g., from business units or operating areas, electronically or
manually)?
 What data/information are present from existing processes?
 How should data repositories be structured?
 What data recovery mechanisms are needed?

Many organizations have established a structured approach to information management. Such approaches
enable management to identify the value and rank the importance of information, and develop effective
processes and appropriate tools and methods to reliably collect, store, and distribute data. Exhibit 8.9 illustrates
elements of an information management program used by a large retail bank to support management of market
risk exposures.

Exhibit 8.9 Managing Market Risk Exposures

The Market Risk Function of a large retail bank tracks the organization’s actual and potential exposures to
movements in interest rates each day. In identifying the information needed to perform risk assessments, and
ensure the bank remains within its risk tolerances, management views information in the context of the following
elements:

Primary

 Source and Capture – defines how information is to be produced or acquired, from internal or external
sources. Rules for modifying or transforming data, methods of extraction, and selection criteria are addressed
at this level. For the Market Risk Function, data are sourced from multiple internal systems, including back
office trade processing systems and market risk limit systems, and from external sources, including rates from
a market data provider. Data are captured by automated interfaces from each of the sources.
 Process and Analyze – defines how information is maintained once it is in production. Data integrity, data
quality, and data cleansing exercises are performed at this level. Data for the Market Risk Function are
processed using market risk models to calculate exposure. Management analyzes resulting information to
evaluate the organization’s exposure against pre-set tolerances and market risk limits.
 Report - defines how information is distributed to end-users. Data aggregation criteria, authorization
considerations, and whether information is distributed in raw form or standard or customizable reports,
are addressed at this level. In this instance, systems report exceptions in real time to line managers
and summarize the daily overall position to senior management.
Secondary

 Governance – defines the policy, organizational structure, and mandate supporting the primary
characteristics.
 Policies – define the general principles, standards, and framework.
 Processes – define the procedures and standards employed to support the primary characteristics.
 Technology – defines the architecture, applications, databases, security, and controls that support
the primary characteristics.

Having the right information, on time and at the right place, is essential to effecting enterprise risk management.

Exhibit 8.10 illustrates information sources and flows in a common reporting process. Each of the four zones
captures information used in the management process, including risk management. When these disparate
systems, such as operational systems (Zone 1), financial reporting systems (Zone 2), performance management
systems (Zone 3), and formal and informal data management systems (Zone 4), are integrated, management is
able to obtain enhanced risk management reporting on a real-time basis.

Exhibit 8.10 Overview of Data Flows Within a Reporting Process

“Dashboard”-style reports are used by organizations to present information necessary for enterprise risk
management. These dashboard reports enable management to quickly determine the extent to which the
entity’s risk profile is aligned with risk tolerances. Where misalignment occurs, which suggests existing risk
responses or controls are not performing as expected, management can take corrective action. These
dashboard reports are generated from information obtained from any or all of the four zones depicted in Exhibit
8.10 and from information external to the company.

A risk profile dashboard used by a large bank is illustrated in Exhibit 8.11, which allows management to view risk
relative to both the entity as a whole and individual business units.

Exhibit 8.11 Dashboard Reporting

The arrows provide two pieces of information:

 Arrow direction indicates quarter-to-quarter trend in expected loss from the underlying risks, with a down arrow
indicating a decline in expected loss trend, and an up arrow an increase.
 Arrow color indicates residual risk in relation to tolerances, where green indicates expected loss safely within risk
tolerance, yellow indicates expected loss near or at risk tolerance, and red indicates risk tolerance is exceeded.

Looking at the Capital Markets business unit, for example, the up arrow shows a quarter-to-quarter increase in
expected loss, and the color green indicates that the unit’s expected loss remains safely within the established risk
tolerance.

Many of these dashboard reporting systems allow users to “drill down” to examine the underlying data. For
example, Exhibit 8.12 illustrates how the same bank shows the details behind the operational risk arrow in
Exhibit 8.11.

Exhibit 8.12 Drilldown to Operational Risk

The data depicted in the charts at the right feed the first two entries in the color-coded graphic at the left, and the
data from that graphic in turn feed the entity-level measure in the dashboard in Exhibit 8.11 – in this illustration,
supporting the measure for operational risk. The bank established that if none of the business unit measures are
coded red (that is, none exceed risk tolerance), then the entity-level measure will be coded green; if one business
unit measure is red, the entity-level measure will be coded yellow; and if two or more are red, the entity-level
measure will be coded red. While the color scheme at the entity level does not provide precise information, it
allows management to quickly focus on those risks not within its tolerances and to drill down for more precise
information and to identify areas where action may be required.
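The arrow rules described for Exhibits 8.11 and 8.12 amount to a small roll-up, written out here as an added example in Python (not the bank's dashboard software). The entity-level colour rule is the one the text states: no red units gives green, one red gives yellow, two or more give red. The band treated as "near or at" tolerance for yellow (within 10% below tolerance), the "flat" arrow for an unchanged expected loss, the entity arrow direction (taken from the summed expected loss across units) and the figures in the sample rows are assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass

NEAR_BAND = 0.10   # assumption: within 10% below tolerance counts as "near or at" tolerance
SEVERITY = {"red": 0, "yellow": 1, "green": 2}


@dataclass
class UnitRisk:
    unit: str
    risk_type: str
    expected_loss_prev: float   # prior quarter, $ millions (constructed figures)
    expected_loss: float        # current quarter
    tolerance: float


def arrow_direction(prev: float, now: float) -> str:
    """Quarter-to-quarter trend in expected loss; "flat" for no change is an assumption."""
    return "up" if now > prev else "down" if now < prev else "flat"


def arrow_color(expected_loss: float, tolerance: float) -> str:
    """Residual risk against tolerance: red above it, yellow near or at it, green otherwise."""
    if expected_loss > tolerance:
        return "red"
    if expected_loss >= tolerance * (1 - NEAR_BAND):
        return "yellow"
    return "green"


def entity_color(unit_colors: list[str]) -> str:
    """The bank's roll-up rule: no red units -> green, one red -> yellow, two or more -> red."""
    reds = sum(1 for c in unit_colors if c == "red")
    return "green" if reds == 0 else "yellow" if reds == 1 else "red"


def dashboard(rows: list[UnitRisk]) -> dict[str, dict[str, tuple[str, str]]]:
    """unit -> risk type -> (direction, colour), plus an "Entity" row. The entity colour
    follows the roll-up rule; the entity direction uses the summed expected loss (assumption)."""
    board = {}
    for r in rows:
        board.setdefault(r.unit, {})[r.risk_type] = (
            arrow_direction(r.expected_loss_prev, r.expected_loss),
            arrow_color(r.expected_loss, r.tolerance),
        )
    entity = {}
    for risk_type in {r.risk_type for r in rows}:
        group = [r for r in rows if r.risk_type == risk_type]
        entity[risk_type] = (
            arrow_direction(sum(g.expected_loss_prev for g in group), sum(g.expected_loss for g in group)),
            entity_color([board[g.unit][risk_type][1] for g in group]),
        )
    board["Entity"] = entity
    return board


def drill_down(rows: list[UnitRisk], risk_type: str) -> list[tuple[str, float, float, str]]:
    """Detail behind one entity-level arrow: (unit, expected loss, tolerance, colour), worst first."""
    detail = [(r.unit, r.expected_loss, r.tolerance, arrow_color(r.expected_loss, r.tolerance))
              for r in rows if r.risk_type == risk_type]
    return sorted(detail, key=lambda d: (SEVERITY[d[3]], -d[1]))


SAMPLE_ROWS = [  # constructed figures
    UnitRisk("Capital Markets", "operational", 12.0, 14.0, 20.0),
    UnitRisk("Retail Banking", "operational", 8.0, 9.5, 10.0),
    UnitRisk("Asset Management", "operational", 5.0, 6.0, 5.0),
    UnitRisk("Capital Markets", "credit", 30.0, 28.0, 40.0),
    UnitRisk("Retail Banking", "credit", 50.0, 55.0, 50.0),
    UnitRisk("Asset Management", "credit", 10.0, 12.0, 10.0),
    UnitRisk("Capital Markets", "market", 15.0, 13.0, 30.0),
    UnitRisk("Retail Banking", "market", 2.0, 2.0, 5.0),
    UnitRisk("Asset Management", "market", 4.0, 3.0, 10.0),
]

if __name__ == "__main__":
    for unit, arrows in dashboard(SAMPLE_ROWS).items():
        print(unit, arrows)
    print("operational drill-down:", drill_down(SAMPLE_ROWS, "operational"))
```

With the sample rows, Capital Markets' operational arrow is up and green (expected loss rose but stays well within tolerance), mirroring the reading given for Exhibit 8.11 above; one red unit makes the entity-level operational arrow yellow, two red units make credit red, and market stays green. The drill-down lists the units behind an entity arrow worst first, which is what lets management act on a yellow at the entity level without the entity colour having to carry the detail itself.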

Communication
Management provides specific and directed communication that addresses behavioral expectations and the
responsibilities of personnel. This includes a clear statement of the entity’s risk management philosophy and
approach and a clear delegation of authority. Communication about processes and procedures should align
with, and underpin, the desired culture.

Communications are key to creating the “right” internal environment and to supporting the other components of
enterprise risk management. For example, embedding the risk management philosophy into an organization’s
culture is facilitated by top-down communications on what the philosophy is and what is expected of the
organization’s people, and supported by bottom-up information flows. Similarly, management reinforces or
changes an organization’s culture with words and everyday actions. One company adopted an internal
communications program, as illustrated in Exhibit 8.13, specifically to support the integration of its risk
management philosophy and to help reinforce an ethical internal environment.

Exhibit 8.13 Communicating Risk Management Philosophy
 Management discusses risks and associated risk responses in regular briefings with employees.
 Management regularly communicates entity-wide risks in employee communications.
 Enterprise risk management policies, standards, and procedures are made readily available to employees along
with clear statements requiring compliance.
 Management requires employees to consult with others across the organization as appropriate when new events
are identified.
 New hire orientation sessions include information and literature on the company's risk management philosophy
and enterprise risk management program.
 Tenured employees are required to take workshops and/or refresher courses on the organization's enterprise risk
management initiatives.
 The risk management philosophy is reinforced in regular and ongoing internal communication programs and
through specific communication programs to reinforce tenets of the company's culture.

Exhibit 8.14 is an example of a letter from the CEO of one company to employees, emphasizing the importance
of enterprise risk management.

Exhibit 8.14 Message from CEO

Our overall objective is to maximize shareholder value.

To achieve this goal we must have superior risk management capabilities, which address the full spectrum of risks
facing our businesses. A structured and disciplined approach to risk management will ensure that our strategic
efforts are not diminished through avoidable loss, or hampered by change and uncertainty. Additionally, we must
harness our ability to cope with emerging risks and opportunities in an increasingly competitive environment.

Everyone has a role to play in our enterprise risk management. This entails understanding the risks and
opportunities facing our business, assessing exposure, and taking action to effectively respond to preserve and
maximize value.

We have developed a framework document as a tool to guide our efforts to manage the risks, uncertainties, and
opportunities of our businesses to support the achievement of organizational objectives and maximize shareholder
value.

We look to all our employees to participate in applying this framework on a daily basis to help ensure we fulfill our
objectives.

In addition to “top-down” information flows, communications channels should enable personnel to communicate
risk-based information across business units, processes, or functional silos. Exhibit 8.15 includes examples of
vehicles managements use to communicate such information.

Exhibit 8.15 Communications Vehicles

 Broadcast e-mails
 Broadcast voice mails
 Corporate newsletters
 Databases supporting specific risk issues
 Letters from the CEO
 E-mail discussion groups
 Intranet sites capturing information regarding enterprise risk management for easy access by personnel
 Messages integrated into ongoing corporate communications
 Organization, function, or location-wide webcasts or conference calls
 Posters or signs reinforcing key aspects of enterprise risk management
 Regular face-to-face meetings of “risk champions” or other employees from a range of functions and business
units with responsibility for aspects of enterprise risk management
 Regular risk management conference calls among a network of risk champions and other employees
 Regularly issued newsletters from the chief risk officer and associated staff
 “Town-hall” meetings

A desirable goal is, over time, to embed communications on enterprise risk management into an entity’s broad-
based, ongoing communications programs, consistent with the concept of building enterprise risk management
into the fabric of the organization.

Many organizations use technology to facilitate ongoing communication for enterprise risk
management. Technology, such as an intranet site, can put enterprise risk management information within easy
and constant access of all staff. Exhibit 8.16 illustrates information typically provided and made readily
available.

Exhibit 8.16 Intranet Site Information on Enterprise Risk Management

 “Ask anything” links
 CEO’s message stating the entity’s risk management philosophy, risk appetite, and basic objectives of its
enterprise risk management approach
 Discussion forum
 Enterprise risk management policies and procedures
 Frequently asked questions regarding the organization’s enterprise risk management program
 Relevant enterprise risk management reports and reporting activities
 Readily accessible information on and links to corporate whistle-blower channels or hotlines
 Links to other organizations’ websites providing information on risk management within key functions and
processes, such as human resources policies, procurement, travel, vendor relations, etc.
 List of responsibilities and contact information for chief risk officer and key staff supporting the enterprise risk
management program

In some circumstances . . . separate lines of communication are needed to serve as a fail-safe mechanism in
case normal channels are inoperative.

In the event regular communications channels are not effective or appropriate, many organizations have set up
supplemental employee communications channels. These channels, which may be called “whistle-blower”
programs or “ethics hotlines,” may be voluntary or legally mandated. Their purpose is to provide a ready means
whereby employees at any organizational level can confidentially discuss or report perceived or actual illegal,
unethical, or otherwise inappropriate behavior.

Exhibit 8.17 provides questions that might be considered when establishing an ethics hotline.

Exhibit 8.17 Considerations for Ethics Hotlines

 Are reporting mechanisms and protocols such that personnel will feel comfortable using the channel?
 What procedures will be used to ensure personnel trust the communications channel, with no concern about
potential reprisal?
 Will the system be managed internally or by an external third party?
 How will incidents be prioritized?
 How will appropriate follow-up resources be identified?
 What is target response time?
 What are documentation standards?
 What monitoring processes should be in place?
 Are technology and security resources sufficient to manage the system?
 Who will perform any necessary investigations?
 How will complaints be documented and tracked?
 How will the employee reporting the information be advised of conclusions and actions taken?
 What kinds of summary reports are needed, and with what frequency?
 What mechanisms will be in place to ensure needed broad-based corrective and future preventive actions are
taken?

Exhibit 8.18 provides an illustrative work flow diagram for a supplemental reporting process.

Exhibit 8.18 Alternative Reporting Process
9. Monitoring

Framework Chapter Summary: Enterprise risk management is monitored – assessing the presence and
functioning of its components over time. This is accomplished through ongoing monitoring activities, separate
evaluations, or a combination of the two. Ongoing monitoring occurs in the normal course of management
activities. The scope and frequency of separate evaluations will depend primarily on an assessment of risks and
the effectiveness of ongoing monitoring procedures. Enterprise risk management deficiencies are reported
upstream, with serious matters reported to top management and the board.

This chapter illustrates some of the techniques used in ongoing monitoring and separate evaluations, and provides
an overview of methodology, tools, documentation, and considerations for reporting deficiencies. In addition to
the techniques illustrated here, readers are referred to the evaluation tools provided in Internal Control –
Integrated Framework, which may serve as a useful reference for separate evaluations of enterprise risk
management.

Ongoing Monitoring Activities


Many different activities performed in the ordinary course of running a business serve to monitor the
effectiveness of enterprise risk management components. These include day-to-day review of information in
carrying out normal business activities, as illustrated in Exhibit 9.1.

Exhibit 9.1 Examples of Ongoing Monitoring Activities

 Management reviews reports of key business activity indicators such as flash reports of new sales or cash
position, and information on backlog, gross margins, and other key financial and operational statistics.
 Operating management compares production, inventory, quality measures, sales, and other information obtained
in the course of daily activities to systems-generated information and to budget or plan.
 Management reviews performance against limits established for risk exposures, such as acceptable error rates,
items in suspense, reconciling items, foreign currency exposure balances, or exposure to counterparties.
 Management reviews transactions reported through escalation triggers.
 Management reviews key performance indicators such as trends in direction and magnitude of risks, status of
strategic and tactical initiatives, trends or variances in actual results to budget or prior periods, and event triggers,
as described in the Event Identification chapter.

Separate Evaluations
While ongoing monitoring procedures usually provide important feedback on the effectiveness of other
enterprise risk management components, it may be useful to take a fresh look from time to time, focusing
directly on enterprise risk management effectiveness.

Separate evaluations of enterprise risk management typically are conducted periodically. In some cases, they
are prompted by change in strategy, key processes, or entity structure. Separate evaluations are conducted by
management, the internal audit function, external specialists, or a combination thereof.

Separate evaluations sometimes are broad-based, with scope including the entirety of the entity and all
enterprise risk management components. In some cases, the evaluation is limited to a specific business unit,
process, or department, with other areas of the business addressed over time. Exhibit 9.2 describes how a
manufacturer designed an evaluation of its new inventory control system.

Exhibit 9.2 Separate Monitoring of a New Process


Management of a large manufacturing company installed new modules for its enterprise resource planning
system, to enhance its global supply chain processes. Objectives included reducing inventory costs, improving
tracking capabilities, and providing better information on inventory availability. Given the critical importance of the
system to achieving customer service goals, and the scale of the changes to the processes, it was decided that a
separate evaluation of the process would be conducted on a monthly basis for four months following the “go-live”
date, and every six months thereafter for two years.

The evaluations were conducted by a team comprising individuals from the information technology function, the
internal audit function, and outside consultants. The first evaluation focused on:

 System change controls
 Organizational change readiness
 Security
 Data quality
 Interfaces with legacy systems

Subsequent evaluations addressed accuracy and completeness of processing, including transfers and handoffs,
related control activities, changes to and control over access, manual interfaces, and use and usefulness of
information outputs.

Internal Audit Reviews


Internal audit functions typically provide an assessment of risks and control activities of a business unit, process,
or department. These assessments provide an objective perspective on any or all elements of enterprise risk
management, from the company’s internal environment through monitoring. In some cases particular attention
is given to risk identification, analysis of likelihood and impact, risk response, control activities, and information
and communication. Internal audit, based on its knowledge of the business, may be positioned to consider how
new company initiatives and circumstances might affect application of enterprise risk management, and to take
that into account in its review and testing of relevant information. Further information is available in The Institute
of Internal Auditors’ Practice Advisories, which set out guidance for evaluating and reporting on risk
management effectiveness.

The Evaluation Process


Evaluating enterprise risk management is a process in itself. While approaches or techniques vary, a discipline
should be brought to the process, with certain basics inherent in it.

A disciplined process provides a sound basis for an evaluation. Any of a number of approaches and techniques
are used, generally depending on the circumstances of the company and nature and scope of the evaluation to
be performed. Exhibit 9.3 illustrates one company’s basic approach.

Exhibit 9.3 Steps in a Separate Evaluation


Planning

 Define the objectives and scope of the evaluation
 Identify an executive with requisite authority to manage the evaluation
 Identify the evaluation team, support personnel, and key business unit contacts
 Define the evaluation methodology, timeline, and steps to be conducted
 Agree on evaluation plan

Performance

 Gain an understanding of the business unit’s/process’s activities
 Understand how the unit’s/process’s risk management process is designed to work
 Apply the agreed-on methods to evaluate the risk management process
 Analyze results by comparison to the Company’s internal audit standards and follow up as necessary
 Document deficiencies and proposed remediation, if applicable
 Review and validate findings with appropriate personnel

Reporting and Corrective Actions

 Review results with business unit/process and other management as appropriate
 Obtain comments and remediation plans from unit/business process management
 Incorporate management feedback into final evaluation report

Methodology
A variety of evaluation methodologies and tools are available, including checklists, questionnaires, and
flowcharting techniques.

Evaluators identify methodologies and tools needed to support the evaluation process. A number of structured
methodologies and tools exist that are used to document and assess specific aspects of enterprise risk
management. Factors in selecting evaluation methodologies and tools include whether they can be readily used
by assigned staff, are relevant to the given scope, and are appropriate to the nature and expected frequency of
the evaluation. For example, where the scope involves understanding and documenting differences between
business process design and actual performance, the evaluation team might review or develop process
flowcharts and control matrices, whereas a scope limited to addressing whether specific mandated control
activities are present might suggest using a pre-established questionnaire. Exhibit 9.4 lists tools used, either
individually or in conjunction with one another.

Exhibit 9.4 Methodologies and Tools


 Process flowcharting
 Risk and control matrices
 Risk and control reference manuals
 Benchmarking using internal, industry, or peer information
 Computer assisted audit techniques
 Risk and control self-assessment workshops
 Questionnaires
 Facilitated sessions

Exhibit 9.5 contains an excerpt of a risk and control self-assessment questionnaire for a payroll process, serving
as a diagnostic reference point focusing on the extent to which controls related to payroll processing risks
actually are being applied. The results form a basis for needed corrective action.

Exhibit 9.5 Risk and Control Self-Assessment Questionnaire Excerpts

Payroll Questions

Questionnaire | Response Options | Policy Reference

 My department reviews the budget summaries prepared by the Budgeting Department | Yes / No / Don’t know / N/A / N/A | Payroll policy #1

 My department monitors the number of employees paid from your budget | Yes / No / Don’t know / N/A / N/A | Payroll policy #2

 My department reviews the monthly report of salaries and wages posted to our department | Never / Seldom / Usually / Always / N/A | Payroll policy #3

 When reviewing this payroll report, what would you consider to be an exceedingly high number of overtime payroll hours per person that you would review in detail to determine the underlying cause? | 10–20 / 20–30 / 30–40 / > 40 / Don’t know | No payroll policy
Summary of Findings

1. 95% of respondents review budget summaries prepared by the Budgeting Department
2. 93% review the number of people paid from their budget
3. 70% always review payroll reports; 18% usually do, and 12% seldom review these reports
4. See graph at right

Documentation
The extent of documentation of an entity’s enterprise risk management varies with the entity’s size, complexity,
and similar factors.

The desired level of enterprise risk management documentation varies by company, often based on size,
complexity, and management style. In addition to scale and depth of documentation, considerations include
whether it will be paper- or electronic-based, centralized or distributed, and means of access for update and
review.

In evaluating enterprise risk management, existing documentation of processes and other activities is
reviewed, or may be created, to allow the evaluation team to readily understand the unit’s, process’s, or
department’s risks and responses. Documentation considered in an evaluation may include:

 Organization charts
 Description of key roles, authorities, and responsibilities
 Policy manuals
 Operating procedures
 Process flowcharts
 Relevant controls and associated responsibilities
 Key performance indicators
 Key identified risks
 Key risk measures

Such documentation may form the basis for developing review processes that include tests to determine
whether the processes and related policies and procedures represented to have been established are both
appropriate to address the entity’s risks and being followed.

With regard to what documentation of the evaluation process itself is to be developed, the evaluation team might
consider the extent to which documentation is expected to achieve the objectives of:

 Providing an “audit trail” of the evaluation team’s assessments and testing
 Communicating the results of the evaluation – findings, conclusions, and recommendations
 Facilitating review by supervisory personnel
 Facilitating evaluations in subsequent periods
 Identifying and reporting broader issues
 Identifying individual roles and responsibilities in the evaluation process
 Supplementing existing enterprise risk management documentation that may be deficient

Reporting Deficiencies
All identified enterprise risk management deficiencies that affect an entity’s ability to develop and implement its
strategy and to set and achieve its objectives should be reported to those positioned to take necessary action.

Some companies have developed guidelines regarding to whom deficiencies are to be reported, as illustrated in
Exhibit 9.6.

Exhibit 9.6 Illustrative Deficiency Reporting Guidelines

 Deficiencies are reported to persons directly responsible for achieving business objectives affected by the
deficiency
 Deficiencies are reported to the person directly responsible for the activity and a person at least one level higher
 Alternative reporting channels exist for reporting sensitive information such as illegal or improper acts
 Specified types of deficiencies are reported to more senior management
 Protocols are established for what is reported to the board of directors or a specified board committee
 Information on corrective actions taken or to be taken is communicated back to relevant personnel involved in the
reporting process

Another company established criteria for deciding which deficiencies are to be reported to senior management
(and depending on significance, to the board of directors), as illustrated in Exhibit 9.7.

Exhibit 9.7 Illustrative Criteria for Reporting to Senior Management

Deficiencies will be reported where the likelihood of an event occurring is not insignificant, and the impact is such
that there could be a resulting:

 Adverse impact on safety of staff or others
 Illegal or improper act
 Significant loss of assets
 Failure to achieve key objectives
 Negative effect on the entity's reputation
 Improper external reporting

10. Roles and Responsibilities

Framework Chapter Summary: Everyone in an entity has some responsibility for enterprise risk management.
The chief executive officer is ultimately responsible and should assume “ownership.” Other managers support
the risk management philosophy, promote compliance with the risk appetite, and manage risks within their
spheres of responsibility consistent with risk tolerances. Other personnel are responsible for executing
enterprise risk management in accordance with established directives and protocols. The board of directors
provides important oversight to enterprise risk management. A number of external parties often provide
information useful in effecting enterprise risk management, but they are not responsible for the effectiveness of
the entity’s enterprise risk management.

This chapter illustrates organizational approaches for assigning roles and responsibilities for enterprise risk
management, and provides guidance on the roles and responsibilities of the board of directors, chief executive
officer, chief risk officer, business unit management, and internal audit, as well as relevant board and
management committees.

A defining characteristic of how enterprise risk management is implemented is the extent to which roles and
responsibilities are clearly defined, and whether they are assigned on a centralized or decentralized basis.
While how this is done varies widely by entity, commonalities can be observed. Exhibit 10.1 depicts three
approaches, each with a different degree to which roles and responsibilities are or are not centralized for
identifying, assessing, responding to, and reporting on risks.

Exhibit 10.1 Organizational Approaches

Approach 1 depicts a model where event identification and risk assessment occur in the business lines or
departmental management, but authority to determine risk response and related control activities rests with the
center, and the center also reports risks upstream. This approach may work for smaller entities where central
management has clear sight lines into the business activities, and key decision authorities remain with the
center. Approach 2 depicts a model where event identification, risk assessment, risk response, control activities,
and reporting are primarily the responsibility of the business lines. The center is involved in monitoring the
process and might have a broad-based role in reporting as well. Approach 3 is a variation on Approach 2,
illustrating that certain risks may be addressed at the center, such as entity-wide risks of commodity or foreign
currency price movements that are tracked and managed at the entity level. Each of these approaches has
benefits and challenges, described in Exhibit 10.2.

Approach 1

Benefits
 Effective event identification and risk assessment by those closest to emerging issues
 Risk responses determined by higher-level managers

Challenges
 Might be disconnect between risk assessment and response
 Lack of ownership by risk takers in risk response

Approach 2

Benefits
 Ownership of risk response and control activities by managers closest to emerging issues
 Ability to generate more complete management information
 Enhanced ability to manage risk-based activities

Challenges
 Potential for less-consistent risk management (but this potentiality is reduced by an effective central
support/monitoring function)

Approach 3

Benefits
 More significant risks addressed by higher-level managers
 Facilitates managing risks on entity-wide basis

Challenges
 Requires effective communication and coordination with business units

Many companies find that as they expand in size and complexity, they can most effectively apply enterprise risk
management principles and disciplines by pushing much, if not all, responsibility to the lines of business and
functional support units. At the same time, a small central supporting infrastructure deals with more pervasive,
entity-wide risks.

Board of Directors
The board provides oversight with regard to enterprise risk management.

The board has a key role in the oversight of enterprise risk management. The board should be apprised on a
timely basis of the most significant risks, management’s assessment, and its planned response. Importantly, the
board should feel comfortable that appropriate processes are in place and that management is positioned to
identify, assess, and respond to risk, and to bring relevant information to the board level.

The types of questions directors ask in performing this oversight role are illustrated in Exhibit 10.3.

Exhibit 10.3 Questions Raised by Boards Regarding Enterprise Risk Management

 What information about the risks facing the organization do we receive to fulfill our fiduciary and advisory
governance responsibilities?
 When and how does senior management report risk information to us?
 How do we know that the information we receive on risks and risk management is accurate and complete for our
purposes?
 Have we effectively communicated our expectations to senior management concerning the company's risk
management process, and is there a clear understanding of those expectations, including what information we
expect to receive?
 How do we ensure that the organization is performing according to established risk tolerance limits and overall
risk appetite?
 How do we as a board help establish the right "tone at the top" that reinforces the organization's values and
promotes a "risk aware culture"?
 Are we effectively carrying out our responsibilities as a board in overseeing risk management?

Boards may choose to delegate responsibilities and accountabilities for specified aspects of enterprise risk
management to one or more board committees to help ensure a clear focus on the risk areas.

Audit Committee
It is not uncommon for oversight responsibility for enterprise risk management to be assigned to the audit
committee. In many cases it is believed that with its focus on internal control over financial reporting, and
possibly a broader focus on internal control, the audit committee already is well positioned to expand its
responsibility to overseeing enterprise risk management. Some observers point to certain regulatory standards
as providing support for placing responsibility with this committee. See Exhibit 10.4 for an excerpt from the New
York Stock Exchange’s rules.

Exhibit 10.4 Audit Committee Role

The New York Stock Exchange’s Corporate Governance Rules require that a listed company’s audit committee
have a written charter that addresses the committee’s duties and responsibilities, which must include discussing
policies with respect to risk assessment and risk management. The rules’ commentary notes:

While it is the job of the CEO and senior management to assess and manage the company’s exposure to risk, the
audit committee must discuss guidelines and policies to govern the process by which this is handled. The audit
committee should discuss the company’s major financial risk exposures and the steps management has taken to
monitor and control such exposures. The audit committee is not required to be the sole body responsible for risk
assessment and management, but, as stated above, the committee must discuss guidelines and policies to
govern the process by which risk assessment and management is undertaken. Many companies, particularly
financial companies, manage and assess their risk through mechanisms other than the audit committee. The
processes these companies have in place should be reviewed in a general manner by the audit committee, but
they need not be replaced by the audit committee.

Risk Committee
The New York Stock Exchange rule commentary states that some companies assign board-level risk
management oversight responsibility to other than the audit committee, and some organizations indeed have
determined that tasking the audit committee with oversight of entity-wide risks in non-financial areas (e.g.,
operational, compliance) exceeds the intended authority of the audit committee and its available resources.
Some boards have established a risk committee to focus directly on enterprise risk management. A description
of one company’s board risk committee is provided in Exhibit 10.5. In this case, senior members of
management attend the committee’s meetings, and the committee’s responsibilities reflect that it works with
management in dealing with such matters as developing and refining the enterprise-wide risk appetite and risk
tolerances.

Exhibit 10.5 Risk Committee Description

Objectives

The Board of Directors (exercised through the Risk Committee) recognizes its responsibility for ensuring that a
comprehensive Risk Management system which includes policies, programs, measures and competencies for
identifying, assessing and managing risk needs to be in place to assist senior management in managing growth in
a rapidly changing environment.

In this regard, the specific objectives of the Committee include ensuring that:

 Management understands and accepts its responsibility for identifying, assessing and managing risk
 Senior Management and business unit management are strategically focused on the enterprise-wide risk strategy
 Leading tools and processes are provided to the businesses to facilitate achievement of their Risk Management
responsibilities
 Business unit risk assessments are performed periodically and completely
 Business unit risk mitigation activities are successful in:
 safeguarding assets
 maintaining appropriate standards regarding the environment and health and safety issues
 meeting legal and regulatory obligations
 reinforcing the values of the organization by focusing on stakeholder needs

 Proper accounting records are being maintained, appropriate accounting policies have been adopted and financial
information is comprehensive and accurate
 Effective risk mitigation/control testing programs are in place and the results evaluated and acted upon

Responsibilities

The Risk Committee's responsibilities include the following:

 Oversee development of and participation in an annual enterprise-wide risk strategy analysis
 Develop and refine the enterprise-wide appetite/tolerance for risk
 Provide direction and oversight to the Chief Risk Officer and the Global Risk Leaders
 Evaluate material risk exposures and report to Board
 Evaluate enterprise-wide risk exposure report
 Evaluate enterprise-wide risk trending report and ensure corporate strategy is responsive to issues raised
 Oversee the role and responsibilities of the Internal Audit Team
 Review semi-annual and annual consolidated accounts

Materiality and Focus

The Committee is charged with ensuring that the competency for identifying, assessing and managing risk
continues to evolve in relation to the growing risk appetite of the organization. To that end, it will focus primarily
on the effectiveness of enterprise risk management.

The Committee should review those risks which may be deemed material through agreement between the
Committee and the Chief Risk Officer. Materiality considerations will be based upon both immediate financial
exposure to the organization's shareholders and long term material financial exposure to the organization's
shareholders.

The goal of the Committee is to encourage broader thinking by management in relation to risks so that greater
focus is applied to continue to evolve the organization's competencies along their risk management vision.

Structure and Membership

- Members of the Committee will be appointed by resolution of the Board
- The Committee will comprise four non-executive Board directors, one of whom will be appointed to chair the Committee

Meetings

- Meetings will be held quarterly prior to Board meetings
- The General Counsel & Secretary will attend all Committee meetings and will act as Committee Secretary. The Chief Risk Officer and the CFO will also attend all Committee meetings
- A report of the meeting will be presented to the next Board meeting following each Committee meeting

Management
Management is directly responsible for all activities of an entity, including enterprise risk management.

Chief Executive Officer


The chief executive's responsibilities include seeing that all components of enterprise risk management are in
place.

The chief executive has ultimate ownership responsibility for enterprise risk management. The CEO generally
fulfills these responsibilities by providing leadership and direction to senior managers and by setting broad-
based policies reflecting the entity’s risk management philosophy and risk appetite.

A number of chief executive officers have identified a senior executive to provide direction, under the auspices of
the CEO, to the organization on enterprise risk management implementation. Some CEOs have established a
committee to provide this direction. Another approach, which is being used by an increasing number of
companies, is to establish a chief risk officer to provide direction, guidance, and support to and monitoring of line
managers in effecting enterprise risk management.

Enterprise Risk Management Executive Committee


In some large organizations, the CEO has established an enterprise risk management committee of senior
executives, consisting of a subset of senior management, including functional managers such as the chief
financial officer, chief audit executive, chief information officer, and others.

Functions and responsibilities of the committee include such matters as:

- Overall responsibility for the enterprise risk management process, including the processes used to identify, assess, respond to, and report on risk
- Defining roles, responsibilities, and accountabilities at the executive and senior management level
- Providing policies, frameworks, methodologies, and tools to business units for the identification, assessment, and management of risks
- Reviewing the company’s risk profile
- Reviewing performance measures against tolerances and recommending corrective action where appropriate
- Communicating the risk management process to the CEO and the board

The responsibilities of one enterprise risk management committee are outlined in an excerpt from a sample
charter, shown in Exhibit 10.6.

Exhibit 10.6 Enterprise Risk Management Committee Charter


The Enterprise Risk Management Committee determines the corporate objectives, risk appetite and aggregate
risk tolerance levels. It oversees the process by which business unit management identifies and assesses risks
and determines appropriate responses. It addresses enterprise-wide risks, and sets performance measure goals
and key risk indicators for those risks. It is responsible for capital allocations, capital planning, and risk capital
allocation and overrides. The committee also reviews capital usage and actual risk management performance
versus plan.

Chief Risk Officer

Some companies have established a centralized coordinating point to facilitate enterprise risk management. A
risk officer – referred to in some organizations as the chief risk officer or risk manager – works with other
managers in establishing effective risk management in their areas of responsibility.

Companies that have a chief risk officer (CRO) position tend to be larger and more complex enterprises. An
alternative to creating this position is to assign this role to a senior officer, such as chief financial officer, general
counsel, or chief compliance officer. Some companies that initially chose this approach found over time that the
breadth and scope of dealing effectively with risk require more time and effort than senior officers have available,
and have moved to establishing a CRO resource.

A model for the CRO that a number of companies have found successful begins with establishing clarity around
the risk officer’s responsibilities and accountabilities. While some companies assign direct responsibility for
effective risk management to the CRO, many others have found success by maintaining responsibility for risk
management with line and functional unit leaders, with the risk officer having important directional, support, and
monitoring responsibilities. Experience shows that success also depends on the CRO having the appropriately
high stature within the organization, as well as necessary resources. Some companies provide CRO staff within
subsidiaries, business units, and departments, to ensure CRO staff support is close to the entity’s operating
activities.

One company’s CRO job description, which outlines key responsibilities, is illustrated in Exhibit 10.7.

Exhibit 10.7 Chief Risk Officer Job Description

Reports to:

Chairman – Risk Committee of the Board, and CEO

Direct Reports:

- Global Risk Leaders, Group-wide Risk Specialists (pertaining to risk matters)
- Business Unit Risk Coordinators, Internal Audit

Responsibilities:

- Enable the Risk Committee of the Board to fulfill its responsibilities as stated in its Charter
- Communicate and manage the establishment and ongoing maintenance of enterprise risk management pursuant to the Corporation’s risk management vision
- Ensure proper risk management ownership by Business Unit CEOs and effective oversight by the Regional/Business Boards
- Validate that enterprise risk management is functioning in each Business Unit and that all significant risks are being recognized and effectively managed in a timely manner
- Communicate with the Risk Committee regarding the status of enterprise risk management
- Promote the enterprise risk management model to the CEO and Business Unit heads and assist in integrating it into their business plans and ongoing reporting
- Ensure a risk management capability is developed and maintained in all Business Units and enterprises, including new acquisitions and joint venture investments

Specific Activities:

- Develop integrated procedures to report major risks
- Regularly visit business units and meet with senior executives to promote embedding risk management into culture and daily activities
- Develop a standardized risk information model and automated process and ensure it is usable across the organization
- Maintain a cost–benefit focus on enterprise risk management
- Ensure employees are educated about risk management. Transfer knowledge and information and generally assist in the efficient management of risk and help maintain an appropriate risk culture
- Work with business unit leaders to ensure business plans and budgets include risk identification and management
- Work with Business Units to ensure monitoring and reporting to ensure compliance with the organization’s standards and reporting of the most significant risks
- Report to the Risk Committee regarding the:
  - Progression of enterprise risk management and its implementation
  - Identified significant and material risk exposures and recommendations across the organization
  - Consolidated enterprise risk management plan encompassing analysis and recommendations

Professional Attributes:

- Foundation in enterprise risk management
- Ability to clearly demonstrate grasp of the tenets of the organization’s enterprise risk management infrastructure
- Creative, "out of the box" thinker
- Experience globally with differing cultures
- Good executive presence
- Exceptional interpersonal communication skills
- Able to command respect from the Board and Business Units
- Senior management experience, i.e., member of an executive team responsible for a large group of people, or CFO or COO experience
- Excellent presentation skills, articulate
- Superior facilitation competencies
- Large project management experience
- Strong analytical capabilities
- Exceptional problem-solving skills

The CRO job description for a financial services company, with a somewhat more operational focus, is illustrated
in Exhibit 10.8.

Exhibit 10.8 Chief Risk Officer Job Description, Financial Services Company

Responsibilities:

- Establish the corporate-wide risk limits
- Approve risk taking authority, capital allocation and limit setting based on a business unit’s:
  - Absolute and risk-adjusted performance
  - Risk profile and strategy
  - Earnings quality/consistency
  - Efficiency of capital usage
  - Diversification benefits or disadvantages
  - Reliability and competence of management
- Establish and maintain corporate-wide risk management standards, such as standards for:
  - Business unit policies and limit frameworks
  - Corporate risk data requirements
  - Reporting to business managers, senior management and the Board
  - Valuation and risk measurement methodology
- Review and approve policy exceptions
- Establish a risk reporting framework including consistent risk-adjusted profitability measurement, analysis and decision-making tools
- Aggregate and analyze common risk factors across business lines (e.g., stress testing/scenario analysis)
- Conduct macro assessments of the risk profile and the drivers of change
- Support management of stakeholder relations

Required Skills:

- Ability to serve as an advisor to and partner of the CEO, CFO and COO
- In-depth industry experience
- Integrity and credibility necessary to communicate with business leaders, regulators and other stakeholders
- Comprehensive risk management experience with an excellent grasp of market risk, credit risk and operational risk issues
- Excellent managerial skills, able to motivate and lead a diverse group of professionals with varying backgrounds
- Excellent oral communication skills, able to interact with Board members and business leaders
- Quick thinker with polished presentation skills, able to communicate with external stakeholders such as regulators, investors and the financial press
- Strong and effective negotiating skills necessary to arbitrate/adjudicate business unit demands for corporate capital (financial and human)
- Strategic thinker able to navigate a rapidly changing technology and competitive landscape
- Firsthand experience in lending and/or credit approval extremely desirable
- Ability to effectively formulate policy necessary to meet strategic objectives

Management
Senior managers in charge of organizational units have responsibility for managing risks related to their units'
objectives.

Heads of line business units, business processes, and functional departments are responsible for identifying,
assessing, and responding to risk relative to meeting the unit’s objectives. They ensure that processes utilized
are in compliance with the entity’s enterprise risk management policies and that their unit’s activities are within
established risk tolerance levels.

In some companies the job descriptions of these leaders explicitly outline their enterprise risk management
responsibilities, as well as associated performance measures. Unit leaders typically report on progress and
issues to the CRO and/or another executive.

Unit leaders naturally delegate responsibility for specific business unit enterprise risk management activities to
managers in their units, with responsibilities addressing such matters as:

- Complying with enterprise risk management policies and developing techniques tailored to the unit’s activities
- Applying enterprise risk management techniques and methodologies to ensure risks are appropriately identified, assessed, responded to, reported on, and monitored
- Ensuring risks are managed on a daily basis
- Providing unit leadership with complete and accurate reports regarding the nature and extent of risks in the business activities

As with unit leaders, some companies’ staff job descriptions outline their enterprise risk management
responsibilities and associated performance measures.

Internal Auditors
In many companies, internal auditors play a key role in the ongoing functioning of enterprise risk management
by providing objective monitoring of its application and effectiveness. Internal auditors may conduct
examinations for the purpose of providing an objective assessment of the entire enterprise risk management
process or subsets thereof. In this role, internal auditors may support management by providing assurance on
the:
- Enterprise risk management processes – both design and function
- Effectiveness and efficiency of risk responses and related control activities
- Completeness and accuracy of enterprise risk management reporting

Internal auditors sometimes act in a consulting role, where they serve to facilitate improvements in the
organization’s enterprise risk management process. In this capacity, internal auditors may, among other
activities, promote development of a common understanding of enterprise risk management, coach
management on enterprise risk management concepts, facilitate risk-based workshops, and provide tools and
techniques to help managers analyze risks and design control activities.

Acknowledgments

The COSO Board, Advisory Council, and PricewaterhouseCoopers LLP gratefully acknowledge the many
individuals who gave their time and energy to participating in and contributing to various aspects of the
application techniques. Also recognized are the considerable efforts of the COSO organizations and their
members who responded to surveys, participated in workshops and meetings, and provided comments and
feedback throughout the development of these application techniques.

The following PricewaterhouseCoopers partners and staff provided important input to these application
techniques: Dick Anderson, Jeffrey Boyle, Glenn Brady, Michael Bridge, John Bromfield, Gary Chamblee,
Nicholas Chipman, John Copley, Michael de Crespigny, Stephen Delvecchio, Carlo di Florio, Scott Dillman, P.
Gregory Garrison, Bruno Gasser, Suzanne Holifield, Susan Kenney, Brian Kinman, Robert Lamoureux, James
LaTorre, Mike Maali, Jorge Manoel, Cathy McKeon, Juan Pujadas, Richard Reynolds, Sonny Sonnenstein, Mark
Stephen, Robert Sullivan, Jeffrey Thompson, John Tomac, and Shyam Venkat. Thanks go to Myra Cleary for
her editorial guidance.

Also making an important contribution to this document is Kathleen H.J. Leibfried, Senior Global Operational
Risk Director, Citigroup Private Bank.

Volume I: Executive Summary
COSO_vol01_screen.pdf

Volume II: Guidance
COSO_vol02_screen.pdf

Volume III: Evaluation Tools
COSO_vol03_screen.pdf

Frequently Asked Questions
COSO_faq_screen.pdf

Enterprise Risk Management - Aligning Risk with Strategy and Performance
June 2016 Edition
COSO-ERM-Public-Exposure.pdf

Enterprise Risk Management - Aligning Risk with Strategy and Performance - Executive Summary
June 2016 edition
COSO-ERM-Public-Exposure-Executive-Summary.pdf

Enterprise Risk Management - Aligning Risk with Strategy and Performance - Feedback Survey on the Public Comment Draft
June 2016 edition
COSO-ERM-Survey.pdf