Internal Control Strategies: A Mid to Small Business Guide
By Julie Harrer
Copyright © 2008 by Hamlet Auditing Corp.
Appendix A: Simplified Sample Entity-Level Control Matrices

Each matrix below lists, for one COSO component, the subcomponent, the possible controls, who performs them, who provides oversight, and examples of evidence an auditor could inspect.
Control Environment

Integrity and ethical values
  Possible controls: Code of conduct is approved by the board and communicated to all employees. Code is updated annually.
  Performed by: HR
  Oversight by: Audit committee
  Examples of evidence: Code of conduct document approved by the board of directors; copies of employee signoff forms confirming acceptance; emails or memos distributing the code to employees; presentations to employees that include slides on ethics or the code.

Commitment to competence
  Possible controls: Accounting, tax, and IT personnel perform tasks according to training manuals, desktop procedures, or policies. They receive ongoing training to keep skills current.
  Performed by: HR
  Oversight by: Internal audit
  Examples of evidence: Finance, IT, and tax training manuals, desktop procedures, or company policies; samples of continuing education or credential certificates for key employees.

Management's philosophy and operating style
  Possible controls: Audit committee is independent of management; CFO attends board and executive meetings; turnover in senior executive positions is monitored; audit committee has at least one financial expert; effectiveness of the audit committee is assessed and monitored by the board of directors.
  Performed by: Senior management
  Oversight by: Board of directors
  Examples of evidence: Board of directors and audit committee minutes; financial expert biography for the audit committee; assessment of the audit committee; statement of independence of the board/audit committee.

Organizational structure
  Possible controls: Organizational charts are maintained depicting titles and reporting structure.
  Performed by: Senior management
  Oversight by: Board of directors
  Examples of evidence: Current organization chart.

Assignment of authority
  Possible controls: Assignment of responsibility follows organizational charts; management has documented levels of authority in areas such as capital expenditures, cash management, purchases, and credit approvals.
  Performed by: Senior management
  Oversight by: Board of directors
  Examples of evidence: Signature authorization policy; purchase authority levels.

Human resource policies and procedures
  Possible controls: Company has an HR manual that covers procedures for training, promoting, and compensating employees; formal job descriptions exist; company has a well-established performance evaluation process with all employees evaluated at least annually; employee retention and promotion criteria are linked to the performance evaluation process.
  Performed by: HR and department heads
  Oversight by: Board of directors
  Examples of evidence: Copy of HR manual; samples of employee signatures showing they received a copy of the HR manual; listing of job descriptions; performance evaluation policy and examples; evidence that bonuses and promotions are based on performance.

Board of directors and committees
  Possible controls: Audit committee charter is in place; board approved a 3-year strategic plan; board has several active committees.
  Performed by: Audit committee and board of directors
  Oversight by: Board of directors
  Examples of evidence: Audit committee charter; strategic plan approved by the board of directors; listing of board committees and their minutes; relevant board minutes; audit committee assessments.

Information technology
  Possible controls: IT strategic plan aligns with the company's business plan; IT management understands its roles and responsibilities as they relate to internal controls.
  Performed by: IT management
  Oversight by: Board of directors
  Examples of evidence: IT strategic plan or IT section of the company strategic plan; emails from IT management on access, security, or other internal control topics.
Information and Communication

Financial reporting policies
  Possible controls: Financial reporting policies and procedures exist and are communicated to relevant employees/management.
  Performed by: Department heads/regional managers
  Oversight by: Board of directors
  Examples of evidence: Emails or presentations to financial reporting staff; EDGAR filing procedures; reporting procedures.

Accounting and internal control policies
  Possible controls: Accounting policies exist and are communicated to relevant employees/management.
  Performed by: Internal audit
  Oversight by: Board of directors
  Examples of evidence: Emails or presentations on the policies to accounting staff.

Lines of communication
  Possible controls: Financial results are communicated at least quarterly to senior management, board of directors, and audit committee; relevant information on ethics and policies is communicated to employees and management.
  Performed by: Senior management
  Oversight by: Board of directors
  Examples of evidence: Presentations to the board of directors or its committees.

Distribution of information
  Possible controls: Company has a policy for the distribution of critical information to the public.
  Performed by: Senior management
  Oversight by: Board of directors
  Examples of evidence: Procedures or policy for reporting information to the public; emails; board of directors meeting minutes.

Section 16
  Possible controls: Company has a policy for Section 16/insider purchases of company stock. Policy has been communicated to employees and management.
  Performed by: Senior management
  Oversight by: Board of directors
  Examples of evidence: Procedures or policy for reporting information to the public; emails; board of directors meeting minutes.

IT information security
  Possible controls: Data integrity, information classification, and security ownership and responsibilities have been defined and communicated to management and employees.
  Performed by: IT management
  Oversight by: Board of directors
  Examples of evidence: Procedures or policy for reporting information to the public; emails; board of directors meeting minutes.
Risk Assessment

Company-wide objectives
  Possible controls: Board of directors and/or strategy committee oversees the risk assessment process and takes action to address the significant risks identified.
  Performed by: Senior management
  Oversight by: Board of directors
  Examples of evidence: Board minutes.

Business risk identification
  Possible controls: Management creates and follows a 3-year strategic plan.
  Performed by: Senior management
  Oversight by: Board of directors
  Examples of evidence: Strategic plan.

Inherent risk identification
  Possible controls: Management performs an annual risk assessment and presents it to the board of directors.
  Performed by: Internal audit or senior management
  Oversight by: Board of directors
  Examples of evidence: Annual business unit planning/strategy meetings; risk assessment; board presentation of the risk assessment.

Information and communication
  Possible controls: Management's budget, forecast, and strategic plans are communicated to the board of directors and employees.
  Performed by: Senior management
  Oversight by: Board of directors
  Examples of evidence: Board of directors presentations and emails or memos to employees on budgets and forecasts.

Managing change
  Possible controls: Management communicates changes that may have a significant effect on the entity to the board of directors or audit committee.
  Performed by: Senior management
  Oversight by: Board of directors
  Examples of evidence: Board of directors minutes, company presentations, emails, memos.

Managing change
  Possible controls: Accounting department has a process in place to identify and address changes in GAAP, the operating and regulatory environment, and related party transactions.
  Performed by: Controller or chief financial officer
  Oversight by: Chief financial officer or audit committee
  Examples of evidence: Legal and accounting practices; meeting agendas and presentations; continuing education for accountants.

Information technology
  Possible controls: Information and systems risks are part of the company's annual risk assessment.
  Performed by: Internal audit or senior management
  Oversight by: Board of directors
  Examples of evidence: IT risk or strategy meeting agenda/minutes/presentation.
Monitoring

Separate evaluations
  Possible controls: Self-assessment reviews.
  Performed by: Business unit managers
  Oversight by: Board of directors
  Examples of evidence: Self-assessment questionnaires and documentation.

Reporting deficiencies
  Possible controls: Internal audits or investigations performed to evaluate compliance and deficiencies. Results reported to the audit committee.
  Performed by: Internal audit
  Oversight by: Board of directors or audit committee
  Examples of evidence: Internal audit reports or presentations.

Ongoing monitoring
  Possible controls: Board of directors monitors the company's performance, risk, and operations.
  Performed by: Senior management
  Oversight by: Board of directors
  Examples of evidence: Presentations or minutes to the board of directors or its committees.

Ongoing monitoring
  Possible controls: Audit committee monitors financial results and reviews financial statements before filing with the SEC.
  Performed by: Controller or chief financial officer
  Oversight by: Audit committee
  Examples of evidence: Presentations or minutes for audit committee meetings.

Information technology
  Possible controls: IT management monitors adherence to IT policies, procedures, and standards.
  Performed by: IT management
  Oversight by: Board of directors
  Examples of evidence: Monitoring reports (backups/help desk); monthly/quarterly IT meeting minutes/presentations/agendas.
Anti-Fraud

This matrix adds a COSO component column, since anti-fraud controls cut across the components above.

Control environment: Code of conduct
  Possible controls: Code of conduct is approved by the board and distributed to new employees. Code is updated annually.
  Performed by: Human resources
  Oversight by: Audit committee
  Examples of evidence: Board of directors minutes.

Control environment: Whistleblower program
  Possible controls: Whistleblower program is in place and is monitored by the audit committee.
  Performed by: Audit committee
  Oversight by: Board of directors
  Examples of evidence: Hotline information, reports on hotline complaints, procedures for resolving complaints, logs of reported incidents.

Control environment: Hiring and promotion
  Possible controls: Background and references are checked for new hires. Job descriptions and qualifications are prepared and followed for each open position.
  Performed by: Human resources
  Oversight by: Board of directors
  Examples of evidence: Hiring and promotion policies; reference and background check forms or examples.

Monitoring: Monitoring
  Possible controls: Audit committee effectively oversees the company's anti-fraud program and meets at least once a year to discuss the anti-fraud program and fraud risks.
  Performed by: Board of directors
  Oversight by: Board of directors
  Examples of evidence: Relevant audit committee or board of directors meeting minutes or emails.

Risk assessment: Fraud scenarios
  Possible controls: Fraud risk assessment including fraud scenarios is prepared by management and presented to the audit committee or board of directors at least annually.
  Performed by: Internal audit
  Oversight by: Board of directors
  Examples of evidence: Fraud risk assessment, including a listing of scenarios, analysis, and controls in place to mitigate the risks.

Information and communication: Information and communication
  Possible controls: Code of conduct and ethical tone at the top is communicated to management and employees.
  Performed by: Senior management
  Oversight by: Audit committee
  Examples of evidence: Emails, presentations, and intranet addresses where the code of conduct, HR policies, and other fraud-related matters have been communicated to management or employees.

Control activities: Control activities
  Possible controls: Specific fraud-related control activities are identified.
  Performed by: Internal audit
  Oversight by: Audit committee
  Examples of evidence: Listing of control activities that mitigate fraud risks.