CONTROL FRAMEWORKS
The COSO Frameworks: ICF and ERM
• The framework contains 17 principles representing the fundamental concepts associated with each of its components.
• It is typically represented in the form of a cube.
1. CONTROL ENVIRONMENT
The control environment refers to the workplace environment, characterized by the way the organization is structured,
the manner of leadership, the degree of openness, management's operating style, and whether the organization has and
practices the tenets of its code of ethics and statement of values.
The tone at the top is set and promoted by the board of directors and senior management, and it
refers to the general attitude, integrity, and ethical practices of these individuals.
Organizational culture is the collection of learned beliefs, traditions, and guides for behavior
shared among members of the organization.
Happy employees deliver higher-quality customer service.
The control environment also includes the activities related to the competence and development
of personnel, the assignment of authority and responsibility, and the organizational structure.
Employee accountability requirements are shaped by reporting lines, and these play an important role
in the effectiveness of internal controls.
Management establishes a risk management philosophy and the entity’s risk appetite, forms a
risk culture, and integrates ERM with related initiatives.
• It is important to remember that culture plays a key role defining the control
environment. According to Trompenaars, organizational culture includes 3 key
elements:
1. The general relationship between employees and their organizations
2. The vertical or hierarchical system of authority defining superiors and
subordinates
3. The general views of employees about the organization’s destiny, purpose,
and goals, and their place in it
The following are some examples of unethical behavior that auditors should be on
the lookout for:
• Undue emphasis on bottom-line performance
• High-pressure sales tactics
• Kickbacks or bribes
Communication, Consistency, and Belief in the Message
It is very important for management to communicate clearly, consistently,
and often what is allowed and what is not. By setting clear expectations
there is a better chance that they will be followed.
2. RISK ASSESSMENT
Risks are events that can jeopardize the organization's ability to achieve its objectives.
Risk assessment is the process of identifying, assessing, and measuring risks to the
organization, program, or process under review.
COSO's 2013 Internal Control Integrated Framework (IC-IF) notes that the organization is subject to a variety of events,
and that risk assessment involves a dynamic and iterative process of identifying, analyzing, and
deciding how best to respond to these risks in relation to the achievement of objectives.
Management specifies objectives within three separate but related categories:
• Reporting
• Compliance
• Operations
The SMARTER Model for Effective Goals
The link between audit findings and business objectives
Effects of Risk
• Loss of assets
• Negative publicity
• Erroneous decisions
• Customer dissatisfaction
• Fraudulent financial or operational reporting
• Erroneous record keeping and accounting
• Noncompliance with rules and regulations
• Purchase of resources uneconomically
• Failure to accomplish established goals
3. CONTROL ACTIVITIES
Controls are actions established through policies and
procedures that mitigate the likelihood and/or impact of risks. They are commonly classified by the way they act on a risk:
• Preventive: stop an undesirable event before it occurs
• Detective: identify an undesirable event after it has occurred
• Directive: guide or encourage behavior toward a desired outcome
• Compensating: offset a weakness in, or absence of, another control
4. INFORMATION AND COMMUNICATION