• The report suggests that audit results be cataloged in terms of the COSO framework and that this information be utilized in top-level reports to management and the board of directors.

COSO

Three primary objectives of an internal control system:
• (1) efficient and effective operations,
• (2) accurate financial reporting, and
• (3) compliance with laws and regulations.

Five essential components of an effective internal control system:
• THE CONTROL ENVIRONMENT, which establishes the foundation for the internal control system by providing fundamental discipline and structure.
• RISK ASSESSMENT, which involves the identification and analysis by management, not the internal auditor, of relevant risks to achieving predetermined objectives.
• CONTROL ACTIVITIES, or the policies, procedures, and practices that ensure management objectives are achieved and risk mitigation strategies are carried out.
• INFORMATION AND COMMUNICATION, which support all other control components by communicating control responsibilities to employees and by providing information in a form and time frame that allows people to carry out their duties.
• MONITORING, which covers the external oversight of internal controls by management or other parties outside the process, or the application of independent methodologies, like customized procedures or standard checklists, by employees within a process.

How to do it
• Focus each audit on a single COSO objective, rather than on many audit objectives.
• Each auditor, in conjunction with management, determines the appropriate COSO objective: operations, financial reporting, or compliance.
• This determination is made during audit planning and formally documented in the working papers.
• Concentrating on one audit objective allows us to improve audit focus and efficiency.
• If another objective needs to be addressed, a separate audit can be initiated.

RATING CRITERIA FOR COSO-BASED AUDITS

Control component, followed by its criteria for an unsatisfactory rating:
• Control Environment: "Hard controls" are missing or inadequate. There are verified instances of breakdowns of "soft controls."
• Risk Assessment: Management has not predefined relevant objectives. Such objectives are incompatible with broader objectives. Management has not identified relevant risks to achieving its objectives. Management does not have a basis for determining which risks are most critical. Management has not ensured mitigation of critical operating risks. Audit tests detect key risks not previously contemplated by management.
• Control Activities: Key control activities are not functioning as intended. Management's risk mitigation strategy is not adequately reflected within control activities.
• Information & Communication: Key metrics are not identified, collected, and communicated. Employees do not understand their control responsibilities. Customer or supplier complaints and disputes are not resolved, or remedial action is not undertaken in a timely manner, and this is pervasive.
• Monitoring: Management has not established a means of determining the quality of the internal control system over time, either through independent evaluations or ongoing, structured, and independent process checks.
• Overall: The ratings of all components should be considered to determine whether controls provide reasonable assurance that management objectives will be achieved. A strength in the internal controls of one component may compensate for a control weakness in another.