For Wizard Kim-D1

profiletkrmaslatwbha81
Chapters1-3.docx

1. Executive Summary

Internal control helps entities achieve important objectives and sustain and improve performance. COSO’s Internal Control—Integrated Framework (Framework) enables organizations to effectively and efficiently develop systems of internal control that adapt to changing business and operating environments, mitigate risks to acceptable levels, and support sound decision making and governance of the orga7nization.

Designing and implementing an effective system of internal control can be challenging; operating that system effectively and efficiently every day can be daunting. New and rapidly changing business models, greater use and dependence on technology, increasing regulatory requirements and scrutiny, globalization, and other challenges demand any system of internal control to be agile in adapting to changes in business, operating and regulatory environments.

An effective system of internal control demands more than rigorous adherence to policies and procedures: it requires the use of judgment. Management and boards of direc-tors1 use judgment to determine how much control is enough. Management and other personnel use judgment every day to select, develop, and deploy controls across the entity. Management and internal auditors, among other personnel, apply judgment as they monitor and assess the effectiveness of the system of internal control.

The Framework assists management, boards of directors, external stakeholders, and others interacting with the entity in their respective duties regarding internal control without being overly prescriptive. It does so by providing both understanding of what constitutes a system of internal control and insight into when internal control is being applied effectively.

For management and boards of directors, the Framework provides: •• A means to apply internal control to any type of entity, regardless of industry or legal structure, at the levels

of entity, operating unit, or function

•• A principles-based approach that provides flexibility and allows for judgment in designing, implementing, and conducting internal control—principles that can be applied at the entity, operating, and functional levels

•• Requirements for an effective system of internal control by considering how components and principles are present and functioning and how components operate together

•• A means to identify and analyze risks, and to develop and manage appropriate responses to risks within acceptable levels and with a greater focus on anti-fraud measures

•• An opportunity to expand the application of internal control beyond financial reporting to other forms of reporting, operations, and compliance objectives

•• An opportunity to eliminate ineffective, redundant, or inefficient controls that provide minimal value in reducing risks to the achievement of the entity’s objectives

For external stakeholders of an entity and others that interact with the entity, application of this Framework provides:

•• Greater confidence in the board of directors’ oversight of internal control systems •• Greater confidence regarding the achievement of entity objectives

•• Greater confidence in the organization’s ability to identify, analyze, and respond to risk and changes in the business and operating environments

•• Greater understanding of the requirement of an effective system of internal control •• Greater understanding that through the use of judgment, management may be able to eliminate ineffective,

redundant, or inefficient controls

Internal control is not a serial process but a dynamic and integrated process. The Framework applies to all entities: large, mid-size, small, for-profit and not-for-profit, and government bodies. However, each organization may choose to implement internal control differently. For instance, a smaller entity’s system of internal control may be less formal and less structured, yet still have effective internal control.

The remainder of this Executive Summary provides an overview of internal control, including a definition, categories of objective, description of the requisite components and associated principles, and requirement of an effective system of internal control. It also includes a discussion of limitations—the reasons why no system of internal control can be perfect. Finally, it offers considerations on how various parties may use the Framework.

e Framework uses the term “board of directors,” which encompasses the governing body, including board, board of trustees, general partners, owner, or supervisory board.

Defining Internal Control

Internal control is defined as follows:

Internal control is a process, effected by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting, and compliance.

This definition reflects certain fundamental concepts. Internal control is: •• Geared to the achievement of objectives in one or more categories—operations, reporting, and compliance

•• A process consisting of ongoing tasks and activities—a means to an end, not an end in itself •• Effected by people—not merely about policy and procedure manuals, systems, and forms, but about people

and the actions they take at every level of an organization to affect internal control

•• Able to provide reasonable assurance—but not absolute assurance, to an entity’s senior management and board of directors

•• Adaptable to the entity structure—flexible in application for the entire entity or for a particular subsidiary, division, operating unit, or business process

This definition is intentionally broad. It captures important concepts that are fundamental to how organizations design, implement, and conduct internal control, providing a basis for application across organizations that operate in different entity structures, industries, and geographic regions.

Objectives

The Framework provides for three categories of objectives, which allow organizations to focus on differing aspects of internal control:

•• Operations Objectives—These pertain to effectiveness and efficiency of the entity’s operations, including operational and financial performance goals, and safeguarding assets against loss.

•• Reporting Objectives—These pertain to internal and external financial and non-financial reporting and may encompass reliability, timeliness, transparency, or other terms as set forth by regulators, recognized standard setters, or the entity’s policies.

•• Compliance Objectives—These pertain to adherence to laws and regulations to which the entity is subject.

Components of Internal Control

Internal control consists of five integrated components.

Control Environment

The control environment is the set of standards, processes, and structures that provide the basis for carrying out internal control across the organization. The board of directors and senior management establish the tone at the top regarding the importance of internal control including expected standards of conduct. Management reinforces expectations at the various levels of the organization. The control environment comprises the integrity and ethical values of the organization; the parameters enabling the board of directors to carry out its governance oversight responsibilities; the organizational structure and assignment of authority and responsibility; the process for attracting, developing, and retaining competent individuals; and the rigor around performance measures, incentives, and rewards to drive accountability for performance. The resulting control environment has a pervasive impact on the overall system of internal control.

Risk Assessment

Every entity faces a variety of risks from external and internal sources. Risk is defined as the possibility that an event will occur and adversely affect the achievement of objectives. Risk assessment involves a dynamic and iterative process for identifying and assessing risks to the achievement of objectives. Risks to the achievement of these objectives from across the entity are considered relative to established risk tolerances. Thus, risk assessment forms the basis for determining how risks will be managed.

A precondition to risk assessment is the establishment of objectives, linked at different levels of the entity. Management specifies objectives within categories relating to operations, reporting, and compliance with sufficient clarity to be able to identify and analyze risks to those objectives. Management also considers the suitability of the objectives for the entity. Risk assessment also requires management to consider the impact of possible changes in the external environment and within its own business model that may render internal control ineffective.

Control Activities

Control activities are the actions established through policies and procedures that help ensure that management’s directives to mitigate risks to the achievement of objectives are carried out. Control activities are performed at all levels of the entity, at various stages within business processes, and over the technology environment. They may be preventive or detective in nature and may encompass a range of manual and automated activities such as authorizations and approvals, verifications, reconciliations, and business performance reviews. Segregation of duties is typically built into the selection and development of control activities. Where segregation of duties is not practical, management selects and develops alternative control activities.

Information and Communication

Information is necessary for the entity to carry out internal control responsibilities to support the achievement of its objectives. Management obtains or generates and uses relevant and quality information from both internal and external sources to support the functioning of other components of internal control. Communication is the continual, iterative process of providing, sharing, and obtaining necessary information. Internal communication is the means by which information is disseminated throughout the organization, flowing up, down, and across the entity. It enables personnel to receive a clear message from senior management that control responsibilities must be taken seriously. External communication is twofold: it enables inbound communication of relevant external information, and it provides information to external parties in response to requirements and expectations.

Monitoring Activities

Ongoing evaluations, separate evaluations, or some combination of the two are used to ascertain whether each of the five components of internal control, including controls to effect the principles within each component, is present and functioning. Ongoing evaluations, built into business processes at different levels of the entity, provide timely information. Separate evaluations, conducted periodically, will vary in scope and frequency depending on assessment of risks, effectiveness of ongoing evaluations, and other management considerations. Findings are evaluated against criteria established by regulators, recognized standard-setting bodies or management and the board of directors, and deficiencies are communicated to management and the board of directors as appropriate.

Relationship of Objectives and Components

A direct relationship exists between objectives, which are what an entity strives to achieve, components, which represent what is required to achieve the objectives, and the

organizational structure of the entity (the operating units, legal entities, and other). The relationship can be depicted in the form of a cube.

•• The three categories of objectives—operations, reporting, and compliance—are represented by the columns.

•• The five components are represented by the rows.

•• An entity’s organizational structure is rep- resented by the third dimension.

Components and Principles

The Framework sets out seventeen principles representing the fundamental concepts associated with each component. Because these principles are drawn directly from the components, an entity can achieve effective internal control by applying all principles. All principles apply to operations, reporting, and compliance objectives. The principles supporting the components of internal control are listed below.

Control Environment

1. The organization2 demonstrates a commitment to integrity and ethical values.

2. The board of directors demonstrates independence from management and exercises oversight of the development and performance of internal control.

3. Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives.

4. The organization demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives.

5. The organization holds individuals accountable for their internal control responsibilities in the pursuit of objectives.

2 For purposes of the Framework, the term “organization” is used to collectively capture the board, management, and other personnel, as reflected in the definition of internal control.

page14image1820842352

Risk Assessment

6. The organization specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives.

7. The organization identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed.

8. The organization considers the potential for fraud in assessing risks to the achievement of objectives.

9. The organization identifies and assesses changes that could significantly impact the system of internal

control.

Control Activities

10. The organization selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels.

11. The organization selects and develops general control activities over technology to support the achievement of objectives.

12. The organization deploys control activities through policies that establish what is expected and procedures that put policies into action.

Information and Communication

13. The organization obtains or generates and uses relevant, quality information to support the functioning of internal control.

14. The organization internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control.

15. The organization communicates with external parties regarding matters affecting the functioning of internal control.

Monitoring Activities

16. The organization selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning.

17. The organization evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate.

Effective Internal Control

The Framework sets forth the requirements for an effective system of internal control. An effective system provides reasonable assurance regarding achievement of an entity’s objectives. An effective system of internal control reduces, to an acceptable level, the risk of not achieving an entity objective and may relate to one, two, or all three categories of objectives. It requires that:

•• Each of the five components and relevant principles is present and functioning. “Present” refers to the determination that the components and relevant principles exist in the design and implementation of the system of internal control to achieve specified objectives. “Functioning” refers to the determination that the components and relevant principles continue to exist in the operations and conduct of the system of internal control to achieve specified objectives.

•• The five components operate together in an integrated manner. “Operating together” refers to the determination that all five components collectively reduce, to an acceptable level, the risk of not achieving an objective. Com-ponents should not be considered discretely; instead, they operate together as an integrated system. Components are interdependent with a multitude of interrelationships and linkages among them, particularly the manner in which principles interact within and across components.

When a major deficiency exists with respect to the presence and functioning of a com-ponent or relevant principle, or with respect to the components operating together in an integrated manner, the organization cannot conclude that it has met the requirements for an effective system of internal control.

When a system of internal control is determined to be effective, senior management and the board of directors have reasonable assurance, relative to the application within the entity structure, that the organization:

•• Achieves effective and efficient operations when external events are considered unlikely to have a significant impact on the achievement of objectives or where the organization can reasonably predict the nature and timing of external events and mitigate the impact to an acceptable level

•• Understands the extent to which operations are managed effectively and efficiently when external events may have a significant impact on the achievement of objectives or where the organization can reasonably predict the nature and timing of external events and mitigate the impact to an acceptable level

•• Prepares reports in conformity with applicable rules, regulations, and standards or with the entity’s specified reporting objectives

•• Complies with applicable laws, rules, regulations, and external standards

The Framework requires judgment in designing, implementing, and conducting internal control and assessing its effectiveness. The use of judgment, within the boundaries established by laws, rules, regulations, and standards, enhances management’s ability to make better decisions about internal control, but cannot guarantee perfect outcomes.

Limitations

The Framework recognizes that while internal control provides reasonable assurance of achieving the entity’s objectives, limitations do exist. Internal control cannot prevent bad judgment or decisions, or external events that can cause an organization to fail to achieve its operational goals. In other words, even an effective system of internal control can experience a failure. Limitations may result from the:

•• Suitability of objectives established as a precondition to internal control

•• Reality that human judgment in decision making can be faulty and subject to bias

•• Breakdowns that can occur because of human failures such as simple errors •• Ability of management to override internal control •• Ability of management, other personnel, and/or third parties to circumvent controls through

collusion •• External events beyond the organization’s control

These limitations preclude the board and management from having absolute assurance of the achievement of the entity’s objectives—that is, internal control provides reason-able but not absolute assurance. Notwithstanding these inherent limitations, management should be aware of them when selecting, developing, and deploying controls that minimize, to the extent practical, these limitations.

Using the Internal Control—Integrated Framework How this report can be used depends on the roles of the interested parties:

•• The Board of Directors—The board should discuss with senior management the state of the entity’s system of internal control and provide oversight as needed. Senior management is accountable for internal control and to the board of directors, and the board needs to establish its policies and expectations of how members should provide oversight of the entity’s internal control. The board should be apprised of the risks to the achievement of the entity’s objectives, the assessments of internal control deficiencies, the management actions deployed to mitigate such risks and deficiencies, and how management assesses the effectiveness of the entity’s system of internal control. The board should challenge management and ask the tough questions, as necessary, and seek input and support from internal auditors, external auditors, and others. Sub- committees of the board often can assist the board by addressing some of these oversight activities.

•• Senior Management—Senior management should assess the entity’s system of internal control in relation to the Framework, focusing on how the organization applies the seventeen principles in support of the components of internal control. Where management has applied the 1992 edition of the framework, it should first review the updates made to this version (as noted in Appendix F of the Framework), and consider implications of those updates to the entity’s system of internal control. Management may consider using the Illustrative Tools as part of this initial comparison and as an ongoing evaluation of the overall effectiveness of the entity’s system of internal control.

•• Other Management and Personnel—Managers and other personnel should review the changes made to this version and assess implications of those changes on the entity’s system of internal control. In addition, they should consider how they are conducting their responsibilities in light of the Framework and discuss with more senior personnel ideas for strengthening internal control. More specifically, they should consider how existing controls affect the relevant principles within the five components of internal control.

•• Internal Auditors—Internal auditors should review their internal audit plans and how they applied the 1992 edition of the framework. Internal auditors also should review in detail the changes made to this version and consider possible implications of those changes on audit plans, evaluations, and any reporting on the entity’s system of internal control.

•• Independent Auditors—In some jurisdictions, an independent auditor is engaged to audit or examine the effectiveness of the client’s internal control over financial reporting in addition to auditing the entity’s financial statements. Auditors can assess the entity’s system of internal control in relation to the Framework, focusing on how the organization has selected, developed, and deployed controls that affect the principles within the components of internal control. Auditors, similar to management, may use the Illustrative Tools as part of this evaluation of the overall effectiveness of the entity’s system of internal control.

•• Other Professional Organizations—Other professional organizations providing guidance on operations, reporting, and compliance may consider their standards and guidance in comparison to the Framework. To the extent diversity in concepts and terminology is eliminated, all parties benefit.

•• Educators—With the presumption that the Framework attains broad acceptance, its concepts and terms should find their way into university curricula.

2. Objectives, Components, and Principles Introduction

An organization adopts a mission and vision, sets strategies, establishes objectives it wants to achieve, and formulates plans for achieving them. Objectives may be set for an entity as a whole or be targeted to specific activities within the entity. Though many objectives are specific to a particular entity, some are widely shared. For example, objectives common to most entities are sustaining organizational success, reporting to stakeholders, recruiting and retaining motivated and competent employees, achieving and maintaining a positive reputation, and complying with laws and regulations.

Supporting the organization in its efforts to achieve objectives are five components of internal control:

·  Control Environment

·  Risk Assessment

·  Control Activities

·  Information and Communication

·  Monitoring Activities

These components are relevant to an entire entity and to the entity level, its subsidiaries, divisions, or any of its individual operating units, functions, or other subsets of the entity.

Relationship of Objectives, Components, and the Entity

A direct relationship exists between objectives, which are what an entity strives to achieve, components, which represent what is required to achieve the objectives, and entity structure (the operating units, legal entities, and other structures). The relationship can be depicted in the form of a cube.

page20image577751792

·  The three categories of objectives are represented by the columns.

·  The five components are represented by the rows.

·  The entity structure, which represents the overall entity, divisions, subsidiaries, operating units, or

functions, including business processes such as sales, purchasing, production, and marketing and to which internal control relates, are depicted by the third dimension of the cube. fn 3

Each component cuts across and applies to all three categories of objectives. For example, attracting, developing, and retaining competent people who are able to conduct internal control—part of the control environment component—is relevant to all three objectives categories.

The three categories of objectives are not parts or units of the entity. For instance, operations objectives relate to the efficiency and effectiveness of operations, not specific operating units or functions such as sales, marketing, procurement, or human resources.

Accordingly, when considering the category of objectives related to reporting, for example, knowledge of a wide array of information about the entity's operations is needed. In that case, focus is on the middle column of the model—reporting objectives—rather than on the operations objectives category.

Internal control is a dynamic, iterative, and integrated process. For example, risk assessment not only influences the control environment and control activities, but also may highlight a need to reconsider the entity's requirements for information and communication, or for its monitoring activities. Thus, internal control is not a linear process where one component affects only the next. It is an integrated process in which components can and will impact another.

No two entities will, or should, have the same system of internal control. Entities, objectives, and systems of internal control differ by industry and regulatory environment, as well as by internal considerations such as the

size, nature of the management operating model, tolerance for risk, reliance on technology, and competence and number of personnel. Thus, while all entities require each of the components to maintain effective internal control over their activities, one entity's system of internal control will look different from another's.

Footnotes (Relationship of Objectives, Components, and the Entity):

fn 3 Throughout the Framework, the term "the entity and its subunits" refers collectively to the overall entity, divisions, subsidiaries, operating units, and functions.

Objectives

Management, with board oversight, sets entity-level objectives that align with the entity's mission, vision, and strategies. These high-level objectives reflect choices made by management and board of directors about how the organization seeks to create, preserve, and realize value for its stakeholders. Such objectives may focus on the entity's unique operations needs, or align with laws, rules, regulations, and standards imposed by legislators, regulators, and standard setters, or some combination of the two. Setting objectives is a prerequisite to internal control and a key part of the management process relating to strategic planning.

Individuals who are part of the system of internal control need to understand the overall strategies and objectives set by the organization. As part of internal control, management specifies suitable objectives so that risks to the achievement of such objectives can be identified and assessed. Specifying objectives includes the articulation of specific, measurable or observable, attainable, relevant, and time-bound objectives.

However there may be instances where an entity might not explicitly document an objective. Objectives specified in appropriate detail can be readily understood by the people who are working toward achieving them.

Categories of Objectives

The Framework groups entity objectives into the three categories of operations, reporting, and compliance.

Operations Objectives

Operations objectives relate to the achievement of an entity's basic mission and vision—the fundamental reason for its existence. These objectives vary based on management's choices relating to the management operating model, industry considerations, and performance. Entity-level objectives cascade into related sub-objectives for operations within divisions, subsidiaries, operating units, and functions, directed at enhancing effectiveness and efficiency in moving the entity toward its ultimate goal.

As such, operations objectives may relate to improving financial performance, productivity (e.g., avoiding waste and rework), quality, environmental practices, innovation, and customer and employee satisfaction. These objectives pertain to all types of entities. For example, a for-profit entity may focus on revenue, profitability, return on assets, and liquidity. In contrast, a not-for-profit entity, though certainly concerned with revenues or levels of spending, may focus more on increasing donor participation. A governmental agency may focus on achieving the mission established by the legislature or governing body, by effectively and efficiently managing specific government programs and its spending in line with the designated purposes of its appropriators to ensure objectives are supported. If an entity's operations objectives are not well conceived or clearly specified, its resources may be misdirected.

page21image320531840

Safeguarding of Assets

The operations category of objectives includes safeguarding of assets, in other words, protecting and preserving entity assets. For instance, an entity may set objectives relating to the prevention of loss of assets and the timely detection and reporting of any such losses. These objectives form the basis of assessing risk relating to safeguarding of assets and selecting and developing controls needed to mitigate such risk.

The efficient use of an entity's assets and prevention of loss through waste, inefficiency, or poor business decisions (e.g., selling product at too low a price, extending credit to bad risks, failing to retain key employees, allowing patent infringement to occur, incurring unforeseen liabilities) relate to broader operations objectives and are not a specific consideration relating to safeguarding of assets.

Laws, rules, regulations, and external standards have created an expectation that management reporting on internal control includes controls relating to preventing and detecting unauthorized acquisition, use, or disposition of entity assets. In addition, some entities consider safeguarding of assets a separate category of objective, and that view can be accommodated within the application of the Framework.

Reporting Objectives

Reporting objectives pertain to the preparation of reports for use by organizations and stakeholders. Reporting objectives may relate to financial or non-financial reporting and to internal or external reporting. Internal reporting objectives are driven by internal requirements in response to a variety of potential needs such as the entity's strategic directions, operating plans, and performance metrics at various levels. External reporting objectives are driven primarily by regulations and/or standards established by regulators and standard-setting bodies.

·  External Financial Reporting Objectives—Entities need to achieve external financial reporting objectives to meet obligations to and expectations of stakeholders. Financial statements are necessary for accessing capital markets and may be critical to being awarded contracts or in dealing with suppliers and vendors. Investors, analysts, and creditors often rely on an entity's external financial statements to assess its performance against peers and alternative investments. Management may also be required to publish financial statements using objectives set forth by rules, regulations, and external standards.

·  External Non-Financial Reporting Objectives—Management may report external non-financial information in accordance with laws, rules, regulations, standards, or other frameworks. Non-financial reporting requirements as set forth by regulations and standards for management reporting on the effectiveness of internal control over financial reporting are part of external non-financial reporting objectives. For purposes of the Framework, external reporting in the absence of a law, rule, regulation, standard, or framework represents external communication.

·  Internal Financial and Non-Financial Reporting Objectives—Internal reporting to management and the board of directors includes information deemed necessary to manage the organization. It supports decision making and assessment of the entity's activities and performance. Internal reporting objectives are based on preferences and judgments of management and the board. Internal reporting objectives vary among entities because different organizations have different strategic directions, operating plans, and expectations.

Relationship within Reporting Category of Objectives

page23image1876343664

The overall relationship between the four sub-categories of reporting objectives is shown in the graphic below.

Reporting objectives are different from the Information and Communication component of internal control. Management establishes, with board oversight, reporting objectives when the organization needs reasonable assurance of achieving a particular reporting objective. In these situations all five components of internal control are needed. For instance, in preparing internal non-financial reporting to the board on the status of merger integration efforts, the organization specifies internal reporting objectives (e.g., prepares reliable, relevant, and useful reports), assigns competent individuals, assesses risks relating to specified objectives, selects and develops controls within the five components necessary to mitigate such risks, and monitors components of internal control supporting the specified non-financial reporting objective.

In contrast, the Information and Communication component supports the functioning of all components of reporting objectives, as well as operations and compliance objectives. For instance, controls within Information and Communication support the preparation of the above report, helping to provide relevant and quality information underlying the report, but these controls are only part of the overall system of internal control.

Compliance Objectives

Entities must conduct activities, and often take specific actions, in accordance with applicable laws and regulations. As part of specifying compliance objectives, the organization needs to understand which laws, rules and regulations apply across the entity. Many laws and regulations are generally well known, such as those relating to human resources, taxation, and environmental compliance, but others may be more obscure, such as those that apply to an entity conducting operations in a remote foreign territory.

Laws and regulations establish minimum standards of conduct expected of the entity. The organization is expected to incorporate these standards into the objectives set for the entity. Some organizations will set objectives to a higher level of performance than established by laws and regulations. In setting those objectives, management is able to exercise discretion relative to the performance of the entity. For instance, a particular

law may limit minors working outside school hours to eighteen hours in a school week. However, a retail food service company may choose to limit its minor-age staff to working fifteen hours per week.

For purposes of the Framework, compliance with an entity's internal policies and procedures, as opposed to compliance with external laws and regulations as discussed above, relates to operations objectives.

Overlap of Objectives Categories

An objective in one category may overlap or support an objective in another. For example, "closing financial reporting period within five workdays" may be a goal supporting primarily an operations objective—to support management in reviewing business performance. But it also supports timely reporting and filings with regulatory agencies.

The category in which an objective falls may vary depending on the circumstances. For instance, controls to prevent theft of assets—such as maintaining a fence around inventory, or having a gatekeeper to verify proper authorization of requests for movement of goods—fall under the operations category. These controls may not be relevant to reporting where inventory losses are detected after a periodic physical inspection and recorded in the financial statements. However, if for reporting purposes management relies solely on perpetual inventory records, as may be the case for interim or internal financial reporting, the physical security controls would then also fall within the reporting category. These physical security controls, along with controls over the perpetual inventory records, are needed to achieve reporting objectives. A clear understanding is needed of the entity's business processes, policies and procedures, and the respective impact on each category of objectives.

Basis of Objectives Categories

Some objectives are derived from the regulatory or industry environments in which the entity operates. For example:

·  Some entities submit information to environmental agencies.

·  Publicly traded companies file information with securities regulators.

·  Universities report grant expenditures to government agencies.

These objectives are established largely by law or regulation, and fall into the category of compliance, external reporting, or, in these examples, both.

Conversely, operations and internal reporting objectives are based more on the organization's preferences, judgments, and choices. These objectives vary widely among entities simply because informed and competent people may select different objectives. For example, one organization might choose to be an early adopter of emerging technologies in developing new products, whereas another might be a quick follower, and yet another a late adopter. These choices would reflect the entity's strategies and the competencies, technologies, and controls within its research and development function. Consequently, no one formulation of objectives can be optimal for all entities.

Objectives and Sub-Objectives

Management links specified entity-level objectives to more specific sub-objectives that cascade throughout the organization. Sub-objectives also are established as part of or flowing from the strategy-setting process, and relate to the entity and its subunits and functional activities such as sales, production, engineering, marketing, productivity, employee engagement, innovation, and information technology. Management aligns these sub- objectives with entity-level objectives and coordinates these across the entity.

Where entity-level objectives are consistent with prior practice and performance, the linkage between activities is usually known. Where objectives depart from an entity's past practices, management addresses the linkages or accepts increased risks. For example, an entity-level objective relating to customer satisfaction depends on linked sub-objectives dealing with the introduction of services that use a newer and less proven technology infrastructure. These sub-objectives might need to be substantially changed if past practice used older, proven technologies.

Sub-objectives for operating units and functional activities also need to be specific, measurable or observable, attainable, relevant, and time-bound. In addition, they must be readily understood by the people who are working toward achieving them. Management and other personnel require a mutual understanding of both what is to be accomplished and the means of determining to what extent it is accomplished in order to ensure individual and team accountability.

Entities may specify multiple sub-objectives for each activity, flowing both from the entity-level objectives and from established standards relating to compliance and reporting objectives, as deemed suitable in the circumstances. For example, procurement operations objectives may be to:

·  Purchase goods that meet engineering specifications

·  Purchase goods from companies that meet environmental, health, and safety specifications (e.g., no

child labor, good working conditions)

·  Negotiate acceptable prices and other terms

As another example, when specifying suitable external reporting objectives relating to the preparation of external financial statements, management considers accounting standards, financial statement assertions, and qualitative characteristics that are applicable to the entity and its subunits. For example, management may set an entity-level external financial reporting objective as follows: "Our company prepares reliable financial statements reflecting transactions and events in accordance with generally accepted accounting principles."

Management also specifies suitable sub-objectives for divisions, subsidiaries, operating units, and functions with sufficient clarity to support entity-level objectives. For instance, management specifies sub-objectives for sales transactions that apply appropriate accounting standards based on the circumstances and that address relevant financial statement assertions and qualitative characteristics, such as:

·  All sales transactions that occur are recorded on a timely basis.

·  Sales transactions are recorded at correct amounts in the right accounts.

·  Sales transactions are accurately and completely summarized in the entity's books and records.

·  Presentation and disclosures relating to sales are properly described, sorted, and classified.

Components and Principles of Internal Control

The Framework sets out five components of internal control and seventeen principles representing the fundamental concepts associated with components. These components and principles of internal control are suitable for all entities. All seventeen principles apply to each category of objective, as well as to objectives and sub-objectives within a category. For instance, an entity may apply the Framework relative to complying with a specific law regarding commercial arrangements with foreign entities, a sub-category of the compliance category of objectives.

Below is a summary of each of the five components of internal control and the principles relating to each component. Each of the principles is covered in the respective component chapters. fn 4

Control Environment

The control environment is the set of standards, processes, and structures that provide the basis for carrying out internal control across the organization. The board of directors and senior management establish the tone at the top regarding the importance of internal control and expected standards of conduct.

There are five principles relating to Control Environment:

1. The organization demonstrates a commitment to integrity and ethical values.

2. The board of directors demonstrates independence from management and exercises oversight of the

development and performance of internal control.

3. Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives.

4. The organization demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives.

5. The organization holds individuals accountable for their internal control responsibilities in the pursuit of objectives.

Risk Assessment

Risk assessment involves a dynamic and iterative process for identifying and analyzing risks to achieving the entity's objectives, forming a basis for determining how risks should be managed. Management considers possible changes in the external environment and within its own business model that may impede its ability to achieve its objectives.

There are four principles relating to Risk Assessment:

6. The organization specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives.

7. The organization identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed.

8. The organization considers the potential for fraud in assessing risks to the achievement of objectives.

9. The organization identifies and assesses changes that could significantly impact the system of internal

control.

Control Activities

Control activities are the actions established by policies and procedures to help ensure that management directives to mitigate risks to the achievement of objectives are carried out. Control activities are performed at all levels of the entity and at various stages within business processes, and over the technology environment.

There are three principles relating to Control Activities:

10. The organization selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels.

11. The organization selects and develops general control activities over technology to support the achievement of objectives.

12. The organization deploys control activities through policies that establish what is expected and procedures that put policies into action.

Information and Communication

Information is necessary for the entity to carry out internal control responsibilities in support of achievement of its objectives. Communication occurs both internally and externally and provides the organization with the information needed to carry out day-to-day controls. Communication enables personnel to understand internal control responsibilities and their importance to the achievement of objectives.

There are three principles relating to Information and Communication:

13. The organization obtains or generates and uses relevant, quality information to support the functioning of internal control.

14. The organization internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control.

15. The organization communicates with external parties regarding matters affecting the functioning of internal control.

Monitoring Activities

Ongoing evaluations, separate evaluations, or some combination of the two are used to ascertain whether each of the five components of internal control, including controls to effect the principles within each component, is present and functioning. Findings are evaluated and deficiencies are communicated in a timely manner, with serious matters reported to senior management and to the board.

There are two principles relating to Monitoring Activities:

16. The organization selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning.

17. The organization evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate.

Footnotes (Components and Principles of Internal Control):

fn 4 For purposes of the Framework, when describing principles the term "organization" is used to capture the meaning of, collectively, the board of directors, management, and other personnel. Typically the board of directors serves in an oversight capacity within this term.

page27image1522714784

Internal Control and the Management Process

Because internal control is a part of management's overall responsibility, the five components are discussed in the context of the management of the entity. Not every decision or action of management, however, is part of internal control:

·  Having a board that comprises directors with sufficient independence from management and that carries out its oversight role is part of internal control. However, many decisions reached by the board are not part of internal control; for example approving a particular mission or vision. The board also fulfills a variety of governance responsibilities in addition to its responsibilities for oversight of internal control.

·  Making strategic decisions impacting the entity's objectives is not part of internal control. An organization may apply enterprise risk management approaches or other approaches in setting objectives.

·  Setting the overall level of acceptable risk and associated risk appetite fn 5 is part of strategic planning and enterprise risk management, not part of internal control. Similarly, setting risk tolerance levels in relation to specific objectives is also not part of internal control.

·  Selecting and developing controls designed to mitigate risks based on the organization's risk assessment process is a part of internal control; however, choosing which risk response is preferred to address specific risks is not part of internal control.

Internal Control and Objective-Setting

It is not practical to design and implement a system of internal control unless the entity's objectives are established, set, and specified for the organization. Establishing and setting objectives and related sub- objectives are parts of or flow from the strategic-planning process, with consideration given to laws, rules, regulations, and standards as well as management's own choices. However, internal control cannot dictate or establish what an entity's objectives should be.

As part of internal control, an organization specifies objectives by:

·  Articulating and codifying specific, measurable or observable, attainable, relevant and time-based objectives

·  Assessing suitability of objectives and sub-objectives for internal control based on facts, circumstances, and established laws, rules, regulations, and standards

·  Communicating objectives and sub-objectives throughout the entity

The following diagram illustrates establishing and setting objectives as part of the management process outside of internal control, and specifying and using objectives as part of internal control in the context of an external financial reporting and an operations objective.

page28image1811466864 page28image1811467152

External Parties Establish

External parties establish laws, rules, and standards (where applicable) relating to compliance and external financial reporting objectives.

Part of the Management Process

Set

Set strategic objectives and select strategy within the context of an entity's established mission or vision.

Set entity-wide objectives and develop risk tolerances basedonentityrequirements suitable in the circumstances.

Part of Internal Control

page28image1811518640 page28image1811519008 page28image1811519312

Specify

Articulate specific, measurable or observable, attainable, relevant and time-based objectives and sub-objectives.

Assess and affirm suitability of objectives and sub-objectives forinternalcontrolbasedon facts, circumstances, and

Use

Use specified objectives and sub- objectives as the basis for risk assessment.

page28image1811556192 page28image1811556608

page29image1522833840 page29image1523978480

External Parties Establish

Part of the Management Process

Set

Align objectives with entity strategy and overall risk appetite.

Set objectives and subobjectives for the entity and its subunits suitable in those circumstances.

Part of Internal Control Specify

Use

page29image1522905184 page29image1522905488 page29image1522905792

established laws, rules, and standards.

Communicate objectives and sub-objectives throughout the entity and its subunits.

page29image1522919904 page29image1522920192

Examples of Financial Reporting Objectives and Sub-Objectives

page29image1522927488 page29image1522927776

The Financial Accounting Standards Board (FASB) established accounting principles generally accepted in the United States of America (US GAAP).

A regulatory body establishes an accounting standard on revenue recognition.

Not applicable for operations objectives.

Our company prepares reliable financial statements reflecting transactions and events in accordance with US GAAP.

Our company recognizes sales revenue upon installation of equipment for sales-type capital leases or recognizes rental revenue over the operating lease term.

Example of Operations Objectives

page29image1522992112 page29image1522992400 page29image1522992688 page29image1522992976

Our company seeks to improve performance by increasing inventory turnover ratio to twelve times per year, recognizing that lower inventory levels may result in more backorder items for customers.

Operating unit financial management identifies and assesses risk to recording revenue on equipment sales in accordance

Operating unit management Operating unit assesses suitability of operations management identifies

Management assesses and affirms that US GAAP is suitable in the circumstances. If not, management provides feedback to the objective-setting process.

Management identifies and assesses risk to preparing reliable financial statements reflecting activities in accordance with US GAAP.

Operating unit financial management assesses and affirms suitability of applicable accounting standards relating to all equipment sales. If not, operating unit financial management provides feedback to the objective-setting process. with US GAAP.

objectives relating to inventory turnover and customer back- order goals. If not, operating unit financial management provides feedback to the objective-setting process.

and assesses risk to the achievement of an inventory turnover ratio of twelve times per year.

page29image1523130224 page29image1523130512 page29image1523130800

Footnotes (Internal Control and the Management Process):

fn 5 "Risk appetite" is defined as the amount of risk, on a broad level, an entity is willing to accept in pursuit of its mission/vision.

3. Effective Internal Control Requirements for Effective Internal Control

An effective system of internal control provides reasonable assurance of achievement of an entity's objectives. Because internal control is relevant both to the entity and its subunits, an effective system of internal control may relate to a specific part of the organizational structure. An effective system of internal control reduces, to an acceptable level, the risk of not achieving an objective relating to one, two, or all three categories. It requires that:

·  Each of the five components of internal control and relevant principles is present and functioning fn 6

·  The five components are operating together in an integrated manner

In determining whether a system of internal control is effective, management exercises judgment in assessing whether each of the components and relevant principles is present and functioning and components are operating together.

When internal control is determined to be effective, senior management and the board of directors have reasonable assurance of the following categories of objectives:

Operations—the organization:

o achieves effective and efficient operations when external events are considered unlikely to have a significant impact on the achievement of objectives or when the organization can reasonably predict the nature and timing of external events and mitigate the impact to an acceptable level

o understands the extent to which operations are managed effectively and efficiently when external events may have a significant impact on the achievement of objectives and the impact cannot be mitigated to an acceptable level

·  Reporting—the organization prepares reports in conformity with applicable laws, rules, regulations, and standards established by legislators, regulators, and standard setters, or with the entity's specified objectives and related policies

·  Compliance—the organization complies with applicable laws, rules, and regulations The Framework sets forth that components and relevant principles are requisite to an effective system of

internal control. It does not prescribe the process for how management assesses its effectiveness.

Footnotes (Requirements for Effective Internal Control): fn 6 Chapter 4, Additional Considerations, introduces points of focus as important characteristics of principles.

The Framework does not require that management assess separately whether points of focus are in place.

Suitability and Relevance of Components and Principles

The Framework views all components of internal control as suitable and relevant to all entities.

Principles are fundamental concepts associated with components. As such, the Framework views the seventeen principles as suitable to all entities. The Framework presumes that principles are relevant because they have a

page30image1522345504 page30image1522346288

significant bearing on the presence and functioning of an associated component. Accordingly, if a relevant principle is not present and functioning, the associated component cannot be present and functioning.

There may be a rare industry, operating, or regulatory situation in which management has determined that a principle is not relevant to a component. Considerations in applying this judgment may include the entity structure recognizing any legal, regulatory, industry, or contractual requirements for governance of the entity, and the level of use and dependence on technology used by the entity. Management must support its determination that a principle is not relevant with the rationale of how, in the absence of that principle, the associated component can be present and functioning.

Present and Functioning

The phrase "present and functioning" applies to components and principles.

·  "Present" refers to the determination that components and relevant principles exist in the design and implementation of the system of internal control to achieve specified objectives.

·  "Functioning" refers to the determination that components and relevant principles continue to exist in the conduct of the system of internal control to achieve specified objectives.

In determining whether a component is present and functioning, senior management, with board of director oversight, needs to determine to what extent relevant principles are present and functioning. However, a principle being present and functioning does not imply that the organization strives for the highest level of performance in applying that particular principle. Rather, management exercises judgment in balancing the cost and benefit of designing, implementing, and conducting internal control.

Operating Together

The Framework requires that all components operate together in an integrated manner. "Operating together" refers to the determination that all five components collectively reduce, to an acceptable level, the risk of not achieving an objective.

Components are interdependent with a multitude of interrelationships and linkages among them, particularly the manner in which principles interact within and across components. Components that are present and functioning capture the inherent interdependencies and linkages among them. Examples of components operating together include the following:

·  The organization establishes expected standards of conduct and sets performance measures and incentives within the Control Environment to reduce the potential for fraudulent behavior and may impact the assessed level of fraud risk evaluated within Risk Assessment.

·  The development and deployment of policies and procedures as part of Control Activities contributes to the mitigation of risks identified and analyzed within Risk Assessment.

·  The processing of relevant, quality information within Information and Communication supports deployment of business process and transaction controls within Control Activities and performance of ongoing and separate evaluations of such controls within Monitoring Activities.

·  The communication of internal control deficiencies to those responsible for taking corrective actions as part of Monitoring Activities requires a full understanding of the entity's structures, reporting lines, authorities and responsibilities as set forth in the Control Environment and as communicated within Information and Communication.

Accordingly, management can demonstrate that components operate together when:

·  Components are present and functioning

·  Internal control deficiencies aggregated across components do not result in the determination that one or

more major deficiencies exist

Deficiencies in Internal Control

There are many potential sources for identifying internal control deficiencies, including the entity's monitoring activities, other components, and external parties that provide input relative to the presence and functioning of components and relevant principles.

The term "internal control deficiency" refers to a shortcoming in a component or components and relevant principle(s) that reduces the likelihood of an entity achieving its objectives. An internal control deficiency or combination of deficiencies that severely reduces the likelihood that the entity can achieve its objectives is referred to as a "major deficiency." As illustrated below, a major deficiency is a subset of internal control deficiencies. As such, a major deficiency is by definition also an internal control deficiency.

When a major deficiency exists, the organization cannot conclude that it has met the requirements for an effective system of internal control. A major deficiency exists in the system of internal control when management determines that a component and one or more relevant principles are not present or functioning or that components are not operating together.

A major deficiency in one component cannot be mitigated to an acceptable level by the presence and functioning of another component. Similarly, a major deficiency in a relevant principle cannot be mitigated to an acceptable level by the presence and functioning of other principles.

In determining whether components and relevant principles are present and functioning, management can consider controls to effect principles. fn 7 For instance, in assessing whether the principle Assesses Fraud Risk may not be present and functioning, the organization can consider controls to effect other principles, such as those relating to Establishes Structure, Authority, and Responsibility and Enforces Accountability. By considering controls initially considered in the context of other principles, management may be able to determine that the principle Assesses Fraud Risk is present and functioning.

Management exercises judgment to assess the severity of an internal control deficiency, or combination of deficiencies, in determining whether components and relevant principles are present and functioning, and components are operating together, and ultimately in determining the effectiveness of the entity's system of internal control. Further, these judgments may vary depending on the category of objectives.

Regulators, standard-setting bodies, and other relevant third parties may establish criteria for defining the severity of, evaluating, and reporting internal control deficiencies. The Framework recognizes and accommodates their authority and responsibility as established through laws, rules, regulations, and external standards.

page32image1523572032

In those instances where an entity is applying a law, rule, regulation, or external standard, management should use only the relevant criteria contained in those documents to classify the severity of internal control deficiencies, rather than relying on the classifications set forth in the Framework. The Framework recognizes that any internal control deficiency that results in a system of internal control not being effective pursuant to such criteria would also preclude management from concluding that the entity has met the requirements for effective internal control in accordance with the Framework (e.g., a major non-conformity relating to operations or compliance objectives, or a material weakness relating to compliance or external reporting objectives).

For internal reporting and operations objectives, senior management, with board of director oversight, may establish objective criteria for evaluating internal control deficiencies and for how deficiencies should be reported to those responsible for achieving these objectives.

Footnotes (Deficiencies in Internal Control):

fn 7 The role of controls and how they effect principles is further described in Chapter 4, Additional Considerations

Other Considerations

Although the organization may rely on an outsourced service provider to conduct business processes, policies, and procedures on behalf of the entity, management retains ultimate responsibility for meeting the requirements for an effective system of internal control.

Management's assessment of the effectiveness of internal control occurs within the entity's system of internal control. Other parties interacting with the entity, such as external auditors and regulators, are not part of the entity's system of internal control and thus cannot be part of management's process for assessing effective internal control.