Internal Control — Integrated Framework (Draft Sep 2012)


  • 7/29/2019 Internal Control Integrated Framework (Draft Sep 2012)

    1/166

Committee of Sponsoring Organizations of the Treadway Commission

Internal Control — Integrated Framework

To submit comments on this Public Exposure Draft, please visit the www.ic.coso.org website. Responses are due by November 16, 2012.

Respondents will be asked to respond to a series of questions. Those questions may be found on-line at www.ic.coso.org and in a separate document provided at the time of download. Respondents may upload letters through this site. Please do not send responses by fax.

Written comments on this exposure draft will become part of the public record and will be available on-line March 31, 2013.

    September 2012

    Internal Control over External Financial Reporting:

A Compendium of Approaches and Examples


2012 All Rights Reserved. No part of this publication may be reproduced, redistributed, transmitted or displayed in any form or by any means without written permission. For information regarding licensing and reprint permissions please contact the American Institute of Certified Public Accountants, licensing and permissions agent for COSO copyrighted materials. Direct all inquiries to copyright@aicpa.org or to AICPA, Attn: Manager, Rights and Permissions, 220 Leigh Farm Rd., Durham, NC 27707. Telephone inquiries may be directed to 888-777-7707.



Committee of Sponsoring Organizations of the Treadway Commission

Board Members and Representatives

COSO Chair: David L. Landsittel
American Accounting Association: Mark S. Beasley, Douglas F. Prawitt
The Institute of Internal Auditors: Richard F. Chambers
American Institute of Certified Public Accountants: Charles E. Landes
Financial Executives International: Marie N. Hollein
Institute of Management Accountants: Sandra Richtermeyer, Jeffrey C. Thomson

Author: PwC

Principal Contributors

Miles E.A. Everson, Engagement Leader, New York, USA
Stephen E. Soske, Project Lead Partner, Boston, USA
J. Aaron Garcia, Project Lead Director, San Diego, USA
Cara M. Beston, Partner, San Jose, USA
Charles E. Harris, Partner, Florham Park, USA
Eric M. Bloesch, Managing Director, Philadelphia, USA
James M. Downs, Director, San Francisco, USA (through January 2012)
Frank J. Martens, Director, Vancouver, Canada
Jay A. Posklensky, Director, Florham Park, USA
Charles J. Finn, Senior Manager, Detroit, USA
Natalie Protze, Senior Manager, Washington D.C., USA (July 2011 to March 2012)


Advisory Council

Sponsoring Organizations Representatives

Audrey A. Gramling, Bellarmine University, Fr. Raymond J. Treece Endowed Chair
Steven E. Jameson, Community Trust Bank, Executive Vice President and Chief Internal Audit & Risk Officer
J. Stephen McNally, Campbell Soup Company, Finance Director/Controller
Ray Purcell, Pfizer, Director of Financial Controls
Bill Schneider, AT&T, Director of Accounting

Members at Large

Jennifer Burns, Deloitte, Partner
Jim DeLoach, Protiviti, Managing Director
Trent Gazzaway, Grant Thornton, Partner
Cees Klumper, The Global Fund to Fight AIDS, Tuberculosis and Malaria, Chief Risk Officer
Thomas Montminy, PwC, Partner
Al Paulus, E&Y, Partner
Thomas Ray, KPMG, Partner
Dr. Larry E. Rittenberg, University of Wisconsin, Emeritus Professor of Accounting; Chair Emeritus, COSO
Ken Vander Wal, ISACA, President

Regulatory Observers and Other Observers

James Dalkin, Government Accountability Office, Director in the Financial Management and Assurance Team
Harrison E. Greene, Jr., Federal Deposit Insurance Corporation, Assistant Chief Accountant
Christian Peo, Securities and Exchange Commission, Professional Accounting Fellow (through June 2012)
Amy Steele, Securities and Exchange Commission, Associate Chief Accountant (commencing July 2012)
Vincent Tophoff, International Federation of Accountants, Senior Technical Manager
Keith Wilson, Public Company Accounting Oversight Board, Deputy Chief Auditor


    Additional PwC Contributors

    Mark Cohen Partner San Francisco, USA

    Andrew Dahle Partner Chicago, USA

    Junya Hakoda Partner (Retired) Tokyo, Japan

    Brian Kinman Partner St. Louis, USA

    Pat McNamee Partner Florham Park, USA

    Jonathan Mullins Partner (Retired) Dallas, USA

    Alexander Young Partner Toronto, Canada

    Antoine Elachkar Managing Director Washington D.C., USA

    Gary Moss Managing Director Milwaukee, USA

    Catherine Jourdan Director Paris, France

    Frank Maggio Director Chicago, USA

    Christopher Michaelson Director Minneapolis, USA

    Sallie Jo Perraglia Manager New York, USA

    Tracy Walker Director Bangkok, Thailand

    Qiao Pan Senior Associate New York, USA


Preface

This project was commissioned by COSO, which is dedicated to providing thought leadership through the development of comprehensive frameworks and guidance on internal control, enterprise risk management, and fraud deterrence designed to improve organizational performance and oversight and to reduce the extent of fraud in organizations.

COSO is a private sector initiative, jointly sponsored and funded by:

American Accounting Association (AAA)
American Institute of Certified Public Accountants (AICPA)
Financial Executives International (FEI)
Institute of Management Accountants (IMA)
The Institute of Internal Auditors (IIA)


Table of Contents

Foreword ..... i
1. Introduction ..... 1
2. Control Environment ..... 11
3. Risk Assessment ..... 45
4. Control Activities ..... 73
5. Information and Communication ..... 103
6. Monitoring Activities ..... 131
Appendix
Examples by Topic ..... 148

    Internal Control Integrated Framework September 2012


Foreword

In 2013, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) released an update to its Internal Control — Integrated Framework (Framework). The original framework, which was released in 1992, has gained broad acceptance and is widely used around the world. It is recognized as a leading framework for designing, implementing, and conducting internal control and for establishing requirements for an effective system of internal control. To help users apply the Framework to internal control over external financial reporting, COSO has released this companion publication, Internal Control over External Financial Reporting: A Compendium of Approaches and Examples (Compendium).

The Framework retains the core definition of internal control and the five components of internal control. At the same time, the Framework includes enhancements and clarifications that are intended to ease use and application. One of the more significant enhancements is the formalization of fundamental concepts introduced in the original framework as principles. These principles associated with the five components provide clarity for users in designing and implementing systems of internal control. In turn, this Compendium provides approaches and examples to illustrate how entities may apply the principles set out in the Framework to a system of internal control over external financial reporting.

In the twenty years since the release of the original framework, business and operating environments have changed dramatically, becoming increasingly complex, technologically driven, and global. At the same time, stakeholders have become more engaged, seeking greater transparency and accountability for the integrity of systems of internal control that support business decisions and governance of the organization. The Framework and the Compendium incorporate many of these changes, including:

Expectations for Governance Oversight: Higher regulatory and stakeholder expectations require the board of directors to oversee internal control over external financial reporting. Some jurisdictions impose specific regulatory requirements for expertise and independence of board members of certain types of entities.

Globalization of Markets and Operations: Organizations expand beyond domestic markets in the pursuit of value, often entering into international markets and executing cross-border mergers and acquisitions.

Changes and Greater Complexity in the Business: Organizations change business models and enter into complex transactions in pursuit of growth, greater quality, and productivity, and in response to changes in market and regulatory environments. These changes may include entering into strategic alliances, joint ventures, and other complex contractual arrangements with external parties, implementing shared services, and engaging outsourced service providers.


1. Introduction

COSO's Internal Control — Integrated Framework (Framework) sets forth three categories of objectives: operations, reporting, and compliance. The focus of this publication, Internal Control over External Financial Reporting: A Compendium of Approaches and Examples (Compendium), is the external financial reporting category of objectives, a subset of the reporting category. External financial reporting objectives address the preparation of financial reports for external parties, including:

Financial statements for external purposes, and
Other external financial reporting derived from an entity's financial and accounting books and records.

Using this Document

The Compendium has been developed to assist those users of the Framework who are responsible for designing, implementing and conducting a system of internal control over external financial reporting (ICEFR) that supports the preparation of financial statements and other external financial reporting. It is also relevant to entities that report on the effectiveness of internal control over financial reporting relating to financial statements for external purposes. The preparation of financial statements for external purposes and other external financial reporting applies to:

Public Entities: Often, public entities are required by rules and regulations to prepare financial statements for external purposes; additionally, they often prepare other external financial reporting derived from their financial and accounting books and records, such as earnings press releases, or information included in stipulated reports for business partners or lending agencies as required by contractual obligations.

Private Entities: Entities whose ownership may be closely held may prepare financial statements to provide to banks and other third parties in order to raise capital or to meet contractual obligations. These can be in accordance with standards and regulations; however, often there is no requirement for private entities to prepare the financial statements in accordance with specific standards or regulations, and the form of the financial statements or other external financial reporting is stipulated by contractual obligations or a third party.

Not-For-Profit Entities: These entities may prepare financial statements for external purposes in accordance with appropriate rules and regulations; however, since these entities' purpose is other than realizing and generating profit, they may prepare other financial reporting for donors, government agencies, or other third parties in order to raise funds to support the stated cause, not necessarily in accordance with specific standards or regulations.


Governmental Entities: In addition to any financial statements for external purposes that might be required by law, governmental entities may prepare financial reporting, to provide to the public or to other governmental oversight agencies, that is not necessarily required to be prepared in accordance with specific standards or regulations.

In applying the Framework, users will find relevant approaches and examples in the Compendium of how organizations apply various aspects of the principles in the design, implementation and conduct of internal control over external financial reporting objectives. These approaches and examples relate to each of the five components and seventeen principles set forth in the Framework.

Approaches describe how organizations may apply these principles within their system of internal control over external financial reporting. Approaches are designed to give users of the Compendium a summary-level description of activities that management may consider as they apply the Framework in an ICEFR context.

Examples provide specific illustrations to users on the application of each principle, based on situations drawn from practical experiences. Examples may illustrate one or more points of focus of a particular principle. They are not designed to provide a comprehensive, end-to-end example of how the principle may be fully applied in practice.

The Compendium includes an appendix that highlights those examples that relate to the changes in business and operating environments that are noted in the Framework.

Note that this document is not designed to be read from beginning to end. Nor are the approaches and examples linked across the principles; rather, they stand on their own and relate to specific points of focus of the principles. Finally, even though the definitions, components, principles, and points of focus are consistent with those found in the Framework, readers should refer to the Framework for a comprehensive discussion of how entities design, implement, and conduct internal control, and for the requirements of an effective system of internal control.

Specific Considerations of External Financial Reporting

This section considers some unique aspects of applying the Framework in the context of external financial reporting, and especially preparing financial statements for external purposes.

Types of External Financial Reports

External financial reporting objectives are consistent with accounting principles suitable and available for that entity and appropriate in the circumstances. External financial reporting objectives address the preparation of financial reports, including financial statements for external purposes and other external financial reporting derived from an entity's financial and accounting books and records.


Financial Statements for External Purposes

Financial statements for external purposes are prepared in accordance with applicable accounting standards, rules and regulations. These financial statements include annual and interim financial statements, condensed financial statements, and selected financial information derived from such statements. These statements may, for instance, be publicly filed with a regulator, distributed through annual meetings, posted to an entity's website, or distributed through other electronic media.

Another form of financial statements prepared for external purposes may be financial reports prepared in accordance with another comprehensive basis of accounting, such as those established by taxing authorities, regulatory agencies, or through contracts and agreements. These financial reports are typically distributed to specified external users (e.g., reporting to a bank on financial covenants established in a loan agreement, to a taxing authority in connection with filing tax returns, reporting on financial information to an energy regulatory commission).

Other External Financial Reporting

Other external financial reporting derived from an entity's financial and management accounting books and records rather than from financial statements for external purposes may include earnings releases, selected financial information posted to an entity's website, and selected amounts reported in regulatory filings. External financial reporting objectives relating to such other financial information may not be driven directly by standard setters and regulators, but are typically expected by stakeholders to align with such standards and regulations.

Suitable Objectives of Financial Statements for External Purposes

Complies with Applicable Accounting Standards

Regulators and accounting standard-setters establish laws, rules, and standards relating to the preparation of financial statements for external purposes. These financial reporting rules and standards form the basis upon which management specifies suitable objectives for the entity and its subunits.

When specifying suitable external reporting objectives relating to the preparation of financial statements, management considers the accounting standards that are applicable to that entity and its subunits. Management also specifies the accounting principles that are appropriate in the circumstances. For example, management may set an entity-level external financial reporting objective as follows: "Our Company prepares reliable financial statements reflecting activities in accordance with generally accepted accounting principles."

Management specifies suitable sub-objectives for divisions, subsidiaries, operating units, and functions with sufficient clarity to support entity-level objectives. For example, a US company applies accounting principles generally accepted in the United States of America (US GAAP) to all subunits in preparing its consolidated financial statements, and it applies International Financial Reporting Standards (IFRS) to those subunits that submit subsidiary financial statements in statutory filings in non-United States jurisdictions.

Further, management specifies appropriate accounting principles (e.g., US GAAP, IFRS) to apply to transactions and events of the entity. For example, management specifies that FASB Accounting Standards Codification No. 605 Revenue Recognition and SAB 101A Revenue Recognition in Financial Statements (US GAAP) or IAS 18 Revenue Recognition (IFRS) apply to all sales transactions as applicable to the entity's or subunits' respective external financial reporting objective.

Considers Materiality

Financial statement materiality sets the threshold for determining whether a financial amount is relevant. Entities must consider suitable regulations and guidance promulgated by standard-setters and regulators.[1]

Reflects Entity Activities

External financial reporting reflects the entity's transactions and events. In preparing external financial statements, management implicitly or explicitly considers suitable objectives and sub-objectives relating to qualitative characteristics (e.g., reliability, transparency) and assertions (e.g., existence and completeness of transactions). Accounting standard setters may also determine relevant qualitative characteristics and assertions for external financial reporting.

For example, reliability is a frequently used qualitative characteristic associated with external financial reporting objectives. Reliability involves preparing external financial statements that are free of material error and bias. Reliability is also necessary for an entity's external reporting to faithfully represent the transactions or other events it purports to represent.

Management makes assertions regarding the recognition, measurement, presentation, and disclosure of account balances and classes of transactions and events in the entity's financial statements. For example, one grouping of assertions relating to financial statements is summarized as follows:[2]

Existence or Occurrence: Assets, liabilities, and ownership interests exist at a specific date and recorded transactions represent events that actually occurred during a certain period.

Completeness: All transactions and other events and circumstances that occurred during a specific period, and that should have been recognized in that period, have in fact been recorded.

Rights and Obligations: Assets are the rights and liabilities are the obligations of the entity at a given date.

[1] For example, Topic 1M of the Staff Accounting Bulletins of the United States Securities and Exchange Commission provides guidance on assessing materiality.

[2] These financial statement assertions are substantially consistent with those established by the American Institute of Certified Public Accountants and the International Auditing and Assurance Standards Board.


Valuation or Allocation: Asset, liability, revenue, and expense components are recorded at appropriate amounts in conformity with relevant and appropriate accounting principles. Transactions are mathematically correct and appropriately summarized and recorded in the entity's books and records.

Presentation and Disclosure: Items in the statements are properly described, sorted, and classified.

For example, management specifies sub-objectives for sales transactions that apply applicable accounting standards based on the circumstances and that address relevant financial statement assertions and qualitative characteristics, such as:

All sales transactions that occur are recorded on a timely basis.
Sales transactions are recorded at correct amounts in the right accounts.
Sales transactions are accurately and completely summarized in the entity's books and records.
Presentation and disclosures relating to sales are properly described, sorted, and classified.

Judgment

In preparing financial statements, management exercises judgment in complying with external financial reporting requirements. Management considers how identified risks to specified financial reporting objectives and sub-objectives should be managed. Management's alternatives to respond to risk may be limited compared to some other categories of objectives. That is, management is less likely to accept a risk than to reduce the risk. For instance, management may decide to mitigate a risk by outsourcing transaction processing to a third party that is better suited to perform the business process. However, management always retains responsibility for designing, implementing, and conducting its system of internal control even when outsourcing to a third party. For external financial reporting objectives, risk acceptance or avoidance should occur only when identified risks could not, individually or in aggregate, exceed the risk threshold and result in a material misstatement.

Management also exercises judgment in selecting and applying suitable accounting principles, particularly those relating to subjective measurements and complex transactions. For instance, management exercises judgment in making assumptions and using data in developing accounting estimates, in applying accounting principles to complex transactions, and in preparing reliable and transparent presentations and disclosures. Internal control over external financial reporting addresses the potential for bias in exercising judgment that could lead to a material misstatement in external financial reporting.


Overlapping Objectives

Many controls are interrelated and may support multiple objectives. An objective in one category may overlap or support an objective in another. For example, closing the financial reporting period within five workdays may be a goal supporting primarily an operations objective, to support management in reviewing business performance. But it also supports timely reporting and timely filings with regulatory agencies.

The category in which an objective falls can sometimes vary depending on the circumstances. For instance, controls to prevent theft of assets, such as maintaining a fence around inventory, or having a gatekeeper to verify proper authorization of requests for movement of goods, fall under the operations category. These controls may not be relevant to reporting where inventory losses are detected following periodic physical inspection and recording in the financial statements. However, if for reporting purposes management relies solely on perpetual inventory records, as may be the case for interim or internal financial reporting, the physical security controls would then also fall within the reporting category. These physical security controls, along with controls over the perpetual inventory records, are needed to achieve reporting objectives. A clear understanding is needed of the entity's processes and its policies, procedures, and the respective impact on each category of objectives.

Deficiencies in Internal Control

The term "internal control deficiency" refers to a shortcoming in a component or relevant principle of the system of internal control that has the potential to adversely affect the ability of the entity to achieve its objectives. There are many potential sources for identifying internal control deficiencies, including the entity's monitoring activities, assessment of effectiveness in other components of internal control, and external parties that provide input relative to the presence and functioning of a component or relevant principle.

When an organization determines that an internal control deficiency exists, management must assess the severity of that deficiency based on its potential effect on the entity's system of internal control. Assessing the severity of an internal control deficiency or combination of deficiencies requires management to exercise judgment to determine the potential impact on the system of internal control. Regulators, standard-setting bodies, and other relevant third parties establish criteria for evaluating the severity and corresponding classification and reporting of deficiencies relating to external reporting, operations, and compliance objectives. As well, for internal reporting and other operations objectives, management and the board of directors may need to establish objective criteria for evaluating internal control deficiencies and reporting to those responsible for achieving these objectives. The Framework does not prescribe such criteria, but recognizes and accommodates the authority and responsibility of those other parties that interact with the entity to issue such laws, rules, regulations, and standards for conducting assessments and classifications.


    control are in place and unctioning. The nature and extent o the documentation

    may be infuenced by the entitys regulatory requirements. This does not neces-

    sarily mean that all documentation will or should be more ormal, but that su-

    cient evidence that the components o internal control are present and operating

    together is available and suitable to satisy the entitys objectives.

In cases where an external auditor attests to the effectiveness of the overall system of internal control, management will likely be expected to provide the auditor with support for its assertion on the effectiveness of internal control. That support would include evidence that the system of internal control is properly designed and operating effectively. In considering the nature and extent of documentation needed, management should also remember that the documentation to support the assertion will likely be used by the external auditor as part of his or her audit evidence. Management may also document significant judgments, how such decisions were considered, and the final decisions reached.

Approaches and Examples for Applying Principles

The Compendium illustrates through approaches and examples how the principles apply to external financial reporting objectives. Each chapter focuses on one of the five components of internal control and contains:

- A summary of the component that is consistent with the Framework
- A listing of principles associated with that component
- A listing of relevant approaches for applying principles in an external financial reporting context

For each principle, there is a listing of approaches that illustrate how organizations apply the principles in designing, implementing or conducting certain aspects of internal control over external financial reporting. The approaches apply to any size or type of entity, and, for consistency and illustrative purposes, incorporate the points of focus contained in the Framework. This structure is intended to assist users in understanding the linkage of each point of focus to its associated principle. Various organizations apply these approaches differently depending on the entity's circumstances, and the application by a particular entity is likely to evolve as circumstances change over time. The approaches included are not intended to be a comprehensive listing. Users should recognize that points of focus not listed in the Framework may also be suitable and relevant in the user's judgement depending upon the entity's particular circumstances.

For each approach, one or more examples are provided to illustrate how an important aspect of the approach has been put in place by entities that prepare financial statements for external purposes. The examples are based on experiences of entities, and some details may have been modified for the purposes of this publication (e.g., entity and personal names are fictional and not attributable to any specific entity). The examples are not intended to be construed as best practices or suggested solutions for users of the Framework. Further, the examples are not necessarily sufficient to demonstrate that a particular principle is present and functioning as defined in the Framework.


    Introduction

These approaches and examples are likely to be relevant to many types of entities (including public, private, not-for-profit, and governmental entities) that aim to prepare financial statements for external purposes and other forms of external financial reporting. Where an example is not applicable to all types of entities, this is noted. Finally, even though the approaches and examples primarily relate to the preparation of financial statements for external purposes, any entity seeking to design, implement and conduct a system of internal control to achieve other external financial reporting objectives may also benefit from them.


Principles and Approaches

1. The organization demonstrates a commitment to integrity and ethical values.
   Approaches:
   - Establishing Standards of Conduct
   - Leading by Example on Matters of Integrity and Ethics
   - Evaluating Management and Other Personnel, Outsourced Service Providers, and Business Partners for Adherence to Standards of Conduct
   - Reporting and Taking Prompt Action on Deviations from Standards of Conduct

2. The board of directors demonstrates independence from management and exercises oversight for the development and performance of internal control.
   Approaches:
   - Establishing the Roles, Responsibilities, and Delegation of Authority of the Board of Directors
   - Establishing Policies and Practices for Meetings between the Board of Directors and Management
   - Identifying and Reviewing Board of Director Candidates
   - Reviewing Management's Assertions and Judgments
   - Obtaining an External View
   - Considering Whistle-Blower Information about Financial Statement Errors and Irregularities

3. Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives.
   Approaches:
   - Defining Roles and Reporting Lines and Assessing Them for Relevance
   - Defining Authority at Different Levels of Management
   - Maintaining Job Descriptions and Service-Level Agreements
   - Defining the Role of Internal Auditors


These documents emphasize that every individual is responsible for maintaining an ethical environment and reporting any ethical breaches. Service-level agreements and contracts with external parties include the relevant language to specify the company's expected standards of conduct and serve as a basis for evaluating adherence. The code also specifically sets the expectation of reporting and resolving issues by providing clear information on how to ask a policy question or report a violation through an independent third party.

Approach: Leading by Example on Matters of Integrity and Ethics

The CEO and key members of management articulate and demonstrate the importance of integrity and ethical values across the organization. The various forms and mechanisms used to do this may include:

- Communications from senior management that support the expected standards of conduct and that stay consistent as they permeate throughout the organization
- Day-to-day actions and decision making at all levels of the organization that are consistent with the expected standards of conduct
- Interactions with suppliers, customers, and other external parties that reflect fair and honest dealings
- Performance appraisals and incentives that reinforce expected standards of behavior consistent with the entity's objectives at all levels of the organization
- Timely inquiries and investigations into any alleged conduct that is inconsistent with the entity's standards of conduct
- Corrective action when deviations from expected standards of conduct occur

While this approach can be synonymous with that of establishing standards of conduct when both operate effectively, history has shown instances where organizations define and communicate honorable standards of conduct, yet senior management does not internalize or exhibit these standards in its conduct, and therefore sets a different tone than what is expected.

Example: Using a Company Newsletter to Reinforce Expectations of Integrity and Ethics

Space Inc., a supplier to the aerospace industry, uses its monthly newsletter to employees, outsourced service providers, business partners, and other external parties to emphasize the importance of exercising sound integrity and ethical values. Each edition of the newsletter contains a section related to ethical decision making and consequences of violations of the code. The newsletter draws attention to the multitude of resources available to discuss and resolve ethical issues; it also reports what actions are taken by senior management when the code is violated at any level of the organization. The newsletter illustrates the open dialogue and resolution of issues that is actively promoted by senior management.

Examples of ethical dilemmas are provided, along with suggested resolutions. The newsletter points out that reports of violations originate from a variety of sources,

including employees, managers, the company's anonymous hotline, and external parties. Responses range from no action (in cases where the violation is shown not to have occurred) to various levels of discipline, including dismissal.

Finally, the newsletter reminds all Space Inc. employees, from senior management to all levels of employees, that as part of their annual performance review they must certify that they have read the company's mission statement and code of conduct and that they comply with policies at all times.

Approach: Evaluating Management and Other Personnel, Outsourced Service Providers, and Business Partners for Adherence to Standards of Conduct

The board of directors and senior management evaluate adherence to the company's standards of conduct. This is accomplished in a variety of ways, which may include:

- Assessing results from training and ethics certification processes
- Considering anomalies in key performance indicators and internal analytical reviews of operational and financial information that could be a potential indicator of fraudulent financial reporting or other misconduct
- Considering the results from ongoing and separate evaluations of internal control, which include evaluations of internal control at outsourced service providers and business partners who provide information necessary to produce external financial reporting
- Analyzing issues and trends from hotlines and help lines made available within the organization that could indicate potential fraud occurrences and other ethical concerns
- Requesting feedback from meetings held with outsourced service providers and business partners when obtaining financial information or information that impacts the entity's internal control over external financial reporting

Example: Conducting Ethics Audits

The not-for-profit organization Partners for Development conducts scheduled audits to determine whether employees are receiving and understanding the board-approved standards of conduct when they are first hired and as part of communications, training, and annual review processes. The audits also include non-employees and consultants from their IT service provider. The standards consist of three documents: the code of ethics and standards of personal conduct, the compliance policy statement, and the expected standards of conduct.

Partners for Development's purpose in conducting these audits is to determine if there are any instances of non-compliance and to use those findings to assess and correct any deficiencies in the organization's new-hire orientation, communications, training, and employee review processes. Upholding the organization's standards of conduct is a fundamental requirement for continued funding from its government sponsors.


Exercises Oversight Responsibility

Principle 2. The board of directors demonstrates independence from management and exercises oversight for the development and performance of internal control.

Points of Focus

The following points of focus may assist management in determining whether this principle is present and functioning.

- Establishes Oversight Responsibilities: The board of directors identifies and accepts its oversight responsibilities in relation to established requirements and expectations.
- Applies Relevant Expertise: The board of directors defines, maintains, and periodically evaluates the skills and expertise needed among its members to enable them to ask probing questions of senior management and take commensurate actions.
- Operates Independently: The board of directors has sufficient members who are independent from management and objective in evaluations and decision-making.
- Provides Oversight for the System of Internal Control: The board of directors retains oversight responsibility for management's development and performance of internal control:
  - Control Environment: Establishing integrity and ethical values, oversight structures, authority and responsibility, expectations of competence, and accountability to the board
  - Risk Assessment: Overseeing management's assessment of risks to the achievement of objectives, including the potential impact of significant changes, fraud, and management override of internal control
  - Control Activities: Providing oversight to senior management in the development and performance of control activities
  - Information and Communication: Analyzing and discussing information relating to the entity's achievement of objectives
  - Monitoring Activities: Assessing and overseeing the nature and scope of monitoring activities and management's evaluation and remediation of deficiencies


    Control Environment | Exercises Oversight Responsibility

Approaches and Examples to Applying the Principle

Approach: Establishing the Roles, Responsibilities, and Delegation of Authority of the Board of Directors [5]

The roles, responsibilities, and powers of delegation of the board of directors are defined in its corporate bylaws and committee charters in accordance with applicable regulatory and listing requirements. For external financial reporting purposes, the board typically forms an audit committee whose responsibilities include overseeing:

- The effectiveness of internal control over external financial reporting, including the assessment of risks, significant deficiencies, and material weaknesses (if any)
- Management's assessment of any significant matters, considering the potential impact on financial reporting and need for corrective action
- The quality of financial reporting and disclosures
- The hiring of and payment to the external auditor

Audit committee members typically demonstrate independence of thought and substance by absence of any material financial or other personal ties to the company, which could impede their ability to provide unbiased guidance and oversight.

The responsibilities of the board and audit committee are to oversee management's performance of internal control. The board must therefore retain objectivity in relation to management.

Example: Reviewing and Documenting Key Activities of the Audit Committee

Every year, the board of directors of Northern Power, a distributor of electricity, commissions an effectiveness evaluation of its audit committee relative to its charter. The charter sets out the responsibilities and key activities of the committee. Under the charter, the committee solicits from management and independent reviewers as necessary the information required to:

- Oversee the quality and reliability of financial reporting and disclosures
- Understand the key risks facing the organization and the processes management uses to identify, assess, and manage risks, considering internal audit findings, litigation, compensation schemes, regulation, and compliance
- Evaluate organizational behavior, culture, and adherence to standards of conduct
- Understand how management and the external auditor evaluate materiality for financial reporting purposes
- Assess reasonableness and appropriateness of critical accounting policies of the company
- Confirm or reject the basis for management estimates and proposed accounting policy changes before approving
- Evaluate, retain, or change external auditors
- Review audit plans
- Review management's assessment of internal control over external financial reporting

[5] In practice, many of the activities of the board of directors included here would be carried out by one of its committees, such as the audit committee.

The results of the evaluation are used to determine whether the roles and responsibilities of the committee have been met and could result in committee member changes or impact remuneration. In addition to the annual review, every three years the company conducts a benchmark review against leading practices and refines its charter, as appropriate.

Approach: Establishing Policies and Practices for Meetings between the Board of Directors and Management

The board of directors reviews and approves policies and practices that support the performance of internal control across the business in regular meetings between management and the board. The processes and structures particularly relevant to the audit committee of the board are those that provide:

- Appropriate forums to enable board members to ask probing questions of management
- A calendar that establishes the timing and frequency of meetings with management
- Expected practices to keep board members current on both emerging and adopted accounting standards and their impact on the entity's financial statements
- Procedures to review management's development and performance of internal control over external financial reporting
- Authority to engage experts as needed and oversight to ensure that management appropriately resolves matters raised by the board
- Criteria and procedures for calling special and/or urgent meetings as necessary
- Allocation of time in board meetings for discussions with external advisors, internal and external auditors, and legal counsel without management being present

The policies and practices are updated as needed to reflect changes in internal and external expectations, including rules and regulations.

Example: Establishing an Audit Committee Meeting Calendar

The audit committee of Outer Limits Innovations, an aerospace control systems supplier, uses its charter as guidance when setting its meeting dates and agendas. Fred Krahn, the chair of the committee, plans for at least one meeting during the year at which each responsibility set forth in the charter is discussed. This practice helps the audit committee cover all relevant responsibilities, and helps management anticipate and plan for the committee's expectations. The meeting calendar, which is shown below, is periodically reassessed to adjust for emerging regulatory and technical matters that could affect the company or the industry.

Meeting calendar. In the original table each item carries a Frequency code and the Planned Meeting Quarter (1 through 4) in which it is scheduled.

Audit Committee Issues
- Report of results of annual independent audit to the board
- Appointment of the external auditor
- Approval of external auditor fees for upcoming year
- Review of annual proxy statement audit committee report
- Assessment of the adequacy of audit committee charter
- Approval of audit committee meeting plan for the upcoming year; confirm mutual expectations with management and the auditor
- Audit committee self-assessment
- Approval of guidelines for engagements of external auditors for other services (pre-approval policy)
- Approval of any non-audit services provided by outside auditors
- Report of external auditor pre-approval status/limits
- Review of procedures for handling financial reporting errors or irregularities
- Oversees fraud risk assessment process
- Approval of minutes of previous meeting
- Report quarterly matters to the board (chair)
- Schedule executive session of committee members
- Other matters

Financial Management
- Annual Report, 10-K, and Proxy Statement Matters
- Quarterly report earnings review with management and external auditor; pre-approval of external auditor professional activities
- Assessment of system of internal control
- Status of significant accounting estimates, judgments and special issues (e.g. major transactions, accounting changes, SEC issues, etc.)
- Other matters (adequacy of staffing, succession planning, etc.)

Frequency codes: A = Annually; E = Each Meeting or Conference Call; AN = As Necessary


Example: Preparing Effectively for Meetings

The audit committee of Millennium Lighting, a manufacturer of lighting and ventilation equipment, is chaired by Janis White, a CPA with financial reporting expertise and previous public accounting experience. Ms. White regularly distributes to the committee members any updates from management on technical matters.

Before each committee meeting, she circulates the draft agenda both to the committee members and the external auditors to solicit their input on any additional technical accounting agenda items they would like to discuss. Ms. White is committed to keeping open channels of communication with the external audit engagement partner and the company's chief audit executive to ensure she receives timely updates on any discussions occurring with management as technical matters emerge. Internal audit, litigation, and corporate social responsibility are a few of the areas that are regularly solicited for input by the board or audit committee.

Approach: Identifying and Reviewing Board of Director Candidates

The board of directors periodically assesses and confirms its collective ability to provide effective oversight. Through independent review and self-assessment it determines the adequacy of its composition, whether it has sufficient independent members, and the appropriate expertise.

To meet the entity's external financial reporting objectives, the board of directors identifies certain board candidates who are independent of both management and the entity and who have requisite financial reporting and other relevant expertise. These members are typically assigned to the audit committee. [6] Such expertise may be established through professional networks and organizations and by educational institutions whose missions are aligned to the advancement of the financial reporting profession.

The board reviews the results of due diligence performed on potential board candidates and confirms their competence and ability to remain unbiased. The procedures to ensure that potential board members meet the defined criteria may include:

- Evaluating the key risks facing the organization and accordingly defining board member profile requirements
- Performing background checks and obtaining independent references
- Reviewing current affiliations and directorships to ensure independence relative to management and the entity
- Considering skills and expertise, ranging from financial to regulatory and various technical knowledge needed to understand the issues that could affect the company's external financial reporting
- Validating that any credentials and certifications held demonstrate an achieved competence level
- Reviewing information about financial and other relationships with the company, its external auditors, or management
- Using an independent nominating committee or search firm to oversee due diligence procedures
- Evaluating periodically the due diligence procedures used for identifying potential directors, including checking that an individual director's certifications are complete, up-to-date, and comply with the entity's ethics guidelines and independence rules

[6] Standard setters, regulators, or listing agencies may have specific requirements regarding director independence, qualifications, and the makeup of the audit committee.

Example: Changing the Board Composition of a Closely Held Company

Giante Ore is a mining exploration company whose shares are traded on an over-the-counter bulletin board. Giante Ore has long maintained a board of directors that includes three of the CEO's family members and three outside, but not independent, directors: the company's outside legal counsel, a venture capitalist, and a personal friend of the CEO.

Giante Ore recognized that it needed to strengthen its control environment and board effectiveness. To that end, it revisited its board structure. The three relatives and one personal friend of the CEO left the board and have been replaced by four independent directors, all of whom are financially literate. One of the four has specific financial expertise. These directors have now been appointed to a newly formed audit committee with its responsibilities set forth in a charter.

Example: Assessing and Disclosing Director Qualifications

When Greene Inc. needs to identify new members for its board, it follows a detailed procedure to ensure the best possible candidates are chosen. The nominating committee works with the human resources department, the legal department, and an independent executive search firm to identify candidates and conduct due diligence in support of the interest of the company in its short- and longer-term objectives. The key skills it has identified are financial literacy, liquidity risk management expertise, business continuity planning, and corporate social responsibility reporting experience that reflects the business performance expectations of the company's stakeholders.

The same team conducts an annual review to ensure that board members continue to have the requisite competence and independence given the entity's stakeholder needs. The senior management of Greene Inc. provides the results of the review in its public filings.


Approach: Reviewing Management's Assertions and Judgments

The board demonstrates an appropriate level of skepticism of management's assertions and judgments that affect financial reporting by asking probing questions. In particular, the audit committee of the board seeks clarification and justification of the company's process for:

- Selecting and implementing accounting policies
- Determining critical accounting estimates
- Making key assumptions used in the application of technical accounting and reporting matters
- Evaluating other risks facing the organization, with the potential impact on financial reporting

Example: Reviewing Financial Statement Estimates

Future Fabrications manufactures specialty polymer products. The audit committee meets regularly with management to review the reasonableness of management's assumptions and judgments used to develop significant estimates. The committee then meets privately with the external auditor to discuss its assessment of management's estimates and the related impact on financial reporting.

This practice is carried out for all assumptions related to key financial statement accounts, disclosures, and relevant assertions. For example, for Future Fabrications' annual goodwill evaluation, management provides relevant information regarding any specialists engaged to assist the company, key judgments and assumptions included in the company's discounted cash flow model, plausible sensitivity scenarios that were considered, and confirmation of the appropriate technical accounting standard applied.

Approach: Meeting with Auditors

The audit committee of the board meets regularly with internal and external auditors, in private when necessary, to review and provide oversight of:

- Key risks facing the organization
- Audit scope and testing plans
- Basis for definition of materiality threshold
- Changes in accounting policies
- Assumptions in models and calculations
- Resources and staffing
- Significant audit findings
- Quality and reliability of financial reporting and disclosures


Example: Interacting with Auditors

Sara Greenburg is the chair of the audit committee of Seaworthy Solutions, a marine construction services provider. She arranges for the committee to meet quarterly with the external auditor to discuss a wide range of issues such as audit scope, testing plans, internal control over external financial reporting, quality of financial reporting, and audit findings and recommendations. She is responsible for coordinating the audit committee's evaluation of the external auditor. She bases her evaluation on a number of considerations, including the firm's reputation, the qualifications of the audit partner and team, knowledge and experience in the company's industry, and the firm's quality control procedures. Ms. Greenburg believes that these interactions, supplemented as needed with interim conversations, effectively position the audit committee chair to monitor the external auditor's performance and make an informed judgment on any need to modify or terminate the relationship.

The audit committee also regularly meets with Seaworthy's chief audit executive to ensure that the same oversight objectives of the internal audit function are attained. The chief audit executive has a direct reporting line to the audit committee to enable an objective mindset and facilitate the escalation of issues.

Author's note: This example was taken from a public company in the US. Standard setters, regulators, or specific listing agencies may have specific requirements regarding composition and operating responsibilities of the audit committee. These may vary based on the situation, and the facts and circumstances of this example influenced the responsibility and the frequency of meetings.

Approach: Considering Whistle-Blower Information about Financial Statement Errors and Irregularities

The audit committee considers information obtained from the company's whistle-blower and anti-fraud programs (or similar processes) to monitor the risks of misstatement in financial reporting. These may include risks of inappropriate acts by staff and management override of controls. The audit committee evaluates management's analysis of significant matters, their potential impact on financial reporting, and the corrective actions being taken.

Example: Assessing the Potential of Management Override

Generation Now is an electricity transmission and distribution company. At least annually, its audit committee discusses in executive session its assessment of the risks of management override of internal control, including motivations, opportunities, and rationalizations for management override and how those activities might be concealed. The committee reviews independent evaluations of the functioning of the company's whistle-blower process and related reports and the fraud hotline, and from time to time it also makes inquiries of those managers who are not directly responsible for financial reporting (including personnel in sales, procurement, and human resources, among others). It also collects information whenever any concerns are expressed about ethics or possible management override of internal controls. The process of questioning continues until resolution is reached.



    Control Environment | Establishes Structure, Authority, and Responsibility

    Approaches and Examples to Applying the Principle

Approach: Defining Roles and Reporting Lines and Assessing Them for Relevance

Senior management prepares organizational charts to document, communicate, and enforce accountability for the achievement of the entity's financial reporting objectives. The organizational charts can be used to:

• Set forth assignments of authority and responsibility
• Ensure duties are appropriately segregated
• Establish reporting lines and communication channels
• Define the various reporting dimensions relevant to the organization
• Identify dependencies for roles and responsibilities involved in financial reporting as well as those accountable for external parties

Each unit or department within the entity that is relevant to external financial reporting aligns its roles and responsibilities to processes supporting the financial reporting objectives. Senior management and the board of directors verify that accountability and information flow within each of the various organizational structures (by business segment, geographical location, legal entity, or other) continually support the achievement of the entity's existing financial reporting objectives. Existing structures are periodically assessed for relevance, considering changes in the entity or the environment in which it operates, to ensure such alignment.

Example: Reorganizing to Support Control Structure

Before Harmony Homes Real Estate became a public company, a wide range of employees reported to the owner and CEO, Milton Chang, and the business structures in the US and in Asia were loosely connected. During the plans to go public, Mr. Chang, with the board's guidance, took steps to strengthen the organizational structure to better support both operations and financial reporting objectives. Management created three departments to oversee its core business activities: sales and customer service, purchasing/inventory, and production. Geographic governance structures were also established to oversee operations by jurisdiction and facilitate reporting to local regulators and other stakeholders. The managers charged with leading each of these departments and territories, as well as the managers of key staff functions, documented each person's responsibility in the processes. Job descriptions, including internal control responsibilities, were developed to support full understanding of each person's role.

The clarity of roles helps to ensure responsibilities are carried out in support of the organization's objectives. The defined roles also provide the basis for risk assessment, control activities, information and communication, and monitoring activities along different dimensions simultaneously.

Points of focus: Considers All Structures of the Entity; Establishes Reporting Lines; Defines, Assigns, and Limits Authorities and Responsibilities.


This intensive training has provided senior management of Orex with the confidence that their CFO and controller now have sufficient knowledge to make informed decisions on the proper application of the standard. Documentation of the training attended has been tracked and included in Ms. Shreve's and Mr. Tellemann's employee files.

Approach: Selecting Appropriate Outsourced Service Providers

Management identifies the required skills and experience necessary to support the entity's external financial reporting objectives. It then decides whether to internally retain people with these skills and experience or to outsource to a third party. The suitability of a third party is determined not only by assessing skills and experience, but also by considering the entity's policies on using vendors and on ethical standards. The contractual arrangement with the outsourced service provider captures these competence requirements and provides the basis for the entity to periodically assess the outsourced service provider's continued commitment to competence.

Example: Retaining External Tax Assistance

Compu Services, a developer of analytical software products, currently has limited tax accounting expertise among its staff. The finance director therefore sought to contract with a third-party accounting firm, SMR Ledger, LLP, to review its tax provisions. SMR Ledger is a different accounting firm from the Compu Services auditor.

For successful selection and use of the vendor's services, management was careful to verify that the vendor met the suitability standards set forth in Compu Services' policies. Being impacted directly by the quality of the control procedures carried out by the vendor, the CFO spends time with the vendor to understand any assumptions used in models or calculations, particularly as they may impact financial reporting. Indeed, while Compu Services management chooses to outsource certain tax activities, it remains responsible for the effectiveness of relevant controls regardless of where they are operated. The company therefore requests annual independent certifications of the vendor's internal control effectiveness.

Approach: Evaluating Competence and Behavior

To maintain and advance the entity's expected competence and behavioral standards, management develops policies and conducts practices that may include:

• Developing incentives and rewards that consider the multiple dimensions of conduct and performance
• Reinforcing expectations of continued demonstration and strengthening of expected levels of competence
• Ensuring individual and team goals in support of the achievement of the entity's objectives are defined, use observable metrics, and are communicated to each employee
• Developing a performance appraisal process that confirms employee knowledge of both their progress against their goals and their status within the organization
• Conducting periodic performance reviews and evaluating employees relative to their assigned roles to confirm that the employees' skills are appropriate for their current job responsibilities
• Making appropriate advancement or termination decisions based on performance reviews
• Changing the performance appraisal process as needed based on lessons learned or changes in strategy and operating objectives
• Continually endorsing behavior that is consistent with competence standards, and discouraging inconsistent behavior

Using the same criteria, the board of directors evaluates the competencies of individuals serving in key financial reporting roles, such as the CEO and CFO.

Points of focus: Establishes Policies and Practices; Evaluates Competence and Addresses Shortcomings; Attracts, Develops, and Retains Individuals; Plans and Prepares for Succession.

Example: Periodically Assessing Performance

City Government periodically reviews the performance of its employees who are responsible for owning, executing, or testing financial reporting controls. Performance is evaluated against expectations that are established at the beginning of each year. The progress achieved on needed improvements is reviewed with employees at the end of each quarter, and a more formal annual review process occurs following the year-end reporting cycle. An employee's career advancement is based on the overall performance rating. Management identifies specific areas for improvement and professional growth, which employees can address with training and development steps, as jointly agreed with the respective manager in the context of City Government's finance function and overall performance objectives.

Example: Audit Committee Review of Managers' Roles

The bylaws of Lead Products Co. specify the responsibility of the audit committee of the board for reviewing the principal roles and responsibilities of key financial reporting senior management. To this end, the chair of the audit committee meets annually with the company's human resources director, chief audit executive, and legal counsel to review the roles, responsibilities, and performance of the various company managers. The review focuses on aligning respective managerial responsibilities with Lead Products' organization chart, and the managers' expertise and experience in carrying out the responsibilities.


Approach: Evaluating Sufficiency and Competency of Finance Personnel

Senior management evaluates the sufficiency and competency of the personnel who are involved in recording and reporting financial information, and in designing and developing financial reporting systems, including underlying IT systems. Senior management assesses the department's ability to identify issues, articulate positions supported by the relevant literature, and stay abreast of technical financial reporting developments. Considerations when assessing the adequacy and competency of financial reporting personnel include overall technical skills, nature and frequency of their training, and the number of personnel dedicated to financial reporting.

Example: Assessing Key Financial Reporting Personnel

The senior management of Tall Tree Finance, an investment bank and institutional securities company, annually assesses the ability of its key financial reporting personnel to understand and manage effectively the company's current business activities, related accounting questions, and IT implementation challenges. The audit committee oversees this assessment.

In particular, the assessment considers how adequately personnel respond to emerging accounting, reporting, and internal control issues. Senior management uses the results of this assessment to make decisions on staff training, reassignments, or other organizational changes.

Example: Aligning Competencies with Key Financial Reporting Positions

The start-up company Wireless Data Communications has seen its revenue double over the last several years, and business transactions and processing have become significantly more complex. Because of these evolving corporate needs due to the rapid growth, it is essential for employee competencies in key financial reporting positions to be aligned with roles and responsibilities.

Consequently, the CEO, CFO, and vice-president of human resources together annually review employee job descriptions and performance assessments. During a recent review, they determined that the company's controller, hired initially to perform basic accounting and bookkeeping functions, no longer had the expertise needed for the associated financial reporting responsibilities. The company has now assigned the controller to a position better suited to his skills, and hired an individual with the requisite competencies as controller.



Senior management subsequently reports to the board what factors were considered in developing the performance measures, incentives, and rewards and how they are expected to drive the desired behavior.

Example: Defining and Communicating the Basis for Reward

Modern Financial Services has implemented a rewards system that requires the achievement of defined performance measures and encourages departments to monitor the effectiveness of their internal control systems and to self-report possible control deficiencies or opportunities for enhancement. This encouragement comes in the form of a policy that gives departments credit in the internal audit grading system for self-reported deficiencies. Any deficiencies that are identified through internal audit procedures, rather than through a department's monitoring efforts, are counted against the score.

The credit does not preclude the internal audit department from reporting specific deficiencies to management or the board when warranted, but it does positively affect the grading system, which can affect departmental compensation and benefits. The result is that Modern Financial Services is more likely to identify control deficiencies before they can become material to the organization.

Approach: Evaluating Performance Measures for Intended Influence

The board of directors and management periodically evaluate the appropriateness of performance measures used to determine whether they have the intended influence on how people respond to pressures, incentives, and rewards. This evaluation may include:

• Reassessing the relevance of performance measures considering industry trends, regulatory changes, or changes in the entity's objectives
• Considering past financial errors, ethical violations, and instances of non-compliance and whether the established measures could have caused excessive pressures to override controls
• Engaging external parties to conduct benchmarking and to interview employees
• Monitoring the changing sources of threats that cause pressure to bypass established controls or take shortcuts
• Considering whether the selection of accounting policies has been unduly influenced by the established performance measures
• Using the assessment to make changes in performance measures and associated hiring, evaluation, and promotion structures

The board of directors oversees the periodic assessment to ensure it has been completed, and may subsequently approve compensation plans. The board also provides oversight to ensure that the performance measures and compensation plans established for senior management are appropriately aligned with the entity's strategic objectives and balanced to promote the desired accountability without causing excessive pressure that could lead to fraudulent financial reporting.

Points of focus: Enforces Accountability through Structures, Authorities, and Responsibilities; Establishes Performance Measures, Incentives, and Rewards; Evaluates Performance Measures, Incentives, and Rewards for Ongoing Relevance; Considers Excessive Pressures; Evaluates Performance and Rewards or Disciplines Individuals.


During the employee performance review and appraisal process, management provides feedback about the extent to which each employee has performed in accordance with the company's core values of sound integrity and ethics.

Example: Providing Recognition for Suggestions Made to Enhance Internal Control

Medic Quest, a private company that researches, develops, produces, and markets medical scanning equipment, encourages its employees to identify and submit suggestions for improving internal control, including internal control over financial reporting. Employees are rewarded in the form of company awards and/or cash bonuses for ideas that are used.


Principles and Approaches

6. The organization specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives.
   Approaches:
   • Identifying Financial Statement Assertions
   • Specifying Financial Reporting Objectives
   • Assessing Materiality
   • Reviewing and Updating Understanding of Applicable Standards
   • Considering the Range of Entity Activities

7. The organization identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed.
   Approaches:
   • Applying a Risk Identification Process
   • Assessing Risks to Significant Financial Statement Accounts
   • Meeting with Entity Personnel
   • Assessing the Likelihood and Significance of Identified Risks
   • Considering Internal and External Factors
   • Evaluating Risk Responses

8. The organization considers the potential for fraud in assessing risks to the achievement of objectives.
   Approaches:
   • Conducting Fraud Risk Assessments
   • Considering Approaches to Circumvent or Override Controls
   • Considering Fraud Risk in the Internal Audit Plan
   • Using Information Technology Tools
   • Reviewing Incentives and Pressures Related to Compensation Programs

9. The organization identifies and assesses changes that could significantly impact the system of internal control.
   Approaches:
   • Assessing Change in the External Environment
   • Conducting Risk Assessments Relating to Significant Change
   • Considering Change through Succession
   • Considering CEO and Senior Executive Changes
