COSO Committee of Sponsoring Organizations of the Treadway Commission
The scenario is equally applicable to all types of entities. However, due to the nature of some of these entities, certain principles, such as Principle 2 (Exercises Oversight Responsibility) may be somewhat different. For example, a private entity may not have an independent board of directors, but it may have an advisory board that exhibits independence from the day-to-day management of the company.
Component Evaluation—Control Environment | ||||
---|---|---|---|---|
Present? (Y/N) | Functioning? (Y/N) | Explanation/Conclusion | ||
1. Demonstrates Commitment to Integrity and Ethical Values—The organization demonstrates a commitment to integrity and ethical values. | Y | Y | The company has a history of integrity and ethical behavior. All employees must annually read and sign a code of conduct. Our policies consistently encourage adherence to a high degree of integrity and ethical behavior. | |
Identification No. | Internal control deficiency description | Evaluate internal control deficiency severity: (Consider whether the controls to effect another principle compensate for the internal control deficiency.) | List internal control deficiencies related to another principle that may impact this internal control deficiency | |
Is internal control deficiency a major deficiency? (Y/N) | Comments/ Compensating Controls | |||
N/A | N/A | N/A | N/A | N/A |
Present? (Y/N) | Functioning? (Y/N) | Explanation/Conclusion | ||
2. Exercises Oversight Responsibility—The board of directors demonstrates independence from management and exercises oversight for the development and performance of internal control. | Y | Y | The board of directors bears no personal or professional relationship with management and provides guidance, direction, and challenge to management regarding internal control processes throughout the company. | |
Identification No. | Internal control deficiency description | Evaluate internal control deficiency severity: (Consider whether the controls to effect another principle compensate for the internal control deficiency.) | List internal control deficiencies related to another principle that may impact this internal control deficiency | |
Is internal control deficiency a major deficiency? (Y/N) | Comments/ Compensating Controls | |||
N/A | N/A | N/A | N/A | N/A |
Present? (Y/N) | Functioning? (Y/N) | Explanation/Conclusion | ||
3. Establishes Structure, Authority, and Responsibility— Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives. | Y | Y | The company has a very clear organizational structure with well-defined roles and responsibilities, including well-staffed operations and quality assurance departments. | |
Identification No. | Internal control deficiency description | Evaluate internal control deficiency severity: (Consider whether the controls to effect another principle compensate for the internal control deficiency.) | List internal control deficiencies related to another principle that may impact this internal control deficiency | |
Is internal control deficiency a major deficiency? (Y/N) | Comments/ Compensating Controls | |||
N/A | N/A | N/A | N/A | N/A |
Present? (Y/N) | Functioning? (Y/N) | Explanation/Conclusion | ||
4. Demonstrates Commitment to Competence—The organization demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives. | Y | Y | ||
Identification No. | Internal control deficiency description | Evaluate internal control deficiency severity: (Consider whether the controls to effect another principle compensate for the internal control deficiency.) | List internal control deficiencies related to another principle that may impact this internal control deficiency | |
Is internal control deficiency a major deficiency? (Y/N) | Comments/ Compensating Controls | |||
CE 4-1 | The organization relies on experienced hires from the industry but does not have an effective formal learning and development program to continually train and potentially improve the skill level of the existing employees. | N | Though there is no formal training program, there is an informal method to develop and upgrade talent through a mentoring process. Because there is normally little change in the business the lack of a formal training program is not considered severe enough to be a major deficiency. | |
Present? (Y/N) | Functioning? (Y/N) | Explanation/Conclusion | ||
5. Enforces Accountability—The organization holds individuals accountable for their internal control responsibilities in the pursuit of objectives. | Y | Y | The vice-president of operations and the head of quality assurance are held accountable for achieving objectives associated with internal controls. | |
Identification No. | Internal control deficiency description | Evaluate internal control deficiency severity: (Consider whether the controls to effect another principle compensate for the internal control deficiency.) | List internal control deficiencies related to another principle that may impact this internal control deficiency | |
Is internal control deficiency a major deficiency? (Y/N) | Comments/ Compensating Controls | |||
N/A | N/A | N/A | N/A | N/A |
Explanation/Conclusion | ||||
Evaluate deficiencies across the component:* Evaluate if any internal control deficiencies or combination of internal control deficiencies, when considered across the component, represent a major deficiency.** | Based on preliminary analysis at the principle level, one internal control deficiency was noted. No major deficiencies were noted or combination of deficiencies to consider. | |||
Evaluate the component using judgment and based on the principles and the deficiencies.** | Yes/No | Explanation/Conclusion | ||
Is the component present? | Yes | While an internal control deficiency (CE 4-1) was identified in Principle 4 (Demonstrates Commitment to Competence) it was not considered a major deficiency and all principles were determined to be present. | ||
Is the component functioning? | Yes | While an internal control deficiency (CE 4-1) was identified in Principle 4 (Demonstrates Commitment to Competence) it was not considered a major deficiency and all principles were determined to be functioning. | ||
* Note: Record deficiencies in Summary of Deficiencies Template. ** If it is determined that there is a major deficiency, then management must conclude that the component is not present and functioning and the system of internal control is not effective. |
Component Evaluation—Risk Assessment | ||||
---|---|---|---|---|
Present? (Y/N) | Functioning? (Y/N) | Explanation/Conclusion | ||
6. Specifies Suitable Objectives—The organization specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives. | Y | Y | Objectives within the organization are clearly defined. Objectives are focused on controlling costs and managing defects and are very specific based on historical performance and organizational goals. | |
Identification No. | Internal control deficiency description | Evaluate internal control deficiency severity: (Consider whether the controls to effect another principle compensate for the internal control deficiency.) | List internal control deficiencies related to another principle that may impact this internal control deficiency | |
Is internal control deficiency a major deficiency? (Y/N) | Comments/ Compensating Controls | |||
N/A | N/A | N/A | N/A | N/A |
Present? (Y/N) | Functioning? (Y/N) | Explanation/Conclusion | ||
7. Identifies and Analyzes Risks—The organization identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed. | Y | Y | Based on the objectives defined during the annual process, risks are identified by the senior team and reviewed by the head of quality assurance. | |
Identification No. | Internal control deficiency description | Is internal control deficiency a major deficiency? (Y/N) | ||
N/A | N/A | N/A | ||
Present? (Y/N) | Functioning? (Y/N) | Explanation/Conclusion | ||
8. Assesses Fraud Risk—The organization considers the potential for fraud in assessing risks to the achievement of objectives. | Y | Y | The organization has policies, procedures, and controls around fraud identification and remediation. | |
Identification No. | Internal control deficiency description | Evaluate internal control deficiency severity: (Consider whether the controls to effect another principle compensate for the internal control deficiency.) | List internal control deficiencies related to another principle that may impact this internal control deficiency | |
Is internal control deficiency a major deficiency? (Y/N) | Comments/ Compensating Controls | |||
N/A | N/A | N/A | N/A | N/A |
Present? (Y/N) | Functioning? (Y/N) | Explanation/Conclusion | ||
9. Identifies and Analyzes Significant Change—The organization identifies and assesses changes that could significantly impact the system of internal control. | Y | Y | As part of the risk assessment process, we have considered changes to the organizational structure, systems environment, and financial environment. | |
Identification No. | Internal control deficiency description | Evaluate internal control deficiency severity: (Consider whether the controls to effect another principle compensate for the internal control deficiency.) | List internal control deficiencies related to another principle that may impact this internal control deficiency | |
Is internal control deficiency a major deficiency? (Y/N) | Comments/ Compensating Controls | |||
RA 9-1 | Some operations personnel do not possess the necessary skills to identify the risks associated with the new technology. | N | Compensating control: Operations personnel are not trained in the new technology, but management annually performs a high-level review of risks, which should catch any major changes in risk. | Linked to internal control deficiency CE 4-1 in Principle 4 (Demonstrates Commitment to Competence) |
Explanation/Conclusion | ||||
Evaluate deficiencies across the component:* Evaluate if any internal control deficiencies or combination of internal control deficiencies, when considered across the component, represent a major deficiency.** | Based on preliminary analysis at the principle level, one internal control deficiency was noted in Principle 9 (RA 9-1). No major deficiencies were noted or combination of deficiencies to consider. | |||
Evaluate the component using judgment and based on the principles and the deficiencies.** | Yes/No | Explanation/Conclusion | ||
Is the component present? | Yes | Despite the internal control deficiency noted in Principle 9 (RA 9-1), we determined that the Risk Assessment component is present. | ||
Is the component functioning? | Yes | Despite the internal control deficiency noted in Principle 9 (RA 9-1), we determined that the Risk Assessment component is functioning. | ||
* Note: Record deficiencies in Summary of Deficiencies Template. ** If it is determined that there is a major deficiency, then management must conclude that the component is not present and functioning and the system of internal control is not effective. |
Component Evaluation—Control Activities | ||||
---|---|---|---|---|
Present? (Y/N) | Functioning? (Y/N) | Explanation/Conclusion | ||
10. Selects and Develops Control Activities—The organization selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels. | Y | Y | The organization has developed control activities that link to the risks identified in the risk assessment process. | |
Identification No. | Internal control deficiency description | Evaluate internal control deficiency severity: (Consider whether the controls to effect another principle compensate for the internal control deficiency.) | List internal control deficiencies related to another principle that may impact this internal control deficiency | |
Is internal control deficiency a major deficiency? (Y/N) | Comments/ Compensating Controls | |||
N/A | N/A | N/A | N/A | N/A |
Present? (Y/N) | Functioning? (Y/N) | Explanation/Conclusion | ||
11. Selects and Develops General Controls over Technology— The organization selects and develops general control activities over technology to support the achievement of objectives. | Y | Y | The organization has controls over technology, including controls around access to systems, change management, and the technology infrastructure. | |
Identification No. | Internal control deficiency description | Evaluate internal control deficiency severity: (Consider whether the controls to effect another principle compensate for the internal control deficiency.) | List internal control deficiencies related to another principle that may impact this internal control deficiency | |
Is internal control deficiency a major deficiency? (Y/N) | Comments/ Compensating Controls | |||
N/A | N/A | N/A | N/A | N/A |
Present? (Y/N) | Functioning? (Y/N) | Explanation/Conclusion | ||
12. Deploys through Policies and Procedures—The organization deploys control activities through policies that establish what is expected and procedures that put the policies into action. | Y | Y | The organization maintains robust policies that clearly outline expectations that support the objectives and principles of their control environment. Also, procedures are in place that support these policies. However, in some cases the staff lacks the competency to properly implement the procedures. | |
Identification No. | Internal control deficiency description | Evaluate internal control deficiency severity: (Consider whether the controls to effect another principle compensate for the internal control deficiency.) | List internal control deficiencies related to another principle that may impact this internal control deficiency | |
Is internal control deficiency a major deficiency? (Y/N) | Comments/ Compensating Controls | |||
CA 12-1 | The policies and related procedures are thorough and robust. However, the staff is not formally trained on the policies and procedures. Production errors have occurred because new hires were not formally trained on the procedures. | N | Most staff have been with the company for a long time and the issues to date have been minor and subsequently corrected. | Linked to internal control deficiency (CE 4-1) noted in Principle 4 (Demonstrates Commitment to Competence). |
Explanation/Conclusion | ||||
Evaluate deficiencies across the component:* Evaluate if any internal control deficiencies or combination of internal control deficiencies, when considered across the component, represent a major deficiency** | Based on preliminary analysis at the principle level, an internal control deficiency was noted in Principle 12. No major deficiencies were noted or combination of deficiencies to consider. | |||
Evaluate the component using judgment and based on the principles and the deficiencies** | Yes/No | Explanation/Conclusion | ||
Is the component present? | Yes | Despite the internal control deficiency noted in Principle 12, we determined that the Control Activities component is present. | ||
Is the component functioning? | Yes | Despite the internal control deficiency noted in Principle 12, we determined that the Control Activities component is functioning. | ||
* Note: Record deficiencies in Summary of Deficiencies Template. ** If it is determined that there is a major deficiency, management must conclude that the component is not present and functioning and the system of internal control is not effective. |
Component Evaluation—Information and Communication | ||||
---|---|---|---|---|
Present? (Y/N) | Functioning? (Y/N) | Explanation/Conclusion | ||
13. Uses Relevant Information—The organization obtains or generates and uses relevant, quality information to support the functioning of internal control. | Y | Y | Information policies are well developed, and relevant, quality information is generated to support all aspects of internal control. | |
Identification No. | Internal control deficiency description | Evaluate internal control deficiency severity: (Consider whether the controls to effect another principle compensate for the internal control deficiency.) | List internal control deficiencies related to another principle that may impact this internal control deficiency | |
Is internal control deficiency a major deficiency? (Y/N) | Comments/ Compensating Controls | |||
N/A | N/A | N/A | N/A | N/A |
Present? (Y/N) | Functioning? (Y/N) | Explanation/Conclusion | ||
14. Communicates Internally—The organization internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control. | Y | Y | Objectives and internal control responsibilities are clearly communicated on a quarterly basis. | |
Identification No. | Internal control deficiency description | Evaluate internal control deficiency severity: (Consider whether the controls to effect another principle compensate for the internal control deficiency.) | List internal control deficiencies related to another principle that may impact this internal control deficiency | |
Is internal control deficiency a major deficiency? (Y/N) | Comments/ Compensating Controls | |||
N/A | N/A | N/A | N/A | N/A |
Present? (Y/N) | Functioning? (Y/N) | Explanation/Conclusion | ||
15. Communicates Externally—The organization communicates with external parties regarding matters affecting the functioning of internal control. | Y | Y | Several external communications are in place, such as our robust customer feedback and supplier partner programs. | |
Identification No. | Internal control deficiency description | Evaluate internal control deficiency severity: (Consider whether the controls to effect another principle compensate for the internal control deficiency.) | List internal control deficiencies related to another principle that may impact this internal control deficiency | |
Is internal control deficiency a major deficiency? (Y/N) | Comments/ Compensating Controls | |||
N/A | N/A | N/A | N/A | N/A |
Explanation/Conclusion | ||||
Evaluate deficiencies across the component:* Evaluate if any internal control deficiencies or combination of internal control deficiencies, when considered across the component, represent a major deficiency.** | No internal control deficiencies noted. | |||
Evaluate the component using judgment and based on the principles and the deficiencies.** | Yes/No | Explanation/Conclusion | ||
Is the component present? | Yes | No internal control deficiencies noted. | ||
Is the component functioning? | Yes | No internal control deficiencies noted. | ||
* Note: Record deficiencies in Summary of Deficiencies Template. ** If it is determined that there is a major deficiency, then management must conclude that the component is not present and functioning and the system of internal control is not effective. |
Component Evaluation—Monitoring Activities | ||||
---|---|---|---|---|
Present? (Y/N) | Functioning? (Y/N) | Explanation/Conclusion | ||
16. Conducts Ongoing and/or Separate Evaluations—The organization selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning. | Y | Y | The quality organization conducts internal operational reviews with input and oversight from internal audit. However, not all operations staff responsible for the evaluations are adequately trained and experienced in the new technology. | |
Identification No. | Internal control deficiency description | Evaluate internal control deficiency severity: (Consider whether the controls to effect another principle compensate for the internal control deficiency.) | List internal control deficiencies related to another principle that may impact this internal control deficiency | |
Is internal control deficiency a major deficiency? (Y/N) | Comments/ Compensating Controls | |||
MA 16-1 | The personnel performing the formal reviews, while experienced, do not receive formal training on the new technology and processes. As a result, the initial drafts of some reports of findings require corrections. | N | Compensating control: This internal control deficiency is partially mitigated by having experienced senior management review the reports; they have been able to correct the findings based on their skill and experience. | Linked to internal control deficiency (CE 4-1) noted in Principle 4 (Demonstrates Commitment to Competence). |
Present? (Y/N) | Functioning? (Y/N) | Explanation/Conclusion | ||
17. Evaluates and Communicates Deficiencies—The organization evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate. | Y | Y | As part of its internal efficiency reviews, the organization evaluates deficiencies noted, identifies responsibility, and communicates results to senior management. | |
Identification No. | Internal control deficiency description | Evaluate internal control deficiency severity: (Consider whether the controls to effect another principle compensate for the internal control deficiency.) | List internal control deficiencies related to another principle that may impact this internal control deficiency | |
Is internal control deficiency a major deficiency? (Y/N) | Comments/ Compensating Controls | |||
N/A | N/A | N/A | N/A | N/A |
Explanation/Conclusion | ||||
Evaluate deficiencies across the component:* Evaluate if any internal control deficiencies or combination of internal control deficiencies, when considered across the component, represent a major deficiency.** | Based on a preliminary analysis at the principle level, one internal control deficiency was noted in Principle 16. This was not deemed a major deficiency and there was no combination of deficiencies to consider. | |||
Evaluate the component using judgment and based on the principles and the deficiencies.** | Yes/No | Explanation/Conclusion | ||
Is the component present? | Yes | Despite the internal control deficiency noted in Principle 16, we determined that all Monitoring Activity principles were present and the component is present. | ||
Is the component functioning? | Yes | Despite the internal control deficiency noted in Principle 16, we determined that the Monitoring Activities component is functioning. | ||
* Note: Record deficiencies in Summary of Deficiencies Template. ** If it is determined that there is a major deficiency, then management must conclude that the component is not present and functioning and the system of internal control is not effective. |
Overall Assessment of a System of Internal Control | ||||
---|---|---|---|---|
Entity or part of organization structure subject to the assessment (entity, division, operating unit, function) | Manufacturing division supplying parts for aerospace industry | |||
Objective(s) being considered for the scope of internal control being assessed | Considerations regarding management's acceptable level of risk | |||
Operations | Quality of parts within the tolerance levels prescribed by customers | 0.1% variation from specifications tolerance for parts manufactured for customers | ||
Reporting | ||||
Compliance | ||||
Present? (Y/N) | Functioning? (Y/N) | Explanation/Conclusion | ||
Control Environment | Y | Y | CE 4-1, classified as internal control deficiency | |
Risk Assessment | Y | Y | RA 9-1 classified as internal control deficiency | |
Control Activities | Y | Y | CA 12-1 classified as internal control deficiency | |
Information and Communication | Y | Y | No deficiencies noted | |
Monitoring Activities | Y | Y | MA 16-1 classified as internal control deficiency | |
Are all components operating together in an integrated manner? Evaluate if a combination of internal control deficiencies, when aggregated across components, represent a major deficiency.* <Update Summary of Deficiencies Template as needed> | Components are not operating together in an integrated manner. In the preliminary evaluation of principles and components, the internal control deficiencies noted (CE 4-1, RA 9-1, CA 12-1, and MA 16-1) were not classified as major deficiencies.* However, when evaluating the components together, it was noted that most of the deficiencies related to competence (see Principle 4, Demonstrates Commitment to Competence). Therefore, it is our judgment that, together, these deficiencies indicate a major deficiency and that the components are not operating together in an integrated manner. fn 6 | |||
Is the overall system of internal control effective? <Y/N>* | N | |||
Basis for conclusion | Based on considerations when evaluating the components together, it is our judgment that a major deficiency exists. Therefore, the overall system of internal controls is not effective. | |||
* If it is determined that there is a major deficiency, then management must conclude that the overall system of internal control is not effective. fn 6 |
Summary of Internal Control Deficiencies | |||||||||
---|---|---|---|---|---|---|---|---|---|
ID # | Source of the internal control deficiency | Internal Control Deficiency Description | Severity Considerations | Is internal control deficiency a major deficiency? (Y/N) | Owner | Remediation Plan and Date | Impact on Present/ Functioning | List any internal control deficiencies in other principles that may have contributed to this internal control deficiency | |
Component | Principle | ||||||||
CE 4-1 | CE | 4 | The organization relies on experienced hires from the industry but does not have an effective learning and development program to continually train and potentially improve the skill level of the existing employees. | Though there is no formal training program, there is an informal method to develop and upgrade talent through a mentoring process. Because there is normally little change in the business, the lack of a formal training program is not considered severe enough to be a major deficiency. | N Later changed to Y | John XYZ | See "Remediation Action Plan" memo | Principle present and functioning | |
RA 9-1 | RA | 9 | Some operations personnel do not possess the necessary skills to identify the risks associated with the new technology. | Compensating Control: Though operations personnel are not trained in the new technology, management annually performs a high-level review of risks, which should catch any major changes in risk. | N | Jane ABC | See "Remediation Action Plan" memo | Principle present and functioning Component present and functioning | CE 4-1 |
CA 12-1 | CA | 12 | The policies and related procedures are thorough and robust. However, the staff is not formally trained on the policies and procedures. Production errors have occurred because new hires were not formally trained on the procedures. | Most staff have been with the company for a long time and the issues to date have been minor and subsequently corrected. | N | Jeff CDE | See "Remediation Action Plan" memo | Principle present and functioning Component present and functioning | CE 4-1 |
MA 16-1 | MA | 16 | The personnel performing the formal reviews, while experienced, do not receive formal training on the new technology and processes. As a result, the initial drafts of some reports of findings require corrections. | Compensating Control: This internal control deficiency is partially mitigated by having experienced senior management review the reports; they have been able to correct the findings based on their skill and experience. | N | Joe FGH | See "Remediation Action Plan" memo | Principle present and functioning Component present and functioning | CE 4-1 |
fn 6 Given this determination, management would likely update the templates to reflect that the deficiencies have been reclassified as major and the associated components and principles are not present and functioning.
Generated November 10, 2014 20:30:53 |