Table of Contents

Chapter Links

Foreword

1. Introduction

Committee of Sponsoring Organizations of the Treadway Commission

Board Members

PwC—Author

Principal Contributors

Advisory Council

Sponsoring Organizations Representatives

Members at Large

Regulatory Observers and Other Observers

Additional PwC Contributors

Using This Document

Intended Audience

Approaches and Examples for Applying Principles

Limitations of Illustrations

Considerations for External Financial Reporting

Types of External Financial Reports

Financial Statements for External Purposes

Other External Financial Reporting

Objectives Established for External Financial Reporting

Suitable Objectives of Financial Statements for External Purposes

Applicable Accounting Standards

Considers Materiality

Reflects Entity Activities

Risks to Achieving Suitable Objectives

Risk of Material Omission or Misstatement

Risk of Material Omission or Misstatement Due to Fraud

Management Override

Risk of Material Omission or Misstatement Due to Illegal Acts and Corruption

Risk Response

Smaller Entities

Documentation

Structure of the Compendium

Return to Top

2. Control Environment

Demonstrates Commitment to Integrity and Ethical Values

Points of Focus

Approaches and Examples for Applying the Principle

Approach: Establishing Standards of Conduct

Example: Defining, Communicating, and Regularly Updating the Code of Business Conduct and Ethical Standards

Approach: Leading by Example on Matters of Integrity and Ethics

Example: Using a Company Newsletter to Reinforce Expectations of Integrity and Ethics

Approach: Evaluating Management and Other Personnel, Outsourced Service Providers, and Business Partners for Adherence to Standards of Conduct

Example: Conducting Ethics Audits

Example: Evaluating Misconduct Reported through an Anonymous Hotline

Approach: Developing Processes to Report and Promptly Act on Deviations from Standards of Conduct

Example: Taking Action when Deviations Occur

Exercises Oversight Responsibility

Points of Focus

Approaches and Examples for Applying the Principle

Approach: Establishing the Roles, Responsibilities, and Delegation of Authority of the Board of Directors

Example: Reviewing and Documenting Key Activities of the Audit Committee

Example: Reviewing Governmental Agency Financial Results and Underlying Internal Control

Approach: Establishing Policies and Practices for Meetings between the Board of Directors and Management

Example: Establishing an Audit Committee Meeting Calendar

Example: Preparing Effectively for Meetings

Approach: Identifying and Reviewing Board of Director Candidates

Example: Changing the Board Composition of a Closely Held Company

Example: Assessing and Disclosing Director Qualifications

Approach: Reviewing Management's Assertions and Judgments

Example: Reviewing Financial Statement Estimates

Approach: Obtaining an External View

Example: Interacting with Auditors

Approach: Considering Whistle-Blower Information about Financial Statement Errors and Irregularities

Example: Assessing the Potential of Management Override

Example: Investigating and Reporting Whistle-Blower Allegations

Establishes Structure, Authority, and Responsibility

Points of Focus

Approaches and Examples for Applying the Principle

Approach: Defining Roles and Reporting Lines and Assessing Them for Relevance

Example: Reorganizing to Support Control Structure

Example: Redefining Roles with CEO and Board Input

Approach: Defining Authority at Different Levels of Management

Example: Maintaining an Authority and Approval Matrix

Approach: Maintaining Job Descriptions and Service-Level Agreements

Example: Aligning Roles and Responsibilities with Objectives

Example: Maintaining Control while Engaging Outside Service Providers

Approach: Defining the Role of Internal Auditors

Example: Reviewing and Approving the Internal Audit Plan

Demonstrates Commitment to Competence

Points of Focus

Approaches and Examples for Applying the Principle

Approach: Establishing Required Knowledge, Skills, and Expertise

Example: Periodically Reviewing Policies

Approach: Linking Competence Standards to Established Policies and Practices in Hiring, Training, and Retention Decisions

Example: Recruiting and Retaining Key Financial Reporting Positions

Example: Defining Performance Expectations

Approach: Identifying and Delivering Financial Reporting–Related Training as Needed

Example: Implementing Complex Accounting Standards

Approach: Selecting Appropriate Outsourced Service Providers

Example: Retaining External Tax Assistance

Approach: Evaluating Competence and Behavior

Example: Periodically Assessing Performance

Example: Audit Committee Review of Managers’ Roles

Approach: Evaluating the Capacity of Finance Personnel

Example: Assessing the Adequacy of Staffing Levels for Financial Reporting

Example: Aligning Competencies with Key Financial Reporting Positions

Approach: Developing Alternate Candidates for Key Financial Reporting Roles

Example: Addressing Succession Planning

Enforces Accountability

Points of Focus

Approaches and Examples for Applying the Principle

Approaches: Defining and Confirming Responsibilities

Example: Cascading Responsibilities throughout the Organization and Certifying Results

Approach: Developing Balanced Performance Measures, Incentives, and Rewards

Example: Defining and Communicating the Basis for Reward

Approach: Evaluating Performance Measures for Intended Influence

Example: Establishing and Overseeing Performance Measures, Incentives, and Rewards

Approach: Linking Compensation and Other Rewards to Performance

Example: Aligning Incentives with Ethics and Values

Example: Providing Recognition for Suggestions Made to Enhance Internal Control

Return to Top

3. Risk Assessment

Specifies Relevant Objectives

Points of Focus

Approaches and Examples for Applying the Principle

Approach: Identifying Financial Statement Accounts, Disclosures, and Assertions

Example: Linking Accounts, Assertions, and Risks

Approach: Specifying Financial Reporting Objectives

Example: Specifying Objectives

Example: Assessing the Suitability of Specified Objectives

Approach: Assessing Materiality

Example: Assessing Materiality for a Private Company Financial Statement

Approach: Reviewing and Updating Understanding of Applicable Standards

Example: Reviewing Financial Accounting Policies

Example: Reviewing and Updating Understanding of Applicable Standards

Example: Reviewing and Updating Statutory Reporting Requirements

Approach: Considering the Range of Entity Activities

Example: Considering the Range of Assessment Activities

Identifies and Analyzes Risks

Points of Focus

Approaches and Examples for Applying the Principle

Approach: Applying a Risk Identification Process

Example: Analyzing Risk across Functions

Approach: Assessing Risks to Significant Financial Statement Accounts

Example: Assessing Risks to Significant Financial Statement Accounts

Example: Using Risk Ratings

Approach: Meeting with Entity Personnel

Example: Analyzing Risk for Information Technology

Approach: Assessing the Likelihood and Significance of Identified Risks

Example: Identifying and Responding to Risk

Example: Using Benchmark Data to Assess Significance and Response to Risk

Approach: Considering Internal and External Factors

Example: Analyzing Risks from External Factors

Example: Considering Changes in Information Systems

Approach: Evaluating Risk Responses

Example: Considering Risk Response in a Revenue Process

Assesses Fraud Risk

Points of Focus

Approaches and Examples for Applying the Principle

Approach: Conducting Fraud Risk Assessments

Example: Assessing Fraud Risk

Approach: Considering Approaches to Circumvent or Override Controls

Example: Maintaining Oversight

Approach: Considering Fraud Risk in the Internal Audit Plan

Example: Identifying and Analyzing Risk of Material Omission and Misstatement Due to Fraud

Approach: Reviewing Incentives and Pressures Related to Compensation Programs

Example: Analyzing Compensation Structure

Identifies and Analyzes Significant Change

Points of Focus

Approaches and Examples for Applying the Principle

Approach: Assessing Change in the External Environment

Example: Reacting to Significant Change Caused by External Factors

Approach: Conducting Risk Assessments Relating to Significant Change

Example: Updating Risk Assessment for a New CEO

Example: Responding to Significant Change from International Exposure

Example: Responding to Significant Change from an Acquisition

Approach: Considering Change through Succession

Example: Planning for Executive Transition

Approach: Considering CEO and Senior Executive Changes

Example: Preparing for a Change in CEO

Return to Top

4. Control Activities

Selects and Develops Control Activities

Points of Focus

Approaches and Examples for Applying the Principle

Approach: Using Matrices, Workshops, or an Inventory of Control Activities to Map Identified Risks to Control Activities

Example: Using Workshops to Map Identified Risks to Control Activities

Example: Using a Risk and Controls Matrix to Map Risks to Control Activities

Example: Using an Inventory of Risks and Control Activities

Approach: Implementing or Assessing Control Activities when Outsourcing to a Third Party

Example: Obtaining a Report on Controls at a Service Organization from a Service Payroll Provider

Example: Implementing or Assessing Control Activities when a Report on Controls at a Service Organization is Not Available

Approach: Considering the Types of Control Activities

Example: Balancing the Types of Control Activities

Example: Evaluating Preventive versus Detective Control Activities

Example: Setting the Threshold for Business Performance Reviews

Example: Controlling Significant Accounting Estimates

Example: Automating Balance Sheet Reconciliations

Approach: Considering Alternative Control Activities to the Segregation of Duties

Example: Using Alternative Control Activities when Access to Purchasing Transactions Are Not Segregated

Approach: Identifying Incompatible Functions

Example: Manually Assessing Incompatible Functions Across an Entity

Example: Using Automated Tools to Enforce the Segregation of Incompatible Functions

Selects and Develops General Controls over Technology

Points of Focus

Approaches and Examples for Applying the Principle

Approach: Using Risk and Control Matrices to Document Technology Dependencies

Example: Using a Walkthrough to Understand Technology Dependencies

Approach: Evaluating End-User Computing

Example: Evaluating Financial Close End-User Spreadsheet Control Activities

Approach: Implementing or Assessing Control Activities when Outsourcing IT Functions to a Third Party

Example: Obtaining a Report on Controls at a Service Organization from a Cloud-Based Service Provider

Approach: Configuring the IT Infrastructure to Support Restricted Access and Segregation of Duties

Example: Configuring the IT Infrastructure to Support Restricted Access and Segregation of Duties

Approach: Configuring IT to Support the Complete, Accurate, and Valid Processing of Transactions and Data

Example: Configuring IT to Support the Complete, Accurate, and Valid Processing of Transactions and Data

Approach: Administering Security and Access

Example: Establishing Logical Security

Approach: Applying a System Development Life Cycle over Packaged Software

Example: Managing Changes to Packaged Software

Approach: Applying a System Development Life Cycle over Software Developed In-House

Example: Managing Changes to Custom Software

Example: Varying Control Activities in an SDLC Based on Risk

Deploys through Policies and Procedures

Points of Focus

Approaches for Applying the Principle

Approach: Developing and Documenting Policies and Procedures

Example: Using Templates to Document Policies

Example: Establishing Policies and Procedures

Example: Establishing Responsibilities for Reviewing Financial Statements

Example: Reassessing Policies and Procedures for Revenue Recognition

Example: Reviewing Cost Overruns by Competent Personnel

Example: Performing Control Activities in a Timely Manner

Example: Taking Corrective Action

Approach: Deploying Control Activities through Business Unit or Functional Leaders

Example: Deploying Control Activities through a Central Control Function

Approach: Conducting Regular and Ad Hoc Assessments of Control Activities

Example: Regularly Assessing Policies and Procedures

Example: Ad Hoc Assessing of Control Activities

Return to Top

5. Information and Communication

Uses Relevant Information

Points of Focus

Approaches and Examples for Applying the Principle

Approach: Creating an Inventory of Information Requirements

Example: Evaluating Business Activities to Identify Information Requirements

Example: Maintaining Data Flow Diagrams, Flowcharts, Narratives, and Procedures Manuals

Approach: Obtaining Information from External Sources

Example: Gathering Information from External Sources

Example: Capturing Information through Electronic Data Interchange

Approach: Obtaining Information from Non-Finance Management

Example: Conducting Quarterly Interviews of Operations and Other Management

Example: Obtaining Operating Information for Financial Reporting

Approach: Creating and Maintaining Information Repositories

Example: Using a Data Warehouse to Facilitate Access to Information

Approach: Using an Application to Process Data into Information

Example: Data Capture and Processing for the Purchasing and Payables Cycle

Approach: Enhancing Information Quality through a Data Governance Program

Example: Validating Data and Information

Approach: Identifying, Securing, and Retaining Financial Data and Information

Example: Identifying and Protecting Financial Data and Information

Example: Identifying and Classifying Data for Financial Reporting

Communicates Internally

Points of Focus

Approaches and Examples for Applying the Principle

Approach: Communicating Information Regarding External Financial Reporting Objectives and Internal Control

Example: Using Communications Programs to Reinforce Internal Control

Example: Using an Internal Accounting and Finance Conference to Reinforce Policy Changes

Approach: Communicating Internal Control Responsibilities

Example: Using Governance, Risk, and Compliance Technology to Manage Internal Controls

Approach: Developing Guidelines for Communication to the Board of Directors

Example: Facilitating Communication between Executive Management and the Board of Directors

Approach: Reviewing Financial and Internal Control Information with the Board of Directors

Example: Preparing Financial and Internal Control Reporting Package for Discussion with the Board

Approach: Communicating a Whistle-Blower Program to Company Personnel

Example: Employee Ethics Hotline

Approach: Communicating through Alternative Reporting Channels

Example: Establishing a Mentoring Program to Encourage Communicating with Management

Approach: Establishing Cross-Functional and Multidirectional Internal Control Communication Processes and Forums

Example: Establishing a Cross-Functional Internal Control Committee

Communicates Externally

Points of Focus

Approaches for Applying the Principle

Approach: Communicating Information to Relevant External Parties

Example: Communicating Internal Control Information to a Federal Agency

Example: Establishing Periodic Communications with Contractors and Outsourced Service Providers

Approach: Obtaining Information from Outside Sources

Example: Communications from Regulatory Bodies

Example: Obtaining Information from External Sources to Assist with Accounting Estimates

Approach: Surveying External Parties

Example: Conducting Discussions with Customers

Approach: Communicating the Whistle-Blower Program to Outside Parties

Example: Facilitating Communication with External Parties

Approach: Reviewing External Audit Communications

Example: Managing and Assessing External Audit Communications

Return to Top

6. Monitoring Activities

Conducts Ongoing and/or Separate Evaluations

Points of Focus

Approaches and Examples for Applying the Principle

Approach: Periodically Reviewing the Mix of Monitoring Activities

Example: Changes in Business Operations

Example: Changing the Internal Audit Plan

Approach: Establishing a Baseline

Example: Establishing a Baseline

Approach: Identifying and Using Metrics

Example: Using Metrics to Monitor Payroll

Example: Using Built-In Operating Measures and Key Control Indicators

Approach: Designing and Implementing a Dashboard

Example: Using Dashboards to Relate Operating Information

Approach: Using Technology to Support Monitoring Activities

Example: Using Continuous Monitoring

Example: Using Technology to Identify Trends

Approach: Conducting Separate Evaluations

Example: Investigating and Reporting Whistle-Blower Allegations

Example: Identifying and Protecting Sensitive Financial Data and Information

Example: Conducting Senior Financial Officer Visits

Example: Using Self-Assessments

Approach: Using Internal Audit to Conduct Separate Evaluations

Example: Identifying and Analyzing Risk of Material Omission and Misstatement due to Fraud

Example: Conducting Separate Evaluations

Approach: Understanding Controls at an Outsourced Service Provider

Example: Reviewing the Service Auditor's Report for Changes in Controls

Evaluates and Communicates Deficiencies

Points of Focus

Approaches and Examples for Applying the Principle

Approach: Assessing and Reporting Deficiencies

Example: Identifying Sources of Deficiencies

Example: Reporting Protocols for Identified Deficiencies

Approach: Monitoring Corrective Action

Example: Establishing Reporting Protocols for Identified Deficiencies

Example: Follow-Up Reporting on Internal Audit Issues

Approach: Developing Guidelines for Reporting Deficiencies

Example: Reporting Deficiencies to the Board

Return to Top

Appendices

A: Examples by Topic

Expectations for Governance Oversight

Globalization of Markets and Operations

Changes and Greater Complexity in the Business

Demands and Complexities of Laws, Rules, Regulations, and Standards

Expectations for Competencies and Accountabilities

Use of, and Reliance on, Evolving Technologies

Expectations Relating to Preventing or Detecting Fraud

B: Public Comment Letters