Principle 1 (Demonstrates Commitment to Integrity and Ethical Values)

Internal control deficiencies noted after evaluating the principle:

There is no formal training program to help make employees aware of the importance of adherence to the standards of conduct.

The company does not have processes in place to evaluate individuals against the published integrity and ethics policy.

Processes to identify and address deviations are ad hoc in the organization.

Management determined that the combination of internal control deficiencies (as noted above) resulted in the deficiencies being classified as major deficiencies and, therefore, concluded that Principle 1 is not present and functioning.

Principle 2 (Exercises Oversight Responsibility)

Internal control deficiency noted because even though risk assessments are performed and reviewed by management, the board of director's review is not formally documented.

Internal control deficiency noted because the board does not formally document its review of remediation plans and monitoring activities.

In its preliminary analysis, management determined that the internal control deficiencies are not significant and/or are compensated for by other controls. These deficiencies do not represent a major deficiency.

Management concludes that the principle is present and functioning, despite internal control deficiencies, based on an evaluation of the severity of the deficiencies or that there are compensating controls in place.

Principle 3 (Establishes Structure, Authority, and Responsibility)

Internal control deficiency noted because oversight and control structures have not evolved to keep up with changes in the business.

In its preliminary analysis, management determined that the internal control deficiency, though important, did not rise to the level of a major deficiency. Currently, the business structure changes only affect a small portion of the entity.

Management concludes that Principle 3 is present and functioning as the deficiencies affect only a small portion of the entity.

Principle 4 (Demonstrates Commitment to Competence)

No internal control deficiencies noted.

Management concludes that Principle 4 is present and functioning.

Note that as part of Principle 4, management removed the point of focus Plans and Prepares for Succession, as the aspects of this point of focus are now included in the point of focus Evaluates Competence and Addresses Shortcomings.

Principle 5 (Enforces Accountability)

Internal control deficiency noted because bonuses for senior management and division and operating unit leaders are tied directly to sales performance, these bonuses are a large portion of management's compensation, and there is no evidence that any consideration has been given to the pressures that may result or mitigating controls in place.

Management determines that the internal control deficiency noted was a major deficiency and, therefore, concludes that Principle 5 is not present and functioning.

Note that under Principle 5, management had previously customized the point of focus Enforces Accountability through Structures, Authorities, and Responsibilities from the version documented in the Framework The new point of focus reads (changes in bold): "How does management and the board of directors establish the mechanisms to communicate and hold individuals accountable for performance of internal control responsibilities across the organization and implement corrective action as necessary? As part of this process, how does management develop alternative/backup owners for all aspects of internal control?"

Management concludes that the component is not present and functioning, since two principles are not present and functioning due to the identified major deficiencies. This is a rollup of the principle evaluations.

Principle 1—Major deficiency—not present and functioning

Principle 2—Internal control deficiencies (compensating controls noted)—present and functioning

Principle 3—Internal control deficiency (compensating controls noted)—present and functioning

Principle 4—No internal control deficiencies—present and functioning

Principle 5—Major deficiency—not present and functioning