Management evaluated Principle 1 (Demonstrates Commitment to Integrity and Ethical Values) at both the operating unit and the entity levels since the policies, procedures, and actions at the entity level have at least some effect on the operating unit. Internal control deficiencies were identified at the entity level.

Management determined that while the principle was present and functioning at the operating unit level, the internal control deficiencies at the entity level could jeopardize the objective of ensuring environmental compliance at this business in the longer term. A lack of commitment to integrity and ethical values at the entity level may, over time, cause the commitment at the operating unit level to deteriorate.

The principle was found to be present and functioning at the operating unit level despite deficiencies.

Management evaluated Principle 2 (Exercises Oversight Responsibility). Given the specificity of this principle to the board, this principle needs to be evaluated in the context of the entity's commitment as it relates to the objective at the operating unit level.

The principle was found to be present and functioning at the entity level with no deficiencies.

Management evaluated Principle 3 (Establishes Structure, Authority, and Responsibility) at both the business and the entity levels.

The principle was found to be present and functioning at the entity and operating unit level with no deficiencies.

Management evaluated Principle 4 (Demonstrates Commitment to Competence) at both the business and the entity levels.

The principle was found to be present and functioning at the entity and operating unit level with no deficiencies.

Management evaluated Principle 5 (Enforces Accountability) at the operating unit level. Management felt that it should evaluate the presence and functioning of the principle at the operating unit level as that was most relevant to the operating unit's objective.

The principle was found to be present and functioning at the operating unit level with no deficiencies.

Evaluation of Control Environment component:

The five control environment principles were evaluated as being present and functioning at operating unit A. Management will need to determine whether the entity-level internal control deficiencies in Principle 1 are severe enough to preclude concluding that the component is present and functioning.

Management evaluated all the principles in Risk Assessment at the operating unit level only as the risk assessment process for the objective being assessed is specific to this operating unit.

The principles were found to be present and functioning at the operating unit level.

Evaluation of the Risk Assessment Component:

Management evaluated the four principles relating to the Risk Assessment component and concluded that the component was present and functioning.

Management evaluated Principles 10 and 12 at the operating unit level only as the business process control activities for this objective reside at the operating unit.

The principles were found to be present and functioning at the operating unit level.

Management evaluated Principle 11 (Selects and Develops General Controls over Technology) at both the entity level (because of the centralized data center) and the operating unit level. At the centralized data center it was determined that there was an internal control deficiency in the network-level access security control activities. However, the transaction-level access control activities at the operating unit were considered strong enough to compensate for this deficiency.

The principle was found to be present and functioning.

Evaluation of the Control Activities component:

Management evaluated the three principles relating to the Control Activities component and concluded that the component was present and functioning.

Management evaluated Principle 13 (Uses Relevant Information) at both the entity and operating unit level as information relevant to the objective originated and was used at both levels.

The principle was found to be present and functioning.

Management evaluated Principle 14 (Communicates Internally) at both the operating unit and entity levels as information was communicated internally between both levels.

At the operating unit level, management determined the principle was present and functioning. However, at the entity level, management identified an internal control deficiency. Poor communication of internal control responsibilities at the entity level could impact the operating unit.

The principle was found to be present and functioning.

Management evaluated Principle 15 (Communicates Externally) at the entity level as externally communicated information relevant to the objective was performed at the entity level.

The principle was found to be present and functioning with no deficiencies.

Evaluation of Information and Communication component:

The three Information and Communication principles were evaluated as being present and functioning at the operating unit level. Management will need to determine whether the entity-level internal control deficiency in Principle 14 is severe enough to preclude concluding that the component is present and functioning. In making this determination, management may use the points of focus supporting the principles to determine if there are compensating controls either in this component or another component at the appropriate level (operating unit or entity level) that mitigates that risk that the deficiency identified could result in a failure of the stated objective.

Management evaluated Principles 16 (Conducts Ongoing and/or Separate Evaluations) and 17 (Evaluates and Communicates Deficiencies) at the entity and operating unit levels. Ongoing evaluations are conducted at the operating unit and separate evaluations are done at both the operating unit by its management and the entity by the entity's internal audit group. Deficiencies are evaluated at both levels.

The principles were found to be present and functioning with no deficiencies.

In the evaluation of Monitoring Activities, the component was found to be present and functioning.

This template is not included for this scenario. The concepts related to completing an overall assessment template are illustrated in the Scenario B, Are All Components Present, Functioning, and Operating Together in an Integrated Manner?