coso-frame2_notes_on_different_entity | American Accounting Association

COSO Committee of Sponsoring Organizations of the Treadway Commission

Committee of Sponsoring Organizations of the Treadway Commission

COSO Internal Control Framework

COMPENDIUM
EXECUTIVE
SUMMARY

ILLUSTRATIVE
TOOLS APPENDICES

COSO ERM Framework

COMPLETE
FRAMEWORK EXECUTIVE
SUMMARY

APPENDICES
COMPENDIUM


Prev		Next

The scenario is equally applicable to all types of entities. However, due to the nature of some entities, certain principles, such as Principle 2, Exercises Oversight Responsibility, may be different in, for example, a governmental entity.

Principle Evaluation—Control Environment
Principle 1: Demonstrates Commitment to Integrity and Ethical Values —The organization demonstrates a commitment to integrity and ethical values.
Points of Focus Sets the Tone at the Top—The board of directors and management at all levels of the entity demonstrate through their directives, actions, and behavior the importance of integrity and ethical values to support the functioning of the system of internal control. Establishes Standards of Conduct—The expectations of the board of directors and senior management concerning integrity and ethical values are defined in the entity's standards of conduct and understood at all levels of the organization and by outsourced service providers and business partners. Evaluates Adherence to Standards of Conduct—Processes are in place to evaluate the performance of individuals and teams against the entity's expected standards of conduct. Addresses Deviations in a Timely Manner—Deviations of the entity's expected standards of conduct are identified and remedied in a timely and consistent manner.
Summary of Controls to Effect Principle 1
The board of directors and senior management have formulated a set of policies on integrity and ethics, and these policies are regularly flashed on the firm's internal portal and in newsletters, as well as being incorporated into the contracts with outsourced service providers. It is up to the management of each operating unit to evaluate adherence to the organization's integrity and ethics policies. In most cases, this is not conducted. It is up to the management of each operating unit to identify and address deviations against the organization's integrity and ethics policies. Normally, this occurs only when management is specifically made aware of a situation.
Deficiencies Applicable to Principle 1
Identification No.	Internal control deficiency description	Evaluate preliminary deficiency severity: (Consider whether other controls to effect this principle compensate for the internal control deficiency.)		List internal control deficiencies related to another principle that may impact this internal control deficiency
Identification No.	Internal control deficiency description	Preliminary Severity—Is internal control deficiency a major deficiency? (Y/N)	Comments/ Compensating Controls
CE 1-1	There is no formal training program to help make employees aware of the importance of adherence to the standards of conduct.	N ^{fn 5}	N/A
CE 1-2	The company does not have processes in place to evaluate individuals against the published integrity and ethics policy.	N ^{fn 5}	N/A
CE 1-3	Processes to identify and address deviations are ad hoc in the organization.	N ^{fn 5}	N/A
Evaluate deficiencies within the principle:* Evaluate if any internal control deficiencies or combination of internal control deficiencies, when considered within the principle, represent a major deficiency.** <Update Summary of Deficiencies Template as required>		The combination of the internal control deficiencies noted in Principle 1 (CE 1-1, CE1-2, and CE 1-3) result in reclassifying all three as major deficiencies. While there are formally published and communicated ethics and compliance policies, without training to make people aware of the policies, and processes to evaluate individuals against deviations and identify and address deviations, the organization is not setting a tone that clearly communicates the message that violating the policies is unacceptable.
Evaluate the principle using judgment.**		Y/N	Explanation/Conclusion
Is the principle present?		N	Due to the major deficiency in the principle, the principle is not present.
Is the principle functioning?		N	As the principle was not present, it is also not functioning.
* Note: Record deficiencies in Summary of Deficiencies Template. ** If it is determined that there is a major deficiency, management must conclude that the principle is not present and functioning and the system of internal control is not effective.
Principle 2: Exercises Oversight Responsibility —The board of directors demonstrates independence from management and exercises oversight of the development and performance of internal control.
Points of Focus Establishes Oversight Responsibilities—The board of directors identifies and accepts its oversight responsibilities in relation to established requirements and expectations. Applies Relevant Expertise—The board of directors defines, maintains, and periodically evaluates the skills and expertise needed among its members to enable them to ask probing questions of senior management and take commensurate actions. Operates Independently—The board of directors has sufficient members who are independent from management and objective in evaluations and decision making. Provides Oversight for the System of Internal Control—The board of directors retains oversight responsibility for management's design, implementation, and conduct of internal control: Control Environment—Establishing integrity and ethical values, oversight structures, authority and responsibility, expectations of competence, and accountability to the board. Risk Assessment—Overseeing management's assessment of risks to the achievement of objectives, including the potential impact of significant changes, fraud, and management override of internal control. Control Activities—Providing oversight to senior management in the development and performance of control activities. Information and Communication—Analyzing and discussing information relating to the entity's achievement of objectives. Monitoring Activities—Assessing and overseeing the nature and scope of monitoring activities and management's evaluation and remediation of deficiencies.
Summary of Controls to Effect Principle 2 The board of directors has a charter that is comprehensive and outlines the board's oversight responsibilities in a manner consistent with the entity's regulatory environment and expectations. The charter for the board clearly establishes the need for integrity and ethical values and outlines the organizational structure from the top down along with requirements for integrity, ethics, competence, and accountability at each level. The charter indicates that the board should review management's assessment of risk; however, the details of this review are not formally documented. The board consists of family members and a number of business professionals with significant experience. The managing director has considerable experience in running large businesses. There are a number of board members who come from outside organizations and who have a variety of experience. The board of directors has delegated certain responsibilities to its committees, and each committee has a well-defined charter delineating its responsibilities in the context of the entity's regulatory environment and expectations. The board reviewed the proposed summary of control activities and provided its feedback and guidance. The summary list of control activities and the internal control plan is presented annually by the compliance director. The executive committee regularly reports on the progress of the organization and the achievement of its internal financial reporting objectives. Every deficiency is analyzed by management and a corresponding remediation plan is provided to the board. However, the board does not formally document its review of the closure of the remediation activities.
Deficiencies Applicable to Principle 2
Identification No.	Internal control deficiency description	Evaluate preliminary deficiency severity: (Consider whether other controls to effect this principle compensate for the internal control deficiency.)		List internal control deficiencies related to another principle that may impact this internal control deficiency
Identification No.	Internal control deficiency description	Preliminary Severity—Is internal control deficiency a major deficiency? (Y/N)	Comments/ Compensating Controls
CE 2-1	While the charter indicates that the board should review management's assessment of risk, the details of this review are not formally documented.	N	This is primarily a documentation issue—the board does review the risk assessment as evidenced in the board minutes.
CE 2-2	The board does not formally document its review of remediation plans and monitoring activities.	N	The remediation plans for deficiencies are reviewed by the board but not formally documented. Compensating control:The remediation activity and its completion are monitored by operational management.
Evaluate deficiencies within the principle:* Evaluate if any internal control deficiencies or combination of internal control deficiencies, when considered within the principle, represent a major deficiency.** <Update Summary of Deficiencies Template as required>		The internal control deficiencies noted in Principle 2 are minor or compensated for by other controls (see comments in deficiencies CE 2-1 and CE 2-2). These deficiencies do not represent a major deficiency.
Evaluate the principle using judgment**		Y/N	Explanation/Conclusion
Is the principle present?		Y	Internal control deficiencies noted were not considered severe enough to be major or have compensating controls. See comments in deficiencies CE 2-1 and CE 2-2.
Is the principle functioning?		Y	Internal control deficiencies noted were not considered severe enoughto be major or have compensating controls. See comments in deficiencies CE 2-1 and CE 2-2.
* Note: Record deficiencies in Summary of Deficiencies Template. ** If it is determined that there is a major deficiency, management must conclude that the principle is not present and functioning and the system of internal control is not effective.
Principle 3: Establishes Structure, Authority, and Responsibility —Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives.
Points of Focus Considers All Structures of the Entity—Management and the board of directors consider the multiple structures used (including operating units, legal entities, geographic distribution, and outsourced service providers) to support the achievement of objectives. Establishes Reporting Lines—Management designs and evaluates lines of reporting for each entity structure to enable execution of authorities and responsibilities and flow of information to manage the activities of the entity. Defines, Assigns, and Limits Authorities and Responsibilities—Management and the board of directors delegate authority, define responsibilities, and use appropriate processes and technology to assign responsibility and segregate duties as necessary at the various levels of the organization: Board of Directors—Retains authority over significant decisions and reviews management's assignments and limitations of authorities and responsibilities Senior Management—Establishes directives, guidance, and control to enable management and other personnel to understand and carry out their internal control responsibilities Management—Guides and facilitates the execution of senior management directives within the entity and its subunits Personnel—Understands the entity's standard of conduct, assessed risks to objectives, and the related control activities at their respective levels of the entity, the expected information and communication flow, and monitoring activities relevant to their achievement of the objectives Outsourced Service Providers—Adheres to management's definition of the scope of authority and responsibility for all non-employees engaged
Summary of Controls to Effect Principle 3 The design of the internal control system and the internal financial reporting objectives are discussed at the board meetings. The internal control organization design is evaluated jointly by both the board and management. The reporting and related governance structure is designed through consultation with the governance committee constituted by a competent senior management team. The governance committee works with the controller to ensure that responsibilities are clearly defined and the controls around segregation of duties are adequately designed.
Deficiencies Applicable to Principle 3
Identification No.	Internal control deficiency description	Evaluate preliminary deficiency severity: (Consider whether other controls to effect this principle compensate for the internal control deficiency.)		List internal control deficiencies related to another principle that may impact this internal control deficiency
Identification No.	Internal control deficiency description	Preliminary Severity—Is internal control deficiency a major deficiency? (Y/N)	Comments/ Compensating Controls
CE 3-1	Management has defined and the board of directors has signed off on the company's structures, reporting lines, and authorities and responsibilities; however, the business model has since evolved to encompass business partners, outsourced service providers, and new product lines so that new or are needed. Internal control weaknesses relating to this new dimension of the business could therefore be missed and cause the company to fall short of meeting its internal financial reporting objectives.	N	This internal control deficiency is important, but does not rise to the level of a major deficiency. Currently, the business structure changes affect a relatively small portion of the entity.
Evaluate deficiencies within the principle:* Evaluate if any internal control deficiencies or combination of internal control deficiencies, when considered within the principle, represent a major deficiency** <Update Summary of Deficiencies Template as required>		In a preliminary analysis, it has been determined that the severity of the internal control deficiency noted in Principle 3 (CE 3-1), though important, did not rise to the level of a major deficiency.
Evaluate the principle using judgment**		Y/N	Explanation/Conclusion
Is the principle present?		Y
Is the principle functioning?		Y
* Note: Record deficiencies in Summary of Deficiencies Template. ** If it is determined that there is a major deficiency, management must conclude that the principle is not present and functioning and the system of internal control is not effective.
Principle 4: Demonstrates Commitment to Competence —The organization demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives.
Points of Focus Establishes Policies and Practices—Policies and practices reflect expectations of competence necessary to support the achievement of objectives. Evaluates Competence and Addresses Shortcomings—The board of directors and management evaluate competence across the organization and in outsourced service providers in relation to established policies and practices, and acts, as necessary to address shortcomings. Attracts, Develops, and Retains Individuals—The organization provides the mentoring and training needed to attract, develop, and retain sufficient and competent personnel and outsourced service providers to support the achievement of objectives. Plans and Prepares for Succession—Senior management and the board of directors develop contingency plans for assignments of responsibility important for internal control.
Summary of Controls to Effect Principle 4 The competency framework is embedded into the policies and procedures of the organization. Specifically, there are sections of the policies and procedures that focus on the capabilities required at each level to effectively execute the controls around financial reporting. The internal control team evaluates and reports on the competency of the organization as well as the outsourced service providers. These reports are evaluated and gaps addressed by the management and the board. The organization has a robust training and mentoring framework to guide and support individuals and service providers on the organization's policies and procedures.
Deficiencies Applicable to Principle 4
Identification No.	Internal control deficiency description	Evaluate preliminary deficiency severity: (Consider whether other controls to effect this principle compensate for the internal control deficiency.)		List internal control deficiencies related to another principle that may impact this internal control deficiency
Identification No.	Internal control deficiency description	Preliminary Severity—Is internal control deficiency a major deficiency? (Y/N)	Comments/ Compensating Controls
N/A	N/A	N/A	N/A	N/A
Evaluate deficiencies within the principle:* Evaluate if any internal control deficiencies or combination of internal control deficiencies, when considered within the principle, represent a major deficiency** <Update Summary of Deficiencies Template as required>		No internal control deficiencies noted.
Evaluate the principle using judgment**		Y/N	Explanation/Conclusion
Is the principle present?		Y	No internal control deficencies noted.
Is the principle functioning?		Y	No internal control deficencies noted.
* Note: Record deficiencies in Summary of Deficiencies Template. ** If it is determined that there is a major deficiency, management must conclude that the principle is not present and functioning and the system of internal control is not effective.
Principle 5: Enforces Accountability —The organization holds individuals accountable for their internal control responsibilities in the pursuit of objectives.
Points of Focus Enforces Accountability through Structures, Authorities, and Responsibilities—Management and the board of directors establish the mechanisms to communicate and hold individuals accountable for performance of internal control responsibilities across the organization and implement corrective action as necessary. Establishes Performance Measures, Incentives, and Rewards—Management and the board of directors establish performance measures, incentives, and other rewards appropriate for responsibilities at all levels of the entity, reflecting appropriate dimensions of performance and expected standards of conduct, and considering the achievement of both short-term and longer-term objectives. Evaluates Performance Measures, Incentives, and Rewards for Ongoing Relevance—Management and the board of directors align incentives and rewards with the fulfillment of internal control responsibilities in the achievement of objectives. Considers Excessive Pressures—Management and the board of directors evaluate and adjust pressures associated with the achievement of objectives as they assign responsibilities, develop performance measures, and evaluate performance. Evaluates Performance and Rewards or Disciplines Individuals—Management and the board of directors evaluate performance of internal control responsibilities, including adherence to standards of conduct and expected levels of competence and provide rewards or exercise disciplinary action as appropriate.
Summary of Controls to Effect Principle 5 There are clear responsibilities within the organizational structure related to the execution of controls supporting the internal financial reporting objective. These responsibilities are annually reviewed by the board. The responsibility and related organizational structure is tied to a transparent evaluation framework that incorporates good practices, which encourages desirable and responsible behavior. There is a top-down performance reward system that is tied to internal control responsibilities for most personnel. The board evaluates the performance of the management team through discussions and reviews rather than just tracking numerical metrics. Performance is reviewed against established internal control goals and responsibilities established at the beginning of the year. There is also a review of the internal control organization and issues are traced to the individuals and teams responsible. Appropriate rewards and/or enforcement actions are exercised. This is reviewed quarterly by the board.
Deficiencies Applicable to Principle 5
Identification No.	Internal control deficiency description	Evaluate preliminary deficiency severity: Consider whether other controls to effect this principle compensate for the internal control deficiency.)		List internal control deficiencies related to another principle that may impact this internal control deficiency
Identification No.	Internal control deficiency description	Preliminary Severity—Is internal control deficiency a major deficiency? (Y/N)	Comments/ Compensating Controls
CE 5-1	The compensation structure for senior management is heavily weighted toward sales incentive bonuses as compared to salary. This may contribute to excessive pressure to meet business targets and produce favorable internal financial reports.	Y	There is no evidence that any consideration has been given to the pressures that may result or mitigating controls in place.	The incentive compensation puts pressure on senior management to act unethically. The major deficiencies in Principle 1 (CE 1-1, CE 1-2, and CE 1-3) do not set a tone that unethical behavior is unacceptable in the organization.
Evaluate deficiencies within the principle:* Evaluate if any internal control deficiencies or combination of internal control deficiencies, when considered within the principle, represent a major deficiency.** <Update Summary of Deficiencies Template as required>		The internal control deficiency noted in the principle (CE 5-1) is a major deficiency.
Evaluate the principle using judgment.**		Y/N	Explanation/Conclusion
Is the principle present?		N	Due to the major deficiency (CE 5-1) in the principle, the principle is not present.
Is the principle functioning?		N	As the principle was not present, it is also not functioning.
* Note: Record deficiencies in Summary of Deficiencies Template. ** If it is determined that there is a major deficiency, management must conclude that the principle is not present and functioning and the system of internal control is not effective.
		Present? (Y/N)	Functioning? (Y/N)	Explanation/Conclusion
1. Demonstrates Commitment to Integrity and Ethical Values—The organization demonstrates a commitment to integrity and ethical values.		N	N	The appropriate tone at the top is not being set without a formal training program in place and there are no processes to identify and enforce adherence to the integrity and ethics policies (see deficiencies CE 1-1, CE 1-2, and CE 1-3).
Identification No.	Internal control deficiency description	Evaluate internal control deficiency severity: Consider whether the controls to effect another principle compensate for the internal control deficiency.)		List internal control deficiencies related to another principle that may impact this internal control deficiency
Identification No.	Internal control deficiency description	Is internal control deficiency a major deficiency? (Y/N)	Comments/ Compensating Controls
CE 1-1	There is no formal training program to help make employees aware of the importance of adherence to the standards of conduct.	Y	While individually this may not be a major deficiency, when considered in combination with CE 1-2 and CE 1-3, it has been determined that this is a major deficiency. This is not compensated for by controls in other principles.
CE 1-2	The company does not have processes in place to evaluate individuals against the published integrity and ethics policy.	Y	While individually this may not be a major deficiency, when considered in combination with CE 1-1 and CE 1-3 it has been determined that this is a major deficiency. This is not compensated for by controls in other principles.
CE1-3	Processes to identify and address deviations are ah-hoc in the organization.	Y	While individually this may not be a major deficiency, when considered in combination with CE 1-1 and CE 1-2 it has been determined that this is a major deficiency. This is not compensated for by controls in other principles.
		Present? (Y/N)	Functioning? (Y/N)	Explanation/Conclusion
2. Exercises Oversight Responsibility—The board of directors demonstrates independence from management and exercises oversight for the development and performance of internal control.		Y	Y	The internal control deficiencies noted in Principle 2 (CE 2-1 and CE 2-2) are relatively minor and are compensated for by other controls (see Comments/ Compensating Controls).
Identification No.	Internal control deficiency description	Evaluate internal control deficiency severity: (Consider whether the controls to effect another principle compensate for the internal control deficiency.)		List internal control deficiencies related to another principle that may impact this internal control deficiency
Identification No.	Internal control deficiency description	Is internal control deficiency a major deficiency? (Y/N)	Comments/ Compensating Controls
CE 2-1	While the charter indicates that the board should review management's assessment of risk, this review is not formally documented.	N	This is primarily a documentation issue—the board does review the risk assessment.
CE 2-2	The board does not formally document its review of remediation plans and monitoring activities.	N	The remediation plans for deficiencies are also reviewed by the board, but not formally documented. Compensating control: The remediation activity and its completion are monitored by operational management.
		Present? (Y/N)	Functioning? (Y/N)	Explanation/Conclusion
3. Establishes Structure, Authority, and Responsibility— Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives.		Y	Y	Oversight and control structures have not evolved to keep pace with changes in the business (see deficiency 3-1).
Identification No.	Internal control deficiency description	Evaluate internal control deficiency severity: (Consider whether the controls to effect another principle compensate for the internal control deficiency.)		List internal control deficiencies related to another principle that may impact this internal control deficiency
Identification No.	Internal control deficiency description	Is internal control deficiency a major deficiency? (Y/N)	Comments/ Compensating Controls
CE 3-1	Management has defined and the board of directors has signed off on the company's structures, reporting lines, and authorities and responsibilities; however, the business model has since evolved to encompass business partners, outsourced service providers, and new product lines. As a result, new or different oversight and control structures are needed. Internal control weaknesses relating to this new dimension of the business could therefore be missed and cause the company to fall short of meeting its internal financial reporting objectives.	N	This internal control deficiency is important, but does not rise to the level of a major deficiency. Currently, the business structure changes only affect a small portion of the entity.
		Present? (Y/N)	Functioning? (Y/N)	Explanation/Conclusion
4. Demonstrates Commitment to Competence—The organization demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives.		Y	Y	No internal control deficiencies noted.
Identification No.	Internal control deficiency description	Evaluate internal control deficiency severity: Consider whether the controls to effect another principle compensate for the internal control deficiency.)		List internal control deficiencies related to another principle that may impact this internal control deficiency
Identification No.	Internal control deficiency description	Is internal control deficiency a major deficiency? (Y/N)	Comments/ Compensating Controls
N/A	N/A	N/A	N/A	N/A
		Present? (Y/N)	Functioning? (Y/N)	Explanation/Conclusion
5. Enforces Accountability—The organization holds individuals accountable for their internal control responsibilities in the pursuit of objectives.		N	N	The incentive structure represents an internal control deficiency (see internal control deficiency CE 5-1).
Identification No.	Internal control deficiency description	Evaluate internal control deficiency severity: Consider whether the controls to effect another principle compensate for the internal control deficiency.)		List internal control deficiencies related to another principle that may impact this internal control deficiency
Identification No.	Internal control deficiency description	Is internal control deficiency a major deficiency? (Y/N)	Comments/ Compensating Controls
CE 5-1	The compensation structure for senior management is heavily weighted toward sales incentive bonuses as compared to salary. This may contribute to excessive pressure to meet business targets and produce favorable internal financial reports.	Y	There is no evidence that any consideration has been given to the pressures that may result or mitigating controls in place.	CE 1-1, CE 1-2, CE 1-3
		Explanation/Conclusion
Evaluate deficiencies across the component:* Evaluate if any internal control deficiencies or combination of internal control deficiencies, when considered across the component, represent a major deficiency.**		Major deficiencies noted in Principles 1 and 5
Evaluate the component using judgment and based on the principles and the deficiencies.**		Yes/No	Explain
Is the component present?		N	Major deficiencies noted.
Is the component functioning?		N	As the component is not present, it is also not functioning.
* Note: Record deficiencies in Summary of Deficiencies Template. ** If it is determined that there is a major deficiency, then management must conclude that the component is not present and functioning and the system of internal control is not effective.

Footnotes (Notes on Different Entity Types):

^{fn 5}Once it is determined that the internal control deficiencies, when considered across the principle, rise to the level of a major deficiency, management should adjust the preliminary severity analysis to reflect each internal control deficiency as a major deficiency.

Prev	Up	Next
	Home

Generated November 10, 2014 20:30:53

Copyright © 2013 – 2016 Committee of Sponsoring Organizations of the Treadway Commission and the American Accounting Association. All Rights Reserved. Use of materials is subject to COSO's Policy of Acceptable Use.

COSO Committee of Sponsoring Organizations of the Treadway Commission

Committee of Sponsoring Organizations of the Treadway Commission

COSO Internal Control Framework

COSO ERM Framework

To access this page, please login with your COSO credentials using the button below:

Contact Info

COSO Committee of Sponsoring Organizations of the Treadway Commission

COSO User Logout

Committee of Sponsoring Organizations of the Treadway Commission

COSO Internal Control Framework

COSO ERM Framework

To access this page, please login with your COSO credentials using the button below:

Please enter your COSO login credentials below