COSO Committee of Sponsoring Organizations of the Treadway Commission
The scenario applies equally to all types of entities. However, management of a smaller entity would likely be more aware of any significant changes in its revenue processes and may address a lack of controls quicker.
Principle Evaluation—Control Activities | ||||
---|---|---|---|---|
Principle 10: Selects and Develops Control Activities —The organization selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels. | ||||
Points of Focus
| ||||
Summary of Controls to Effect Principle 10 In general, control activities are established to address specific risks associated with the risk assessment. An analysis of the company using the balance sheet, income statement, and risk assessment is used to determine which business processes require control activities. This analysis is updated annually at the beginning of the year, but not refreshed toward year-end. As part of the risk assessment process, the competitive environment, the state of the business, and the nuances of the organization are considered in determining and developing the specific control activities. Manual and automated controls as well as preventive and detective controls are considered. The risk assessment is updated annually and factors in changes to systems and processes. An analysis of the entity in its entirety is reviewed and considers control activities at the entity level, as well at the division and process-specific levels. An analysis of sensitive access is performed, including a detailed matrix that defines potential segregation of duty conflicts. Wherever potential conflicts exist, access rights are aligned to segregate these duties. Where this is not possible, controls are developed to ensure that potential conflicting activities are logged and monitored. See the specific risk and control matrices (RCMs) for each process for control activity details. | ||||
Deficiencies Applicable to Principle 10 | ||||
Identification No. | Internal control deficiency description | Evaluate preliminary deficiency severity: (Consider whether other controls to effect this principle compensate for the internal control deficiency.) | List internal control deficiencies related to another principle that may impact this internal control deficiency | |
Preliminary Severity-Is internal control deficiency a major deficiency? (Y/N) | Comments/ Compensating Controls | |||
CA 10-1 | There were inadequate control activities over the revenue process for Division C. We investigated the root cause and determined that control activities were not established at Division C because it was small and in a growth phase. During the course of the year, Division C grew to be a significant portion of the overall revenue, but controls were never implemented. | Material weakness | Due to the lack of control activities for one revenue stream, there is a reasonable possibility that a material misstatement of the organization's financial statements would not be prevented, detected, or corrected on a timely basis. | Material weakness noted in Principle 9 (Identifies and Analyzes Significant Change-The organization identifies and assesses changes that could significantly impact the system of internal control). |
CA 10-2 | There was a failure to determine that there were business processes relevant (material) to the entity's financial statements at Division C, resulting in a lack of controls around revenue. | Material weakness | Due to the lack of control activities for one revenue stream, there is a reasonable possibility that a material misstatement of the organization's financial statements would not be prevented, detected, or corrected on a timely basis. | Material weakness noted in Principle 9 (Identifies and Analyzes Significant Change-The organization identifies and assesses changes that could significantly impact the system of internal control). |
Evaluate deficiencies within the principle:* Evaluate if any internal control deficiencies or combination of internal control deficiencies, when considered within the principle, represent a major deficiency.** <Update Summary of Deficiencies Template as required> | See comments section above. | |||
Evaluate the principle using judgment.** | Y/N | Explanation/Conclusion | ||
Is the principle present? | N | Due to material weaknesses noted, the principle is not present. | ||
Is the principle functioning? | N | As the principle is not present, it is also not functioning. | ||
* Note: Record deficiencies in Summary of Deficiencies Template. ** If it is determined that there is a major deficiency, management must conclude that the principle is not present and functioning and the system of internal control is not effective. |
Component Evaluation—Control Activities | ||||
---|---|---|---|---|
Present? (Y/N) | Functioning? (Y/N) | Explanation/Conclusion | ||
10. Selects and Develops Control Activities—The organization selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels. | N | N | A material weakness is noted in Principle 10. See deficiency details. | |
Identification No. | Internal control deficiency description | Evaluate preliminary deficiency severity:(Consider whether other controls to effect this principle compensate for the internal control deficiency.) | List internal control deficiencies related to another principle that may impact this internal control deficiency | |
Preliminary Severity—Is internal control deficiency a major deficiency? (Y/N) | Comments/Compensating Controls | |||
CA 10-1 | There were inadequate control activities over the revenue process for Division C. An investigation of the root cause determined that control activities were not established at Division C because it was small and in a growth phase. During the course of the year, Division C grew to be a significant portion of the overall revenue, but controls were never implemented. | Material weakness | Due to the lack of control activities for one revenue stream, there is a reasonable possibility that a material weakness of the organization's financial statements would not be prevented, detected, or corrected on a timely basis | Material weakness noted in Principle 14 or internal control, necessary to support the functioning of other components of internal control). |
CA 10-2 | As noted above, there was a failure to link the risk assessment with the establishment of controls at Division C, resulting in a lack of controls around revenue. While the process for scoping is generally sound, it needs to be more tightly linked to the risk assessment. | Material weakness | Due to the lack of control activities for one revenue stream, there is a reasonable possibility that a material weakness of the organization's financial statements would not be prevented, detected, or corrected on a timely basis | Material weakness noted in Principle 14 or internal control, necessary to support the functioning of other components of internal control). |
Present? (Y/N) | Functioning? (Y/N) | Explanation/Conclusion | ||
11. Selects and Develops General Controls over Technology—The organization selects and develops general control activities over technology to support the achievement of objectives. | Y | Y | No deficiencies noted. | |
Identification No. | Internal control deficiency description | Evaluate internal control deficiency severity: (Consider whether the controls to effect another principle compensate for the internal control deficiency.) | List internal control deficiencies related to another principle that may impact this internal control deficiency | |
Is internal control deficiency a major deficiency? (Y/N) | Comments/Compensating Controls | |||
N/A | N/A | N/A | N/A | N/A |
Present? (Y/N) | Functioning? (Y/N) | Explanation/Conclusion | ||
12. Deploys through Policies and Procedures—The organization deploys control activities through policies that establish what is expected and procedures that put the policies into action. | Y | Y | No deficiencies noted. | |
Identification No. | Internal control deficiency description | Evaluate internal control deficiency severity: (Consider whether the controls to effect another principle compensate for the internal control deficiency.) | List internal control deficiencies related to another principle that may impact this internal control deficiency | |
Is internal control deficiency a major deficiency? (Y/N) | Comments/Compensating Controls | |||
N/A | N/A | N/A | N/A | N/A |
Explanation/Conclusion | ||||
Evaluate deficiencies across the component: Evaluate if any internal control deficiencies or combination of internal control deficiencies, when considered across the component, represent a significant deficiency or material weakness.** | The deficiencies noted in Principle 10 represent material weaknesses. See comments in Principle 10 above. No other material weaknesses were noted. | |||
Evaluate the component using judgment and based on the principles and the deficiencies.** | Yes/No | Explanation/Conclusion | ||
Is the component present? | No | Due to the material weaknesses in Principle 10, the component is not present. | ||
Is the component functioning? | No | Since the component is evaluated as not present, it is also not functioning. | ||
* Note: Record deficiencies in Summary of Deficiencies Template. ** If it is determined that there is a major deficiency, then management must conclude that the component is not present and functioning and the system of internal control is not effective. |
Overall Assessment of a System of Internal Control | ||||
---|---|---|---|---|
Entity or part of organization structure subject to the assessment (entity, division, operating unit, function) | Entity | |||
Objective(s) being considered for the scope of internal control being assessed | Considerations regarding management's acceptable level of risk | |||
Operations | ||||
Reporting | External Financial Reporting | The acceptable level of risk for this assessment is based on materiality levels, determined to be 5% of profit before tax. | ||
Compliance | ||||
Present? (Y/N) | Functioning? (Y/N) | Explanation/Conclusion | ||
Control Environment | Y | Y | All principles present and functioning despite nternal control deficiencies | |
Risk Assessment | N | N | Material weakness noted in Principle 9 | |
Control Activities | N | N | Material weakness noted in Principle 10 | |
Information and Communication | Y | Y | All principles present and functioning despite internal control deficiencies | |
Monitoring Activities | Y | Y | All principles present and functioning despite internal control deficiencies. | |
Are all components operating together in an Evaluate if a combination of internal control deficiencies, when aggregated across components, represent a significant deficiency or material weakness.* <Update Summary of Deficiencies Template as needed> | Because of the material weaknesses noted, the Control Activities and Risk Assessment components are not present and functioning. Also, the two components are not operating together in an integrated manner. No other deficiencies or combination of deficiencies were noted that would be deemed a significant deficiency or material weakness. | |||
Is the overall system of internal control effective? <Y/N>* | N | |||
Basis for conclusion | Due to the material weaknesses noted in Control Activities and Risk Assessment, these components were not present and functioning and the overall system of internal controls was not effective. | |||
* If it is determined that there is a major deficiency, management must conclude that the system of internal control is not effective. |
Generated November 10, 2014 20:30:53 |