COSO Committee of Sponsoring Organizations of the Treadway Commission
The process to combine multiple assessments is likely to be simpler when a less complex organizational structure exists.
Component Evaluation—Risk Assessment | ||||
---|---|---|---|---|
Present? (Y/N) | Functioning? (Y/N) | Explanation/Conclusion | ||
6. Specifies Suitable Objectives—The organization specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives. | Y | Y | This principle was evaluated at each division and no internal control deficiencies were noted. | |
Identification No. | Internal control deficiency description | Evaluate internal control deficiency severity: (Consider whether the controls to effect another principle compensate for the internal control deficiency.) | List internal control deficiencies related to another principle that may impact this internal control deficiency | |
Is internal control deficiency a major deficiency? (Y/N) | Comments/Compensating Controls | |||
N/A | N/A | N/A | N/A | N/A |
Present? (Y/N) | Functioning? (Y/N) | Explanation/Conclusion | ||
7. Identifies and Analyzes Risks—The organization identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed. | Y | N | This principle was evaluated at each division and an internal control deficiency (RA7-1) was noted at Division 4 that the process to analyze risks to determine how they should be managed is not functioning. Detailed controls (i.e., policies and procedures) were selected and developed but they were not deployed. Risks were not being effectively analyzed to assess the significance of the risk and determine how they should be managed. The evaluation of the risk assessment processes at the other divisions found them to be present and functioning. | |
Identification No. | Internal control deficiency description | Evaluate internal control deficiency severity: (Consider whether controls to effect other principles within and across components compensate for the internal control deficiency.) | List internal control deficiencies related to another principle that may impact this internal control deficiency | |
Is internal control deficiency a major deficiency? (Y/N) | Comments/Compensating Controls | |||
RA7-1 | For Division 4, The process to identify and analyze risks was not functioning. | Y | The major deficiency is at the division level. | |
Present? (Y/N) | Functioning? (Y/N) | Explanation/Conclusion | ||
8. Assesses Fraud Risk—The organization considers the potential for fraud in assessing risks to the achievement of objectives. | Y | Y | This principle was evaluated at each division and no internal control deficiencies were noted. | |
Identification No. | Internal control deficiency description | Evaluate internal control deficiency severity: (Consider whether the controls to effect another principle compensate for the internal control deficiency.) | List internal control deficiencies related to another principle that may impact this internal control deficiency | |
Is internal control deficiency a major deficiency? (Y/N) | Comments/Compensating Controls | |||
N/A | N/A | N/A | N/A | N/A |
Present? (Y/N) | Functioning? (Y/N) | Explanation/Conclusion | ||
9. Identifies and Analyzes Significant Change—The organization identifies and assesses changes that could significantly impact the system of internal control. | Y | Y | This principle was evaluated at each division and no internal control deficiencies were noted. | |
Identification No. | Internal control deficiency description | Evaluate internal control deficiency severity: (Consider whether controls to effect other principles within and across components compensate for the internal control deficiency.) | List internal control deficiencies related to another principle that may impact this internal control deficiency | |
Is internal control deficiency a major deficiency? (Y/N) | Comments/Compensating Controls | |||
N/A | N/A | N/A | N/A | N/A |
Explanation/Conclusion | ||||
Evaluate deficiencies across the component:* Evaluate if any internal control deficiencies or combination of internal control deficiencies, when considered across the component, represent a major deficiency.** | RA 7-1 is considered a major deficiency across the entity | |||
Evaluate the component using judgment and based on the principles and the deficiencies.** | Yes/No | Explanation/Conclusion | ||
Is the component present? | Y | |||
Is the component functioning? | N | The affected division makes up 20% of overall product sales (by number of units) for the company. It is estimated that the major deficiency at Division 4 has the potential to manufacture 10% of the newly produced products to be outside of specification, so there is a high likelihood that more than 1% of the entity's shipped products would be outside of specification if the deficiency is not remediated. Management concludes that the system of internal control for this objective is not effective. | ||
* Note: Record deficiencies in Summary of Deficiencies Template. ** If it is determined that there is a major deficiency, management must conclude that the component is not present and functioning and the system of internal control is not effective. |
Customized Table to Evaluate Risk Assessment Component Across Divisions
Division 1 | Division 2 | Division 3 | Division 4 | Division 5 | Division 6 | Division 7 | Division 8 | Division 9 | Division 10 | |
---|---|---|---|---|---|---|---|---|---|---|
Principle 6 | P/F with no deficiencies | P/F with no deficiencies | P/F with no deficiencies | P/F with no deficiencies | P/F with no deficiencies | P/F with no deficiencies | P/F with no deficiencies | P/F with no deficiencies | P/F with no deficiencies | P/F with no deficiencies |
Principle 7 | P/F with no deficiencies | P/F with no deficiencies | P/F with no deficiencies | Major deficiency noted | P/F with no deficiencies | P/F with no deficiencies | P/F with no deficiencies | P/F with no deficiencies | P/F with no deficiencies | P/F with no deficiencies |
Principle 8 | P/F with no deficiencies | P/F with no deficiencies | P/F with no deficiencies | P/F with no deficiencies | P/F with no deficiencies | P/F with no deficiencies | P/F with no deficiencies | P/F with no deficiencies | P/F with no deficiencies | P/F with no deficiencies |
Principle 9 | P/F with no deficiencies | P/F with no deficiencies | P/F with no deficiencies | P/F with no deficiencies | P/F with no deficiencies | P/F with no deficiencies | P/F with no deficiencies | P/F with no deficiencies | P/F with no deficiencies | P/F with no deficiencies |
Overall Assessment of a System of Internal Control | ||||
---|---|---|---|---|
Entity or part of organization structure subject to the assessment (entity, division, operating unit, function) | Entity | |||
Objective(s) being aggregated for the scope of internal control being assessed | Considerations regarding management's acceptable level of risk | |||
Operations | Objective is effectiveness of quality controls. | The company's risk tolerance for quality issues is that less than 1% (plus or minus 0.25%) of shipped products will have a measurable defect. | ||
Reporting | ||||
Compliance | ||||
Present? (Y/N) | Functioning? (Y/N) | Explanation/Conclusion | ||
Control Environment | Y | Y | ||
Risk Assessment | Y | N | Deficiency RA7-1 has been determined to be a major deficiency | |
Control Activities | Y | Y | ||
Information and Communication | Y | Y | ||
Monitoring Activities | Y | Y | ||
Are all components operating together in an integrated manner? Evaluate if a combination of internal control deficiencies, when aggregated across components, represent a major deficiency.* <Update Summary of Deficiencies Template as needed> | The deficiency in Risk Assessment was detected by the organization's monitoring activities and an investigation did not show any deficiencies related to the Information and Communication, Control Environment, or Control Activities components. | |||
Is the overall system of internal control effective? <Y/N>* | N | |||
Basis for conclusion | The affected division makes up 20% of overall product sales (by number of units) for the company. It is estimated that the major deficiency at Division 4 has the potential to have 10% of the newly produced products in this division to be outside of specification, so there is a high likelihood that greater than 1% of the entity's shipped products would be outside of specification if the deficiency is not remediated. Management concludes that the system of internal control for this objective is not effective. | |||
* If it is determined that there is a major deficiency, management must conclude that the principle is not present and functioning and the system of internal control is not effective. |
Generated November 10, 2014 20:30:53 |