COSO Committee of Sponsoring Organizations of the Treadway Commission
Committee of Sponsoring Organizations of the Treadway Commission
The scenarios present several practical examples of how the templates can be used to support an assessment of effectiveness of a system of internal control based on the requirements set forth in the Framework. Each scenario is designed to illustrate a particular aspect, or set of related aspects, of the assessment process, and consists of two parts:
-
Background material to provide context for the scenario (e.g., company background, relevant paragraphs of the Framework, summary of key points)
-
Completed templates
The scenarios highlight important considerations in performing an assessment. They do not present a comprehensive view of how an organization would perform the assessment of internal control and they do not present all possible aspects of the assessment process. The templates that accompany the scenarios are intended to serve as examples and should not be viewed as comprehensive documentation depicting all relevant controls to effect principles and assessments. Management should consider the Framework only for designing and implementing a system of internal control.
The content in the templates is meant to enable readers to focus on the concepts illustrated in the scenarios. It does not necessarily show an acceptable level of documentation set by management or established by laws, rules, regulations, and standards. For example, the summary of controls may not be a complete list. Also, only those templates relevant to the purpose of the scenario are included.
Each scenario is pertinent to any type of entity, although specific facts and circumstances may not apply. Each scenario is accompanied by a brief summary of any differences that are likely to exist between the scenario and other types of entities.
The severity of internal control deficiencies contained in the scenarios is included to illustrate considerations in performing an assessment. Except for Scenario C (How does a material weakness impact relevant principles, components, and system of internal control?), the scenarios use the terms "internal control deficiency" and "major deficiency," as defined in the Framework in Chapter 3, Effective Internal Control. The term "internal control deficiency" refers to a shortcoming in a component or components and relevant principle(s) that reduces the likelihood of an entity achieving its objectives. An internal control deficiency or combination of deficiencies that severely reduces the likelihood that the entity can achieve its objectives is referred to as a "major deficiency."
Regulators, standard-setting bodies, and other relevant third parties may establish criteria for defining the severity of, evaluating, and reporting internal control deficiencies. The Framework recognizes and accommodates their authority and responsibility as established through laws, rules, regulations, and external standards.
In those instances where an entity is applying a law, rule, regulation, or external standard, management should use only the relevant criteria contained in those documents to classify the severity of internal control deficiencies rather than relying on the classifications set forth in the Framework. The Framework recognizes that any internal control deficiency that results in a system of internal control not being effective pursuant to such criteria would also preclude management from concluding that the entity has met the requirements for effective internal control in accordance with the Framework (e.g., a major non-conformity relating to operations or compliance objectives, or a material weakness relating to compliance or external reporting objectives).
For example, a company that must comply with the classification criteria established by the United States Securities Exchange Commission (SEC) would use only the definitions and guidance set out for classifying internal control deficiencies as a material weakness, significant deficiency, or control deficiency. If an internal control deficiency is determined to rise to the level of a material weakness, the organization would not be able to determine that a component and relevant principles are present and functioning and, therefore, conclude that the entity's system of internal control over financial reporting has met the requirements for effective internal control as set out in the Framework. If an internal control deficiency does not rise to the level of material weakness the entity could achieve effective internal control over financial reporting. Scenario C uses the SEC classification criteria because the example entity is a US public company subject to SEC rules and regulations.
For internal reporting and other operations objectives, senior management, with board of director oversight, may establish objective criteria for evaluating internal control deficiencies and for how deficiencies should be reported to those responsible for achieving these objectives.
Within the boundaries established by laws, rules, regulations, and standards, management exercises judgment to assess the severity of an internal control deficiency, or combination of deficiencies, in determining whether each of the components and relevant principles is present and functioning and components are operating together, and ultimately in concluding on the effectiveness of the entity's system of internal control.
| Generated November 10, 2014 20:30:53 |