COSO Committee of Sponsoring Organizations of the Treadway Commission
Next |
May 2013
This project was commissioned by COSO, which is dedicated to providing thought leadership through the development of comprehensive frameworks and guidance on internal control, enterprise risk management, and fraud deterrence designed to improve organizational performance and oversight and to reduce the extent of fraud in organizations. COSO is a private sector initiative, jointly sponsored and funded by:
-
American Accounting Association (AAA)
-
American Institute of Certified Public Accountants (AICPA)
-
Financial Executives International (FEI)
-
Institute of Management Accountants (IMA)
-
The Institute of Internal Auditors (IIA)
Table of Contents
-
- Using This Document
- Considerations for External Financial Reporting
- Structure of the Compendium
-
- Demonstrates Commitment to Integrity and Ethical Values
-
- Points of Focus
- Approaches and Examples for Applying the Principle
-
- Approach: Establishing Standards of Conduct
- Example: Defining, Communicating, and Regularly Updating the Code of Business Conduct and Ethical Standards
- Approach: Leading by Example on Matters of Integrity and Ethics
- Example: Using a Company Newsletter to Reinforce Expectations of Integrity and Ethics
- Approach: Evaluating Management and Other Personnel, Outsourced Service Providers, and Business Partners for Adherence to Standards of Conduct
- Example: Conducting Ethics Audits
- Example: Evaluating Misconduct Reported through an Anonymous Hotline
- Approach: Developing Processes to Report and Promptly Act on Deviations from Standards of Conduct
- Example: Taking Action when Deviations Occur
- Exercises Oversight Responsibility
-
- Points of Focus
- Approaches and Examples for Applying the Principle
-
- Approach: Establishing the Roles, Responsibilities, and Delegation of Authority of the Board of Directors
- Example: Reviewing and Documenting Key Activities of the Audit Committee
- Example: Reviewing Governmental Agency Financial Results and Underlying Internal Control
- Approach: Establishing Policies and Practices for Meetings between the Board of Directors and Management
- Example: Establishing an Audit Committee Meeting Calendar
- Example: Preparing Effectively for Meetings
- Approach: Identifying and Reviewing Board of Director Candidates
- Example: Changing the Board Composition of a Closely Held Company
- Example: Assessing and Disclosing Director Qualifications
- Approach: Reviewing Management's Assertions and Judgments
- Example: Reviewing Financial Statement Estimates
- Approach: Obtaining an External View
- Example: Interacting with Auditors
- Approach: Considering Whistle-Blower Information about Financial Statement Errors and Irregularities
- Example: Assessing the Potential of Management Override
- Example: Investigating and Reporting Whistle-Blower Allegations
- Establishes Structure, Authority, and Responsibility
-
- Points of Focus
- Approaches and Examples for Applying the Principle
-
- Approach: Defining Roles and Reporting Lines and Assessing Them for Relevance
- Example: Reorganizing to Support Control Structure
- Example: Redefining Roles with CEO and Board Input
- Approach: Defining Authority at Different Levels of Management
- Example: Maintaining an Authority and Approval Matrix
- Approach: Maintaining Job Descriptions and Service-Level Agreements
- Example: Aligning Roles and Responsibilities with Objectives
- Example: Maintaining Control while Engaging Outside Service Providers
- Approach: Defining the Role of Internal Auditors
- Example: Reviewing and Approving the Internal Audit Plan
- Demonstrates Commitment to Competence
-
- Points of Focus
- Approaches and Examples for Applying the Principle
-
- Approach: Establishing Required Knowledge, Skills, and Expertise
- Example: Periodically Reviewing Policies
- Approach: Linking Competence Standards to Established Policies and Practices in Hiring, Training, and Retention Decisions
- Example: Recruiting and Retaining Key Financial Reporting Positions
- Example: Defining Performance Expectations
- Approach: Identifying and Delivering Financial Reporting–Related Training as Needed
- Example: Implementing Complex Accounting Standards
- Approach: Selecting Appropriate Outsourced Service Providers
- Example: Retaining External Tax Assistance
- Approach: Evaluating Competence and Behavior
- Example: Periodically Assessing Performance
- Example: Audit Committee Review of Managers’ Roles
- Approach: Evaluating the Capacity of Finance Personnel
- Example: Assessing the Adequacy of Staffing Levels for Financial Reporting
- Example: Aligning Competencies with Key Financial Reporting Positions
- Approach: Developing Alternate Candidates for Key Financial Reporting Roles
- Example: Addressing Succession Planning
- Enforces Accountability
-
- Points of Focus
- Approaches and Examples for Applying the Principle
-
- Approaches: Defining and Confirming Responsibilities
- Example: Cascading Responsibilities throughout the Organization and Certifying Results
- Approach: Developing Balanced Performance Measures, Incentives, and Rewards
- Example: Defining and Communicating the Basis for Reward
- Approach: Evaluating Performance Measures for Intended Influence
- Example: Establishing and Overseeing Performance Measures, Incentives, and Rewards
- Approach: Linking Compensation and Other Rewards to Performance
- Example: Aligning Incentives with Ethics and Values
- Example: Providing Recognition for Suggestions Made to Enhance Internal Control
-
- Specifies Relevant Objectives
-
- Points of Focus
- Approaches and Examples for Applying the Principle
-
- Approach: Identifying Financial Statement Accounts, Disclosures, and Assertions
- Example: Linking Accounts, Assertions, and Risks
- Approach: Specifying Financial Reporting Objectives
- Example: Specifying Objectives
- Example: Assessing the Suitability of Specified Objectives
- Approach: Assessing Materiality
- Example: Assessing Materiality for a Private Company Financial Statement
- Approach: Reviewing and Updating Understanding of Applicable Standards
- Example: Reviewing Financial Accounting Policies
- Example: Reviewing and Updating Understanding of Applicable Standards
- Example: Reviewing and Updating Statutory Reporting Requirements
- Approach: Considering the Range of Entity Activities
- Example: Considering the Range of Assessment Activities
- Identifies and Analyzes Risks
-
- Points of Focus
- Approaches and Examples for Applying the Principle
-
- Approach: Applying a Risk Identification Process
- Example: Analyzing Risk across Functions
- Approach: Assessing Risks to Significant Financial Statement Accounts
- Example: Assessing Risks to Significant Financial Statement Accounts
- Example: Using Risk Ratings
- Approach: Meeting with Entity Personnel
- Example: Analyzing Risk for Information Technology
- Approach: Assessing the Likelihood and Significance of Identified Risks
- Example: Identifying and Responding to Risk
- Example: Using Benchmark Data to Assess Significance and Response to Risk
- Approach: Considering Internal and External Factors
- Example: Analyzing Risks from External Factors
- Example: Considering Changes in Information Systems
- Approach: Evaluating Risk Responses
- Example: Considering Risk Response in a Revenue Process
- Assesses Fraud Risk
-
- Points of Focus
- Approaches and Examples for Applying the Principle
-
- Approach: Conducting Fraud Risk Assessments
- Example: Assessing Fraud Risk
- Approach: Considering Approaches to Circumvent or Override Controls
- Example: Maintaining Oversight
- Approach: Considering Fraud Risk in the Internal Audit Plan
- Example: Identifying and Analyzing Risk of Material Omission and Misstatement Due to Fraud
- Approach: Reviewing Incentives and Pressures Related to Compensation Programs
- Example: Analyzing Compensation Structure
- Identifies and Analyzes Significant Change
-
- Points of Focus
- Approaches and Examples for Applying the Principle
-
- Approach: Assessing Change in the External Environment
- Example: Reacting to Significant Change Caused by External Factors
- Approach: Conducting Risk Assessments Relating to Significant Change
- Example: Updating Risk Assessment for a New CEO
- Example: Responding to Significant Change from International Exposure
- Example: Responding to Significant Change from an Acquisition
- Approach: Considering Change through Succession
- Example: Planning for Executive Transition
- Approach: Considering CEO and Senior Executive Changes
- Example: Preparing for a Change in CEO
-
- Selects and Develops Control Activities
-
- Points of Focus
- Approaches and Examples for Applying the Principle
-
- Approach: Using Matrices, Workshops, or an Inventory of Control Activities to Map Identified Risks to Control Activities
- Example: Using Workshops to Map Identified Risks to Control Activities
- Example: Using a Risk and Controls Matrix to Map Risks to Control Activities
- Example: Using an Inventory of Risks and Control Activities
- Approach: Implementing or Assessing Control Activities when Outsourcing to a Third Party
- Example: Obtaining a Report on Controls at a Service Organization from a Service Payroll Provider
- Example: Implementing or Assessing Control Activities when a Report on Controls at a Service Organization is Not Available
- Approach: Considering the Types of Control Activities
- Example: Balancing the Types of Control Activities
- Example: Evaluating Preventive versus Detective Control Activities
- Example: Setting the Threshold for Business Performance Reviews
- Example: Controlling Significant Accounting Estimates
- Example: Automating Balance Sheet Reconciliations
- Approach: Considering Alternative Control Activities to the Segregation of Duties
- Example: Using Alternative Control Activities when Access to Purchasing Transactions Are Not Segregated
- Approach: Identifying Incompatible Functions
- Example: Manually Assessing Incompatible Functions Across an Entity
- Example: Using Automated Tools to Enforce the Segregation of Incompatible Functions
- Selects and Develops General Controls over Technology
-
- Points of Focus
- Approaches and Examples for Applying the Principle
-
- Approach: Using Risk and Control Matrices to Document Technology Dependencies
- Example: Using a Walkthrough to Understand Technology Dependencies
- Approach: Evaluating End-User Computing
- Example: Evaluating Financial Close End-User Spreadsheet Control Activities
- Approach: Implementing or Assessing Control Activities when Outsourcing IT Functions to a Third Party
- Example: Obtaining a Report on Controls at a Service Organization from a Cloud-Based Service Provider
- Approach: Configuring the IT Infrastructure to Support Restricted Access and Segregation of Duties
- Example: Configuring the IT Infrastructure to Support Restricted Access and Segregation of Duties
- Approach: Configuring IT to Support the Complete, Accurate, and Valid Processing of Transactions and Data
- Example: Configuring IT to Support the Complete, Accurate, and Valid Processing of Transactions and Data
- Approach: Administering Security and Access
- Example: Establishing Logical Security
- Approach: Applying a System Development Life Cycle over Packaged Software
- Example: Managing Changes to Packaged Software
- Approach: Applying a System Development Life Cycle over Software Developed In-House
- Example: Managing Changes to Custom Software
- Example: Varying Control Activities in an SDLC Based on Risk
- Deploys through Policies and Procedures
-
- Points of Focus
- Approaches for Applying the Principle
-
- Approach: Developing and Documenting Policies and Procedures
- Example: Using Templates to Document Policies
- Example: Establishing Policies and Procedures
- Example: Establishing Responsibilities for Reviewing Financial Statements
- Example: Reassessing Policies and Procedures for Revenue Recognition
- Example: Reviewing Cost Overruns by Competent Personnel
- Example: Performing Control Activities in a Timely Manner
- Example: Taking Corrective Action
- Approach: Deploying Control Activities through Business Unit or Functional Leaders
- Example: Deploying Control Activities through a Central Control Function
- Approach: Conducting Regular and Ad Hoc Assessments of Control Activities
- Example: Regularly Assessing Policies and Procedures
- Example: Ad Hoc Assessing of Control Activities
-
- Uses Relevant Information
-
- Points of Focus
- Approaches and Examples for Applying the Principle
-
- Approach: Creating an Inventory of Information Requirements
- Example: Evaluating Business Activities to Identify Information Requirements
- Example: Maintaining Data Flow Diagrams, Flowcharts, Narratives, and Procedures Manuals
- Approach: Obtaining Information from External Sources
- Example: Gathering Information from External Sources
- Example: Capturing Information through Electronic Data Interchange
- Approach: Obtaining Information from Non-Finance Management
- Example: Conducting Quarterly Interviews of Operations and Other Management
- Example: Obtaining Operating Information for Financial Reporting
- Approach: Creating and Maintaining Information Repositories
- Example: Using a Data Warehouse to Facilitate Access to Information
- Approach: Using an Application to Process Data into Information
- Example: Data Capture and Processing for the Purchasing and Payables Cycle
- Approach: Enhancing Information Quality through a Data Governance Program
- Example: Validating Data and Information
- Approach: Identifying, Securing, and Retaining Financial Data and Information
- Example: Identifying and Protecting Financial Data and Information
- Example: Identifying and Classifying Data for Financial Reporting
- Communicates Internally
-
- Points of Focus
- Approaches and Examples for Applying the Principle
-
- Approach: Communicating Information Regarding External Financial Reporting Objectives and Internal Control
- Example: Using Communications Programs to Reinforce Internal Control
- Example: Using an Internal Accounting and Finance Conference to Reinforce Policy Changes
- Approach: Communicating Internal Control Responsibilities
- Example: Using Governance, Risk, and Compliance Technology to Manage Internal Controls
- Approach: Developing Guidelines for Communication to the Board of Directors
- Example: Facilitating Communication between Executive Management and the Board of Directors
- Approach: Reviewing Financial and Internal Control Information with the Board of Directors
- Example: Preparing Financial and Internal Control Reporting Package for Discussion with the Board
- Approach: Communicating a Whistle-Blower Program to Company Personnel
- Example: Employee Ethics Hotline
- Approach: Communicating through Alternative Reporting Channels
- Example: Establishing a Mentoring Program to Encourage Communicating with Management
- Approach: Establishing Cross-Functional and Multidirectional Internal Control Communication Processes and Forums
- Example: Establishing a Cross-Functional Internal Control Committee
- Communicates Externally
-
- Points of Focus
- Approaches for Applying the Principle
-
- Approach: Communicating Information to Relevant External Parties
- Example: Communicating Internal Control Information to a Federal Agency
- Example: Establishing Periodic Communications with Contractors and Outsourced Service Providers
- Approach: Obtaining Information from Outside Sources
- Example: Communications from Regulatory Bodies
- Example: Obtaining Information from External Sources to Assist with Accounting Estimates
- Approach: Surveying External Parties
- Example: Conducting Discussions with Customers
- Approach: Communicating the Whistle-Blower Program to Outside Parties
- Example: Facilitating Communication with External Parties
- Approach: Reviewing External Audit Communications
- Example: Managing and Assessing External Audit Communications
-
- Conducts Ongoing and/or Separate Evaluations
-
- Points of Focus
- Approaches and Examples for Applying the Principle
-
- Approach: Periodically Reviewing the Mix of Monitoring Activities
- Example: Changes in Business Operations
- Example: Changing the Internal Audit Plan
- Approach: Establishing a Baseline
- Example: Establishing a Baseline
- Approach: Identifying and Using Metrics
- Example: Using Metrics to Monitor Payroll
- Example: Using Built-In Operating Measures and Key Control Indicators
- Approach: Designing and Implementing a Dashboard
- Example: Using Dashboards to Relate Operating Information
- Approach: Using Technology to Support Monitoring Activities
- Example: Using Continuous Monitoring
- Example: Using Technology to Identify Trends
- Approach: Conducting Separate Evaluations
- Example: Investigating and Reporting Whistle-Blower Allegations
- Example: Identifying and Protecting Sensitive Financial Data and Information
- Example: Conducting Senior Financial Officer Visits
- Example: Using Self-Assessments
- Approach: Using Internal Audit to Conduct Separate Evaluations
- Example: Identifying and Analyzing Risk of Material Omission and Misstatement due to Fraud
- Example: Conducting Separate Evaluations
- Approach: Understanding Controls at an Outsourced Service Provider
- Example: Reviewing the Service Auditor's Report for Changes in Controls
- Evaluates and Communicates Deficiencies
-
- Points of Focus
- Approaches and Examples for Applying the Principle
-
- Approach: Assessing and Reporting Deficiencies
- Example: Identifying Sources of Deficiencies
- Example: Reporting Protocols for Identified Deficiencies
- Approach: Monitoring Corrective Action
- Example: Establishing Reporting Protocols for Identified Deficiencies
- Example: Follow-Up Reporting on Internal Audit Issues
- Approach: Developing Guidelines for Reporting Deficiencies
- Example: Reporting Deficiencies to the Board
- A: Examples by Topic
-
- Expectations for Governance Oversight
- Globalization of Markets and Operations
- Changes and Greater Complexity in the Business
- Demands and Complexities of Laws, Rules, Regulations, and Standards
- Expectations for Competencies and Accountabilities
- Use of, and Reliance on, Evolving Technologies
- Expectations Relating to Preventing or Detecting Fraud
- B: Public Comment Letters
Foreword
1. Introduction
2. Control Environment
3. Risk Assessment
4. Control Activities
5. Information and Communication
6. Monitoring Activities
Appendices
Next | ||
Copyright © 2013 – 2016 Committee of Sponsoring Organizations of the Treadway Commission and the American Accounting Association. All Rights Reserved. Use of materials is subject to COSO's Policy of Acceptable Use.
COSO FooterTo access this page, please login with your COSO credentials using the button below:
Login to COSOPlease enter your COSO login credentials below
Please contact marybeth.gripshover@aaahq.org with any questions