COSO Committee of Sponsoring Organizations of the Treadway Commission
There are multiple ways to approach this assessment, for example:
- Evaluate each component across the entire company.
- Evaluate all components for each division and roll them up.
- Evaluate all components for each major geography and roll them up.
There is no one right way to do this; it depends on the way the organization is set up. In this scenario, processes and controls are similar across geographies, but differ between divisions as the company is decentralized and each division acts like its own company. Because of this decentralization, management determines that the most logical approach is to evaluate all the components for each division and roll them up to do an overall assessment at the entity level. The scenario illustrates how this rollup occurs for each division in the component summary template, an overall component conclusion, and a list of the deficiencies.
Only the Risk Assessment component is provided to illustrate the scenario.
For this example, management finds that Division 4 has a major deficiency within the Risk Assessment component and determines that this component is not present and functioning for that division.
The major deficiency is that the process to analyze risks to determine how they should be managed is not functioning. It is determined that the major deficiency is isolated to this division.
The scenario illustrates that there is judgment involved in how an internal control deficiency at a division would need to be considered at the overall entity level.
The affected division is relatively small, making up 20% of overall product sales (by number of units) for the company. However, management estimates that the major deficiency has the potential to cause 10% of the newly produced products in this division to be outside of specification, so there is a high likelihood that more than 1% of the entity's shipped products would be outside of specification if the deficiency is not remediated. Management concludes that the system of internal control for this objective is not effective.
Generated November 10, 2014 20:30:53