As the Framework applies to any type of entity—large and small public, private, governmental, and not-for-profit—so do the templates. Management can modify the templates to reflect unique facts and circumstances (e.g., specified objectives and sub-objectives, scope of application, organizational structure) and assessment processes for the entity. For example:

Organizations may leverage the templates to develop or configure technology-based solutions to support separate and/or ongoing evaluations and assessment processes. Technology-based solutions, ranging from a simple spreadsheet to sophisticated, enterprise-wide application software, can help the organization document and monitor the entity's controls and management's effectiveness assessment. Technology-based solutions can provide relevant information through system-generated reports and dashboards, which in turn may be used by stakeholders such as owners, a board of directors, ^{fn 1} senior management, operating unit and functional managers, control and compliance personnel, and auditors. Management considers the outputs of the technology-based solutions to support its assessment of a system of internal control, but management would generally exercise judgment about its overall assessment outside of its technology-based solution.

Organizations can customize the level and amount of detail included in the templates, as they deem necessary. For example, consider Principle 2, Exercises Oversight Responsibility. Controls that effect this principle likely occur at the entity level, and management may determine that documentation relating to these controls may not need to be extensive to support the evaluation. Accordingly, in this example, the templates can be used to fully document and assess whether this relevant principle is present and functioning. In contrast, controls to effect Principle 10, Selects and Develops Control Activities are likely deployed in many business processes throughout the organization and, accordingly, documentation relating to these controls would be expected to be more extensive and detailed. Documentation of management's evaluation of whether this principle is present and functioning would likely require additional templates, such as detailed risk and control matrices, which are not set forth in Illustrative Tools.

In summary, management may use these templates in several important ways:

If the templates are used as suggested, they:

To assist management in assessing whether a system of internal control reduces to an acceptable level the risk of not achieving an objective, the templates are organized to support a risk-based assessment approach. Four different templates are included: ^{fn 2}

The diagram above shows the relationship between each of the templates and the expected flow of key information (i.e., evaluation summaries and internal control deficiencies). An assessment process, as reflected in the templates, would likely proceed as follows:

1.    Principle evaluation—Considering the controls to effect the principle. Internal control deficiencies would be identified along with an initial severity determination.

2.    Component evaluation—Considering the roll up of the results of the component's principle evaluations. The severity of internal control deficiencies is re-evaluated considering whether controls to effect other principles within and across components compensate for the deficiency.

3.    Assessment of the effectiveness of internal control—Considering the roll up of the results of the component evaluations and assessing whether the components are operating together in an integrated manner by evaluating whether any internal control deficiencies aggregate to a major deficiency.

As economic, industry, and regulatory environments change, the scope and nature of an entity's leadership, priorities, business model, organization, business processes, and activities need to adapt and evolve. Internal control effective within one set of conditions may not necessarily be effective when those conditions change significantly. As part of risk assessment, management identifies changes that could significantly impact the entity's system of internal control and takes action as necessary. Accordingly, after an initial assessment, management continually assesses the effectiveness of the system of internal control, and while the process is depicted here as serial, in practice it is likely to be iterative.