COSO Committee of Sponsoring Organizations of the Treadway Commission
The scenario applies equally to all types of entities. However, in a smaller entity or single-location entity there will likely be little or no difference between the entity-level and operating-unit-level controls.
Component Evaluation—Control Environment | ||||
---|---|---|---|---|
Present? (Y/N) | Functioning? (Y/N) | Explanation/Conclusion | ||
1. Demonstrates Commitment to Integrity and Ethical Values —The organization demonstrates a commitment to integrity and ethical values. | Y | Y | This principle was evaluated at both the entity level and operating unit level. Determined that this principle was present and functioning at operating unit A, but noted an internal control deficiency (CE 1-1) at the entity level that could impact the objectives at the operating unit level in the long term. Since the objective of this review is focused on the operating unit, and adequate controls exist in the operating unit, it was determined that the principle was present and functioning despite the internal control deficiency. | |
Identification No. | Internal control deficiency description | Evaluate internal control deficiency severity: (Consider whether the controls to effect another principle compensate for the internal control deficiency.) | List internal control deficiencies related to another principle that may impact this internal control deficiency | |
Is internal control deficiency a major deficiency? (Y/N) | Comments/ Compensating Controls | |||
CE 1-1 | There is no requirement at the entity level to regularly confirm that personnel have read and understood the ethics policies. | N | Compensating control: All personnel at operating unit A are annually required to acknowledge that they have read and understand the ethics policies. | |
Present? (Y/N) | Functioning? (Y/N) | Explanation/Conclusion | ||
2. Exercises Oversight Responsibility—The board of directors demonstrates independence from management and exercises oversight for the development and performance of internal control. | Y | Y | This principle was evaluated at the entity level. No internal control deficiencies noted. | |
Identification No. | Internal control deficiency description | Evaluate internal control deficiency severity: (Consider whether the controls to effect another principle compensate for the internal control deficiency.) | List internal control deficiencies related to another principle that may impact this internal control deficiency | |
Is internal control deficiency a major deficiency? (Y/N) | Comments/ Compensating Controls | |||
N/A | N/A | N/A | N/A | N/A |
Present? (Y/N) | Functioning? (Y/N) | Explanation/Conclusion | ||
3. Establishes Structure, Authority, and Responsibility—Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives. | Y | Y | This principle was evaluated at both the entity level and operating unit level. No internal control deficiencies noted. | |
Identification No. | Internal control deficiency description | Evaluate internal control deficiency severity: (Consider whether the controls to effect another principle compensate for the internal control deficiency.) | List internal control deficiencies related to another principle that may impact this internal control deficiency | |
Is internal control deficiency a major deficiency? (Y/N) | Comments/ Compensating Controls | |||
N/A | N/A | N/A | N/A | N/A |
Present? (Y/N) | Functioning? (Y/N) | Explanation/Conclusion | ||
4. Demonstrates Commitment to Competence—The organization demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives. | Y | Y | This principle was evaluated at both the entity level and operating unit level. No internal control deficiencies noted. | |
Identification No. | Internal control deficiency description | Evaluate internal control deficiency severity: (Consider whether the controls to effect another principle compensate for the internal control deficiency.) | List internal control deficiencies related to another principle that may impact this internal control deficiency | |
Is internal control deficiency a major deficiency? (Y/N) | Comments/ Compensating Controls | |||
N/A | N/A | N/A | N/A | N/A |
Present? (Y/N) | Functioning? (Y/N) | Explanation/Conclusion | ||
5. Enforces Accountability—The organization holds individuals accountable for their internal control responsibilities in the pursuit of objectives. | Y | Y | This principle was evaluated at the operating unit level. No internal control deficiencies noted. | |
Identification No. | Internal control deficiency description | Evaluate internal control deficiency severity: (Consider whether the controls to effect another principle compensate for the internal control deficiency.) | List internal control deficiencies related to another principle that may impact this internal control deficiency | |
Is internal control deficiency a major deficiency? (Y/N) | Comments/ Compensating Controls | |||
N/A | N/A | N/A | N/A | N/A |
Explanation/Conclusion | ||||
Evaluate deficiencies across the component:* Evaluate if any internal control deficiencies or combination of internal control deficiencies, when considered across the component, represent a major deficiency.** | Determined that the internal control deficiency noted in Principle 1 (CE1-1) does not represent a major deficiency. Because the objective of this review is focused on the operating unit, it was determined that the entity-level internal control deficiency was mitigated by the controls at the operating unit. We acknowledge that the internal control deficiency at the entity level could impact the operating unit at some point and plan to implement an entity-level ethics and compliance process. | |||
Evaluate the component using judgment and based on the principles and the deficiencies.** | Yes/No | Explanation/Conclusion | ||
Is the component present? | Yes | All principles are present despite internal control deficiency noted. | ||
Is the component functioning? | Yes | All principles are functioning despite internal control deficiency noted. | ||
* Note: Record deficiencies in Summary of Deficiencies Template. ** If it is determined that there is a major deficiency, management must conclude that the component is not present and functioning and the system of internal control is not effective. |
Component Evaluation—Risk Assessment | ||||
---|---|---|---|---|
Present? (Y/N) | Functioning? (Y/N) | Explanation/Conclusion | ||
6. Specifies Suitable Objectives—The organization specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives. | Y | Y | This principle was evaluated at the operating unit level. No internal control deficiencies noted. | |
Identification No. | Internal control deficiency description | Evaluate internal control deficiency severity: (Consider whether the controls to effect another principle compensate for the internal control deficiency.) | List internal control deficiencies related to another principle that may impact this internal control deficiency | |
Is internal control deficiency a major deficiency? (Y/N) | Comments/ Compensating Controls | |||
N/A | N/A | N/A | N/A | N/A |
Present? (Y/N) | Functioning? (Y/N) | Explanation/Conclusion | ||
7. Identifies and Analyzes Risks—The organization identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed. | Y | Y | This principle was evaluated at the operating unit level. No internal control deficiencies noted. | |
Identification No. | Internal control deficiency description | Is internal control deficiency a major deficiency? (Y/N) | ||
N/A | N/A | N/A | ||
Present? (Y/N) | Functioning? (Y/N) | Explanation/Conclusion | ||
8. Assesses Fraud Risk—The organization considers the potential for fraud in assessing risks to the achievement of objectives. | Y | Y | This principle was evaluated at the operating unit level. No internal control deficiencies noted. | |
Identification No. | Internal control deficiency description | Evaluate internal control deficiency severity: (Consider whether the controls to effect another principle compensate for the internal control deficiency.) | List internal control deficiencies related to another principle that may impact this internal control deficiency | |
Is internal control deficiency a major deficiency? (Y/N) | Comments/ Compensating Controls | |||
N/A | N/A | N/A | N/A | N/A |
Present? (Y/N) | Functioning? (Y/N) | Explanation/Conclusion | ||
9. Identifies and Analyzes Significant Change—The organization identifies and assesses changes that could significantly impact the system of internal control. | Y | Y | This principle was evaluated at the operating unit level. No internal control deficiencies noted. | |
Identification No. | Internal control deficiency description | Evaluate internal control deficiency severity: (Consider whether the controls to effect another principle compensate for the internal control deficiency.) | List internal control deficiencies related to another principle that may impact this internal control deficiency | |
Is internal control deficiency a major deficiency? (Y/N) | Comments/ Compensating Controls | |||
N/A | N/A | N/A | N/A | N/A |
Explanation/Conclusion | ||||
Evaluate deficiencies across the component:* Evaluate if any internal control deficiencies or combination of internal control deficiencies, when considered across the component, represent a major deficiency.** | N/A | |||
Evaluate the component using judgment and based on the principles and the deficiencies.** | Yes/No | Explanation/Conclusion | ||
Is the component present? | Yes | No internal control deficiencies noted. | ||
Is the component functioning? | Yes | No internal control deficiencies noted. | ||
* Note: Record deficiencies in Summary of Deficiencies Template. ** If it is determined that there is a major deficiency, management must conclude that the component is not present and functioning and the system of internal control is not effective. |
Component Evaluation—Control Activities | ||||
---|---|---|---|---|
Present? (Y/N) | Functioning? (Y/N) | Explanation/Conclusion | ||
10. Selects and Develops Control Activities—The organization selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels. | Y | Y | This principle was evaluated at the operating unit level. No internal control deficiencies noted. | |
Identification No. | Internal control deficiency description | Evaluate internal control deficiency severity: (Consider whether the controls to effect another principle compensate for the internal control deficiency.) | List internal control deficiencies related to another principle that may impact this internal control deficiency | |
Is internal control deficiency a major deficiency? (Y/N) | Comments/ Compensating Controls | |||
N/A | N/A | N/A | N/A | N/A |
Present? (Y/N) | Functioning? (Y/N) | Explanation/Conclusion | ||
11. Selects and Develops General Controls over Technology—The organization selects and develops general control activities over technology to support the achievement of objectives. | Y | Y | Evaluated this principle at the entity level (centralized data center) and operating unit level. We found an internal control deficiency related to network security control activities (CA11-1) at the centralized data center. However, the transaction-level security control activities at the operating unit effectively mitigate this internal control deficiency. | |
Identification No. | Internal control deficiency description | Evaluate internal control deficiency severity: (Consider whether the controls to effect another principle compensate for the internal control deficiency.) | List internal control deficiencies related to another principle that may impact this internal control deficiency | |
Is internal control deficiency a major deficiency? (Y/N) | Comments/ Compensating Controls | |||
CA 11-1 | Control activities are in place over the administration (addition, deletion, and modifications) of user access rights to the corporate network that is managed at the centralized data center. However, there is no periodic review of the network access. If the security administration process allows a user to have unauthorized access to the corporate network, this may go undetected for a period of time. | N | Compensating control: Transaction-level access control activities at the operating unit (i.e., application-specific access controls) effectively mitigate this internal control deficiency so it is not a major deficiency at the operating unit. While the internal control deficiency at the entity level may allow users to have unauthorized access to the entity's network, they should not be able to gain access to the operating unit's applications. | |
Present? (Y/N) | Functioning? (Y/N) | Explanation/Conclusion | ||
12. Deploys through Policies and Procedures—The organization deploys control activities through policies that establish what is expected and procedures that put the policies into action. | Y | Y | This principle was evaluated at both the entity level and operating unit level. No internal control deficiencies noted. | |
Identification No. | Internal control deficiency description | Evaluate internal control deficiency severity: (Consider whether the controls to effect another principle compensate for the internal control deficiency.) | List internal control deficiencies related to another principle that may impact this internal control deficiency | |
Is internal control deficiency a major deficiency? (Y/N) | Comments/ Compensating Controls | |||
N/A | N/A | N/A | N/A | N/A |
Explanation/Conclusion | ||||
Evaluate deficiencies across the component:* Evaluate if any internal control deficiencies or combination of internal control deficiencies, when considered across the component, represent a major deficiency.** | Determined that the internal control deficiency noted in Principle 11 (CA11-1) is effectively mitigated by the operating unit transaction-level access controls. Consequently, determined that these internal control deficiencies do not represent a major deficiency. | |||
Evaluate the component using judgment and based on the principles and the deficiencies.** | Yes/No | Explanation/Conclusion | ||
Is the component present? | Yes | All principles present despite internal control deficiencies. | ||
Is the component functioning? | Yes | All principles functioning despite internal control deficiencies. | ||
* Note: Record deficiencies in Summary of Deficiencies Template. ** If it is determined that there is a major deficiency, management must conclude that the component is not present and functioning and the system of internal control is not effective. |
Component Evaluation—Information and Communication | ||||
---|---|---|---|---|
Present? (Y/N) | Functioning? (Y/N) | Explanation/Conclusion | ||
13. Uses Relevant Information—The organization obtains or generates and uses relevant, quality information to support the functioning of internal control. | Y | Y | This principle was evaluated at both the entity level and operating unit level. No internal control deficiencies noted. | |
Identification No. | Internal control deficiency description | Evaluate internal control deficiency severity: (Consider whether the controls to effect another principle compensate for the internal control deficiency.) | List internal control deficiencies related to another principle that may impact this internal control deficiency | |
Is internal control deficiency a major deficiency? (Y/N) | Comments/ Compensating Controls | |||
N/A | N/A | N/A | N/A | N/A |
Present? (Y/N) | Functioning? (Y/N) | Explanation/Conclusion | ||
14. Communicates Internally—The organization internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control. | Y | Y | Evaluated this principle at the operating unit level and found no internal control deficiencies. However, noted an internal control deficiency (IC14-1) at the entity level. Determined that there were compensating controls and that this deficiency did not preclude us from concluding that the principle was present and functioning at the operating unit level. | |
Identification No. | Internal control deficiency description | Evaluate internal control deficiency severity: (Consider whether controls to effect other principles within and across components compensate for the internal control deficiency.) | List internal control deficiencies related to another principle that may impact this internal control deficiency | |
Is internal control deficiency a major deficiency? (Y/N) | Comments/ Compensating Controls | |||
IC14-1 | There is no regular communication at the entity level about responsibilities for internal control. | Internal control deficiency | Compensating control: Determined that responsibilities for internal control are established at the operating unit level. | |
Present? (Y/N) | Functioning? (Y/N) | Explanation/Conclusion | ||
15. Communicates Externally—The organization communicates with external parties regarding matters affecting the functioning of internal control. | Y | Y | This principle was evaluated at the entity level. No internal control deficiencies noted. | |
Identification No. | Internal control deficiency description | Evaluate internal control deficiency severity: (Consider whether the controls to effect another principle compensate for the internal control deficiency.) | List internal control deficiencies related to another principle that may impact this internal control deficiency | |
Is internal control deficiency a major deficiency? (Y/N) | Comments/ Compensating Controls | |||
N/A | N/A | N/A | N/A | N/A |
Explanation/Conclusion | ||||
Evaluate deficiencies across the component:* Evaluate if any internal control deficiencies or combination of internal control deficiencies, when considered across the component, represent a major deficiency.** | Determined that the entity-level internal control deficiency in Principle 14 (IC14-1) is effectively mitigated by the operating unit controls. As such, determined that this did not represent a major deficiency. | |||
Evaluate the component using judgment and based on the principles and the deficiencies.** | Yes/No | Explanation/Conclusion | ||
Is the component present? | Yes | All principles present despite internal control deficiency. | ||
Is the component functioning? | Yes | All principles functioning despite internal control deficiency. | ||
* Note: Record deficiencies in Summary of Deficiencies Template. ** If it is determined that there is a major deficiency, management must conclude that the component is not present and functioning and the system of internal control is not effective. |
Component Evaluation—Monitoring Activities | ||||
---|---|---|---|---|
Present? (Y/N) | Functioning? (Y/N) | Explanation/Conclusion | ||
16. Conducts Ongoing and/or Separate Evaluations—The organization selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning. | Y | Y | This principle was evaluated at the entity level. No internal control deficiencies noted. | |
Identification No. | Internal control deficiency description | Evaluate internal control deficiency severity: (Consider whether the controls to effect another principle compensate for the internal control deficiency.) | List internal control deficiencies related to another principle that may impact this internal control deficiency | |
Is internal control deficiency a major deficiency? (Y/N) | Comments/ Compensating Controls | |||
N/A | N/A | N/A | N/A | N/A |
Present? (Y/N) | Functioning? (Y/N) | Explanation/Conclusion | ||
17. Evaluates and Communicates Deficiencies—The organization evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate. | Y | Y | This principle was evaluated at the entity level. No internal control deficiencies noted. | |
Identification No. | Internal control deficiency description | Evaluate internal control deficiency severity: (Consider whether the controls to effect another principle compensate for the internal control deficiency.) | List internal control deficiencies related to another principle that may impact this internal control deficiency | |
Is internal control deficiency a major deficiency? (Y/N) | Comments/ Compensating Controls | |||
N/A | N/A | N/A | N/A | N/A |
Explanation/Conclusion | ||||
Evaluate deficiencies across the component:* Evaluate if any internal control deficiencies or combination of internal control deficiencies, when considered across the component, represent a major deficiency.** | N/A | |||
Evaluate the component using judgment and based on the principles and the deficiencies.** | Yes/No | Explanation/Conclusion | ||
Is the component present? | Yes | No internal control deficiencies noted. | ||
Is the component functioning? | Yes | No internal control deficiencies noted. | ||
* Note: Record deficiencies in Summary of Deficiencies Template. ** If it is determined that there is a major deficiency, management must conclude that the component is not present and functioning and the system of internal control is not effective. |
Generated November 10, 2014 20:30:53 |