COSO Committee of Sponsoring Organizations of the Treadway Commission
Principle 12: The organization deploys control activities through policies that establish what is expected and procedures that put policies into action.
The following points of focus highlight important characteristics relating to this principle:
- Establishes Policies and Procedures to Support Deployment of Management's Directives—Management establishes control activities that are built into business processes and employees' day-to-day activities through policies establishing what is expected and relevant procedures specifying actions.
- Establishes Responsibility and Accountability for Executing Policies and Procedures—Management establishes responsibility and accountability for control activities with management (or other designated personnel) of the business unit or function in which the relevant risks reside.
- Performs in a Timely Manner—Responsible personnel perform control activities in a timely manner as defined by the policies and procedures.
- Takes Corrective Action—Responsible personnel investigate and act on matters identified as a result of executing control activities.
- Performs Using Competent Personnel—Competent personnel with sufficient authority perform control activities with diligence and continuing focus.
- Reassesses Policies and Procedures—Management periodically reviews control activities to determine their continued relevance, and refreshes them when necessary.
Policies reflect management's statement of what should be done to effect control. Such statements may be documented, explicitly stated in communications, or implied through management's actions and decisions. Procedures consist of actions that implement a policy.
Control activities specifically relate to those policies and procedures that contribute to the mitigation of risks to the achievement of objectives to acceptable levels. A policy, for instance, might call for review of customer trading activities by a securities dealer retail branch manager. The procedure is the review itself, performed in a timely manner and with attention given to factors set forth in the policy, such as the nature and volume of securities traded, and their relation to customer net worth and age.
Policies and procedures are often communicated orally. Unwritten policies can be effective where the policy is a long-standing and well-understood practice, and in smaller organizations where communication channels involve limited management layers and close interaction with and supervision of personnel. Though a cost-effective alternative for some entities, unwritten policies and procedures can be easier to circumvent, can be costly to the organization if there is turnover in personnel, and can reduce accountability. When subject to external party review, policies and procedures would be expected to be formally documented. (fn 24)
But whether or not a policy is in writing, it must establish clear responsibility and accountability, which ultimately resides with the management of the entity and subunit where the risk resides. Procedures should be clear on the responsibilities of personnel performing the control activity. Also, policies need to be deployed thoughtfully and conscientiously, and the related procedures must be timely and be performed diligently and consistently by competent personnel.
The procedures should specify the timing of when a control activity and any follow-up corrective actions are performed. Untimely procedures can reduce the usefulness of the control activity. For example, a regular review of user accounts for inappropriate access rights is conducted by the business process owner on a timely basis to reduce the risk of unauthorized access to an acceptable level. Longer intervals between reviews increase the potential for untimely detection of unauthorized access: an inappropriate right granted just after one review can persist until the next.
In conducting a control activity, matters identified for follow-up should be investigated and, if appropriate, corrective action taken. For example, consider a case where a reconciliation of cash accounts detects a discrepancy in one of the accounts. The accounting clerk follows up with the person in charge of recording cash and determines that a cash receipt was not posted properly. The receipt is reapplied and the correction is reflected in the reconciliation.
A well-designed control activity generally cannot be conducted without competent personnel with sufficient authority to perform the control activity. The level of competency required to perform a control activity will depend on factors such as the complexity of the control activity and the complexity and volume of the underlying transactions. Furthermore, a procedure will not be useful if performed by rote, without a sharp, continuing focus on the risks to which the policy is directed. Sufficient authority may be needed to fully perform all aspects of the control such as taking corrective action.
Management should periodically reassess policies and procedures and related control activities for continued relevance and effectiveness, independently of responding to significant changes in the entity's risks or objectives. Significant changes would be evaluated through the risk assessment process. Changes in people, process, and technology may reduce the effectiveness of control activities or make some control activities redundant. Whenever one of these changes occurs, management should reassess the relevance of the existing controls and refresh them when necessary. For example, management may upgrade the purchasing module of an ERP system and introduce automated transaction control activities that make the old manual control activities redundant and, hence, no longer necessary.
Generated November 9, 2014 22:46:48