Establish an internal control framework (US - COSO)



No foundation for controls (Control Environment)

1. Demonstrates Commitment to Integrity and Ethical Values—The organisation demonstrates a commitment to integrity and ethical values
   Risk: Employees (including board members) damage the reputation of the entity
   - Sets the tone at the top - The board of directors and management at all levels of the entity demonstrate through their directives, actions, and behaviour the importance of integrity and ethical values to support the functioning of the system of internal control
     * Examine documents, the intranet, and other means of publicity which express the board's and managers' views on integrity and ethics
     * During audits, consider if any weaknesses in internal control result from directors' and management's failure to support integrity and ethical values
     * Examine directors' and management's expenses. Ensure that they comply with the rules set for other employees.
   - Establishes Standards of Conduct—the expectations of the board of directors and senior management concerning integrity and ethical values are defined in the entity’s standards of conduct and understood at all levels of the organisation and by outsourced service providers and business partners
     * Examine written standards of conduct
     * Examine standards for the use of e-mails, social media and the internet.
     * Ensure these reflect the standards of integrity and conduct required by the entity
     * Check that standards are publicised to all staff and external suppliers, for example on the entity's intranet, especially as part of induction procedures
   - Evaluates Adherence to Standards of Conduct—processes are in place to evaluate the performance of individuals and teams against the entity’s expected standards of conduct
     * Examine the indicators set to identify issues and trends related to the standards of conduct
     * Examine processes, for example within the Human Resources department, which are in place to evaluate the performance of individuals and teams against the organisation's expected standards of conduct
     * Examine IT checks to ensure that users are adhering to the standards covering e-mails, social media and the use of the internet
   - Addresses Deviations in a Timely Manner—deviations from the entity’s expected standards of conduct are identified and remedied in a timely and consistent manner
     * Examine the systems for notifying the board of deviations
     * Check that recorded deviations have been remedied in a timely and consistent manner
     * Check the entity's written procedures for the handling of complaints and look for evidence that they are followed
     * During audits, check the action taken to remedy deviations and the discipline applied where necessary

2. Exercises Oversight Responsibility—The board of directors demonstrates independence from management and exercises oversight of the development and performance of internal control
   Risk: Directors fail to recognise their responsibilities, or delegate them
   - Establishes Oversight Responsibilities—the board of directors identifies and accepts its oversight responsibilities in relation to established requirements and expectations
     * Examine evidence that the board has identified the expectations of the entity's stakeholders
     * Examine instructions from the board setting out how internal controls should be developed and implemented
     * Examine instructions from the board which formally retain or delegate its oversight responsibilities
   Risk: Directors fail to carry out their duties due to lack of knowledge or independence
   - Applies Relevant Expertise—the board of directors defines, maintains, and periodically evaluates the skills and expertise needed among its members to enable them to ask probing questions of senior management and take commensurate actions
     * Examine records from the last time the directors assessed the essential skills and knowledge they should have
     * Examine the qualifications of the board members
   - Operates Independently - the board of directors has sufficient members who are independent from management and demonstrate they are objective in evaluations and decision making
     * Examine the credentials of the non-executive board members to ensure they are independent
     * Ensure that independent directors are not financially dependent on their compensation as a board member
   Risk: Failure of internal control due to lack of oversight responsibility from directors
   - Control Environment—Establishing integrity and ethical values, oversight structures, authority and responsibility, expectations of competence, and accountability to the board.
     * Control environment: During audits, ensure that integrity and ethical values, structure, authority and responsibility, competence and accountability are present in the parts of the organisation being audited
   - Risk Assessment—Overseeing management’s assessment of risks to the achievement of objectives, including the potential impact of significant changes, fraud, and management override of internal control.
     * Risk assessment: During audits, ensure that directors are reviewing and commenting on management's assessment of risks to the achievement of objectives, including the potential impact of significant changes, fraud and management override of internal control
   - Control Activities—Providing oversight to senior management in the development and performance of control activities.
     * Control activities: During audits, check for guidance to senior management around the selection, development and deployment of control activities
   - Information and Communication—Analyzing and discussing information relating to the entity’s achievement of objectives.
     * Information and communication: check that the board is obtaining, reviewing and discussing historical information relating to the organisation's achievement of objectives
     * Information and communication: check that the board is obtaining, reviewing, discussing and acting upon forecast information relating to the organisation's achievement of objectives
   - Monitoring Activities - Assessing and overseeing the nature and scope of monitoring activities and management's evaluation and remediation of deficiencies
     * Monitoring activities: During audits, examine the information that the board receives to assess and oversee the nature and scope of monitoring activities and management's evaluation and remediation of deficiencies

3. Establishes Structure, Authority, and Responsibility—Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives
   Risk: Failure to achieve objectives due to lack of clear accountability
   - Considers All Structures of the Entity—management and the board of directors consider the multiple structures used (including operating units, legal entities, geographic distribution, and outsourced service providers) to support the achievement of objectives
     * Compare the accounts, which should list all subsidiary entities, with organisation charts and management circulation lists to ensure all parts of the entity have been identified
     * Examine the systems by which third parties are identified and recorded - will they record 100%?
     * Examine lists of major suppliers to check whether they are providing an outsourced service and have been identified
   - Establishes Reporting Lines—management designs and evaluates lines of reporting for each entity structure to enable execution of authorities and responsibilities and flow of information to manage the activities of the entity
     * Examine the organisation chart to ensure all managers are present and have clear lines of responsibility
     * Examine the accounts to ensure that each cost centre has a manager responsible for setting a budget and controlling expenditure, who is answerable to a senior manager
     * Ensure some senior managers have at least 'dotted line' responsibility to the board to allow for open communication on important issues
     * Lines of reporting are regularly reviewed to account for changes to the business model
   - Defines, Assigns, and Limits Authorities and Responsibilities—management and the board of directors delegate authority, define responsibilities, and use appropriate processes and technology to assign responsibilities and segregate duties as necessary at the various levels of the organisation
     * Board of Directors—Retains authority over significant decisions and reviews management’s assignments and limitations of authorities and responsibilities - examine written authorisation policies, for example over capital and expense projects, to ensure they are complete and appropriate
     * Senior Management—Establishes directives, guidance, and control to enable management and other personnel to understand and carry out their internal control responsibilities - during audits, check that managers have written job descriptions which clearly detail their responsibilities
     * Management—Guides and facilitates the execution of senior management directives at the entity and its subunits - during audits, examine instructions and how they were implemented
     * Personnel—Understands the entity’s standards of conduct, assessed risks to objectives, and the related control activities at their respective levels of the entity, the expected information and communication flow, and monitoring activities relevant to their achievement of the objectives - Human Resources audit: check their knowledge of entity objectives
     * Outsourced Service Providers—Adheres to management’s definition of the scope of authority and responsibility for all non-employees engaged - examine the terms and conditions applied to non-employees and the formal agreement to them
     * Check that delegation only occurs to the extent required to achieve the entity's objectives
     * During audits, check that duties are segregated to reduce the risk of inappropriate conduct
     * Ensure that the responsibilities of third party providers are clearly documented, that the extent of their decision making is not excessive, and that they understand their limits

4. Demonstrates Commitment to Competence—The organisation demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives
   Risk: Insufficient qualified staff available to deliver objectives
   - Establishes Policies and Practices—the policies and practices reflect expectations of competence necessary to support the achievement of objectives
     * Examine policies and practices to ensure the achievement of objectives is a required competence
     * Check that the human resources function has been involved with management in setting consistent job descriptions, required qualifications and reward systems across the entity
     * Check that assessments are regularly carried out against objective targets and reviewed by HR and senior management
   - Evaluates Competence and Addresses Shortcomings—the board of directors and management evaluate competence across the organisation and in outsourced providers in relation to established policies and practices and act as necessary to address shortcomings
     * Examine assessments to ensure that staff are judged on their ability to achieve objectives
   - Attracts, Develops, and Retains Individuals—the organisation provides the mentoring and training needed to attract, develop, and retain sufficient and competent personnel and outsourced service providers to support the achievement of objectives
     * Examine HR's checks of staff turnover to ensure they follow up the reasons where it is high
     * During audits, check that all managers and staff have induction training which clearly sets out the responsibilities they have in delivering the requirements of this COSO Framework
     * During audits, check that all managers and staff have appropriate training throughout their careers as their needs arise
   - Plans and Prepares for Succession—senior management and the board of directors develop contingency plans for assignments of responsibility important for internal control
     * Check that jobs critical to the entity have been identified
     * Examine succession plans, which should be held by the HR department
     * Ensure succession plans for staff from external suppliers have been established

5. Enforces Accountability—The organisation holds individuals accountable for their internal control responsibilities in the pursuit of objectives
   Risk: No performance measures for individuals
   - Enforces Accountability through Structures, Authorities, and Responsibilities—management and the board of directors establish the mechanisms to communicate and hold individuals accountable for performance of internal control responsibilities across the organisation and implement corrective action as necessary
     * Examine the instructions, usually issued by HR, to management which detail how targets are to be set, and check that these include performance of internal control responsibilities
     * Examine the relationship between internal audit and the board and audit committee to ensure there is a close supporting relationship
   - Establishes Performance Measures, Incentives, and Rewards—management and the board of directors establish performance measures, incentives, and other rewards appropriate for responsibilities at all levels of the entity, reflecting appropriate dimensions of performance and expected standards of conduct, and considering the achievement of both short-term and longer-term objectives
     * During audits, examine assessments to ensure that staff have targets set which include the achievement of objectives
   - Evaluates Performance Measures, Incentives, and Rewards for Ongoing Relevance—management and the board of directors align incentives and rewards with the fulfilment of internal control responsibilities in the achievement of objectives
     * Examine assessments to ensure that staff are judged on their ability to achieve objectives and that incentives and rewards are aligned with these
     * Check whether the opinions (good and bad) from an internal audit are factored into performance assessments
     * Check that there is a mechanism for updating performance measures as the business changes
   - Considers Excessive Pressures—management and the board of directors evaluate and adjust pressures associated with the achievement of objectives as they assign responsibilities, develop performance measures, and evaluate performance
     * Ensure that HR review completed assessments to judge if targets are being achieved and, if not, why not
     * Examine incentive structures (for example in sales) to ensure that they reinforce the balancing of risks with the potential rewards
   - Evaluates Performance and Rewards or Disciplines Individuals—management and the board of directors evaluate performance of internal control responsibilities, including adherence to standards of conduct and expected levels of competence, and provide rewards or exercise disciplinary action as appropriate
     * Check that, at each level of management, adherence to standards of conduct and expected levels of competence is evaluated and rewarded as appropriate
     * Check that internal audit reports, or a summary of them, are sent to the board so they can evaluate performance of internal control responsibilities
     * Examine the reports by which the board is made aware of disciplinary action and the reasons for it

Risks not identified (Risk Assessment)

6. Specifies Suitable Objectives—The organisation specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives
   Risk: Operations objectives not defined
   - Reflects Management’s Choices—The operations objectives reflect management’s choices about structure, industry considerations, and performance of the entity
     * Check that objectives, as noted in the RAU, are consistent with the entity's structure and required performance
   - Considers Tolerances for Risk - management considers the acceptable levels of variation relative to the achievement of operations objectives
     * Ensure that a risk appetite has been defined
   - Includes Operations and Financial Performance Goals - the organisation reflects the desired level of operations and financial performance for the entity within operations objectives
     * Check that top-level operations and financial performance goals, which should be in the RAU, are included in sub-objectives
   - Forms Basis for Committing of Resources—Management uses operations objectives as a basis for allocating resources needed to attain desired operations and financial performance
     * Examine the calculations which determine the staff numbers required to deliver the objectives
   Risk: Financial objectives not defined
   - Complies with Applicable Accounting Standards—Management ensures that the financial reporting objectives are consistent with accounting principles suitable and available for that entity and that the accounting principles selected are appropriate in the circumstances
     * Check that the financial objectives set and recorded in the RAU are consistent with appropriate financial principles and legislation
   - Considers Materiality—Management considers materiality in financial statement presentation
     * Check that the objectives for financial statements take into account the level of materiality applicable to those statements
   - Reflects Entity Activities—External reporting reflects the underlying transactions and events to show qualitative characteristics and assertions
     * Ensure that all external reporting is subject to checks that it reliably represents the underlying transactions and other factors taken into consideration when calculating the figures
   Risk: External non-financial reporting objectives not defined
   - Complies with Externally Established Standards and Frameworks—management establishes objectives consistent with laws and regulations or standards and frameworks of recognised external organisations
     * Ensure that there are adequate systems to capture the laws and regulations which apply to the entity (for example, taxation, product safety)
     * Ensure that objectives are set which require adherence to these regulations
   - Considers the Required Level of Precision—management reflects the required level of precision and accuracy suitable for user needs and as based on criteria established by third parties in non-financial reporting
     * Check that the objectives set meet the external reporting requirements
   - Reflects Entity Activities—external reporting reflects the underlying transactions and events within a range of acceptable limits
     * During audits, ensure that all external non-financial reporting is subject to checks that it reliably represents the underlying transactions
   Risk: Internal reporting objectives not defined
   - Reflects Management’s Choices—internal reporting provides management with accurate and complete information regarding management’s choices and the information needed in managing the entity
     * During audits, examine the processes used by management to determine the information they need (www.managing-information.org.uk for ideas)
   - Considers the Required Level of Precision—management reflects the required level of precision and accuracy suitable for user needs in non-financial reporting objectives and materiality within financial reporting objectives
     * During audits, examine the processes used by management to determine the accuracy and timeliness of the information they need (www.managing-information.org.uk for ideas)
   - Reflects Entity Activities—internal reporting reflects the underlying transactions and events within a range of acceptable limits
     * During audits, examine the processes used to gather information to ensure it is relevant, complete and accurate to the materiality levels required to make decisions
   Risk: Compliance objectives not defined
   - Reflects External Laws and Regulations - the entity integrates into its compliance objectives the laws and regulations that establish minimum standards of conduct for the entity
     * Ensure that there are adequate systems to capture the laws and regulations which apply to the entity (for example, taxation, product safety)
     * Examine the communications systems to ensure appropriate management receive information which they can build into objectives
     * Ensure that objectives are updated as legislation changes
   - Considers Tolerances for Risk - management considers the acceptable levels of variation relative to the achievement of compliance objectives
     * Examine the tolerances allowed when judging if compliance objectives have been achieved

7. Identifies and Analyzes Risk—The organisation identifies risks to the achievement of its objectives across the entity and analyses risks as a basis for determining how the risks should be managed.
   Risk: Not all risks threatening objectives are identified or managed
   - Includes Entity, Subsidiary, Division, Operating Unit, and Functional Levels—the organisation identifies and assesses risks at the entity, subsidiary, division, operating unit, and functional levels relevant to the achievement of objectives
     * Ensure that policies have been written and communicated which set out the responsibilities of managers to determine the risks which threaten their objectives
     * Examine the processes used at all levels of the entity to ensure risks to the objectives have been identified and recorded
     * During audits, check that risks have been properly identified before commencing audit testing of controls
   - Analyzes Internal and External Factors—management ensures that risk identification considers both internal and external factors and their impact on the achievement of objectives
     * Ensure that the risk assessment process looks at all risks, internal and external
     * During audits, check that risks have been properly identified before commencing audit testing of controls
   - Involves Appropriate Levels of Management—The organisation puts into place effective risk assessment mechanisms that involve appropriate levels of management
     * Ensure that all levels of management are involved, particularly the board, then senior management, then departmental management
     * During audits, check that risks have been properly identified before commencing audit testing of controls
   - Estimates Significance of Risks Identified—management ensures that identified risks are analysed through a process that includes estimating the potential significance of the risk
     * Check that a system for measuring the significance of risks has been established throughout the entity
     * Check that the board have defined a risk appetite in the same terms used to assess the significance of risk
     * During audits, check that risks have been properly assessed according to the entity's rules before commencing audit testing of controls
   - Determines How to Respond to Risks—management ensures that the risk assessment includes considering how the risk should be managed and whether to accept, avoid, reduce, or share the risk
     * Check that a system for responding to risks (acceptance, avoidance, reduction, sharing) has been established throughout the entity
     * During audits, check that controls have been established to bring risks below the risk appetite

8. Assesses Fraud Risk—The organisation considers the potential for fraud in assessing risks to the achievement of objectives.
   Risk: The opportunities for fraud are not completely analysed
   - Considers Various Types of Fraud—the assessment of fraud considers fraudulent reporting, possible loss of assets, and corruption resulting from the various ways that fraud and misconduct can occur
     * Ensure that the risk of fraud has been considered throughout the risk assessment process for all objectives and parts of the entity, including the board and senior management
   - Assesses Incentives and Pressures—the assessment of fraud risk considers incentives and pressures
     * During audits, ensure that risks which might arise from a desire to acquire incentives have been identified and that appropriate controls are in place
   - Assesses Opportunities—the assessment of fraud risk considers opportunities for unauthorized acquisition, use, or disposal of assets, altering of the entity’s reporting records, or committing other inappropriate acts
     * During audits of systems involving assets (fixed assets, cash - sales, purchasing and expenses), ensure that all risks have been identified and that appropriate controls, including monitoring controls, are present
   - Assesses Attitudes and Rationalisations—the assessment of fraud risk considers how management and other personnel might engage in or justify inappropriate actions
     * During audits of processes such as sales, purchasing and expenses, check that directors, management and staff are not using their position to benefit from transactions not normally allowed to employees, or which compromise their integrity or ability to manage objectively

9. Identifies and Analyzes Significant Change—The organisation identifies and assesses changes that could significantly impact the system of internal control
   Risk: Risks and associated controls not updated to reflect changes to the business and its environment
   - Assesses Changes in the External Environment—the risk identification process considers changes to the regulatory, economic, and physical environment in which the entity operates
     * Examine the systems which detect changes in the external environment to ensure they guarantee completeness
     * Examine the communications systems to ensure appropriate management receive information which they can assess for new risks
   - Assesses Changes in the Business Model—the organisation considers the potential impacts on the system of internal control of new business lines, dramatically altered compositions of existing business lines, acquired or divested business operations, rapid growth, changing reliance on foreign geographies and new technologies
     * Ensure that policies exist and are implemented which ensure that major projects put before the board for approval have been assessed for risk and have had risk modelling (e.g. @RISK) applied
     * Ensure that policies exist and are implemented which ensure that major projects have embedded risk management procedures
     * Check that procedures exist to ensure that risks at all levels are re-examined when any major change impacts any part of the organisation
     * During audits, check that procedures exist to regularly revisit the risk assessment in order to update it as a result of changes in the internal or external environments
   - Assesses Changes in Leadership—the organisation considers changes in management and their respective attitudes and philosophies on the system of internal control
     * Ensure that policies exist and are implemented to assess the risks of major management reorganisations before they take place
     * Ensure that when appointing managers, any relevant reports are checked to ascertain the proposed new manager's ability to properly manage risks

Controls not implemented (Control Activities)

10. Selects and Develops Control Activities—The organisation selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels.
   Risk: Controls are inappropriate to the risks
   - Integrates with Risk Assessment—the control activities help ensure that responses that address and mitigate risks are carried out
     * Ensure instructions exist and are implemented which require management to ensure that control activities mitigate risks to below the risk appetite
     * Carry out audits to check that risks are mitigated by controls, or other appropriate action, to bring them below the risk appetite
   - Determines Relevant Business Processes—management determines which relevant business processes require control activities
     * Ensure management have identified all business processes
     * Confirm that any business processes identified as not requiring control activities have no risks
   - Considers Entity-Specific Factors—management considers how the environment, complexity, nature, and scope of its operations, as well as the specific characteristics of its organisation, affect the selection and development of control activities
     * Carry out audits to ensure that all risks resulting from the environment and operations have suitable controls which are operating to bring them below the risk appetite
   - Evaluates a Mix of Control Activity Types—the control activities include a range and variety of controls and a balance of approaches to mitigate risks, considering both manual and automated controls, and preventive and detective controls
     * Carry out audits to ensure that risks are mitigated by efficient and effective controls
   - Considers at What Level Activities Are Applied—management considers control activities at various levels in the entity
     * Carry out audits to ensure that risks have been determined at all levels of the entity and are mitigated by controls
   - Addresses Segregation of Duties—management segregates incompatible duties and, where such segregation is not practical, selects and develops alternative control activities
     * During audits, ensure that management have identified alternative controls where the expected segregation of duties is not practical

11. Selects and Develops General Controls over Technology—The organisation selects and develops general control activities over technology to support the achievement of objectives.
   Risk: Risks from technology are uncontrolled
   - Determines Dependency between the Use of Technology in Business Processes and Technology General Controls—management understands and determines the dependency and linkage between business processes, automated control activities, and technology general controls
     * Examine the training and methods used by management to identify risks arising in business processes from risks in the technology used
   - Establishes Relevant Technology Infrastructure Control Activities—management selects and develops control activities over the technology infrastructure, which are designed and implemented to help ensure the completeness, accuracy, and availability of technology processing
     * During audits, check that all risks arising from the use of technology have been identified and suitable controls applied
   - Establishes Relevant Security Management Process Control Activities—management selects and develops control activities that are designed and implemented to restrict technology access rights to authorised users commensurate with their job responsibilities and to protect the entity’s assets from external threats.
     * During audits, check software access controls to ensure they restrict access to staff commensurate with their job responsibilities
   - Establishes Relevant Technology Acquisition, Development, and Maintenance Process Control Activities—management selects and develops control activities over the acquisition, development, and maintenance of technology and its infrastructure to achieve management’s objectives
     * Audit technology projects to ensure that risks which will be present after implementation have been identified and controls will be implemented from the go-live date
     * Audit all aspects of technology support (communications, computer hardware, operating software) to ensure risks have been identified and are being managed

12. Deploys through Policies and Procedures—The organisation deploys control activities through policies that establish what is expected and procedures that put the policies into action.
   Risk: Systems and responsibilities for risks and internal controls not defined
   - Establishes Policies and Procedures to Support Deployment of Management’s Directives—management establishes control activities that are built into business processes and employees’ day-to-day activities through policies establishing what is expected, and relevant procedures specifying actions
     * Ensure that policies have been written and communicated which set out the responsibilities of managers to determine the controls necessary to bring the associated risk to below the risk appetite
     * Check that policies exist which require projects to ensure that risks which will be present after implementation have been identified and controls will be implemented from the go-live date
     * Management ensure that policies and procedures contain control processes and are properly documented
   - Establishes Responsibility and Accountability for Executing Policies and Procedures—management establishes responsibility and accountability for control activities with management (or other designated personnel) of the operating unit or function in which the relevant risks reside
     * During audits, check that management have identified key controls over their relevant risks
     * During audits, examine evidence that management are regularly receiving confirmations that controls are operating
   - Performs in a Timely Manner—responsible personnel perform control activities in a timely manner as defined by the policies and procedures
     * During audits, check that controls are operated when necessary
   - Takes Corrective Action—responsible personnel investigate and act on matters identified as a result of executing control activities
     * During audits, check that training materials properly record the controls which should be operated
     * During audits, examine documentation which records exceptional matters arising from controls and ensure appropriate action is taken
   - Performs Using Competent Personnel—competent personnel perform control activities with diligence and continuing focus
     * During audits, check that personnel have appropriate induction training (including the operation of controls) when commencing new tasks
     * If audit work detects failures in controls, determine the reasons
   - Reassesses Policies and Procedures—management periodically reviews control activities to determine their continued relevance, and refreshes them when necessary
     * During audits, determine the last time management reviewed controls to check their relevance
     * During audits, ensure that controls being operated are still relevant

Controls not operated (Information and Communication)

13. Uses Relevant Information—The organisation obtains or generates and uses relevant, quality information to support the functioning of other components of internal control.
Poor quality information produced Identifies Information Requirements—management considers if a process is in place to identify the information required and expected to support the functioning of the other components of internal control and the achievement of entity’s objectives Check to ensure that management at all levels has carried out an exercise to determine the information it needs to achieve its objectives (www.managing-information.org.uk for ideas) During audits, check that information required for appropriate monitoring controls has been identified Captures Internal and External Sources of Data—the information systems capture internal and external sources of data During audits, check to ensure that all relevant data sources have been identified During audits, check that data extracted from information sources is relevant (including completeness), timely and to the level of accuracy required Processes Relevant Data into Information—the information systems process and transform relevant data into information During audits, check that data from information sources is processed and transformed into information Maintains Quality throughout Processing—the information systems produce information that is timely, current, accurate, complete, accessible, protected, and verifiable and retained? Consider if the information is reviewed to assess its relevance in supporting the internal control components During audits, check that the information produced is relevant, timely and is not spuriously accurate During audits, check that decisions are made in a timely manner based on the information received Considers Costs and Benefits—management considers if the nature, quantity, and precision of information communicated are commensurate with and support the achievement of objectives During audits, check that information results in benefits which outweigh the costs 14. 
Communicates Internally—The organisation internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of other components of internal control Inadequate internal communication Communicates Internal Control Information with Personnel—process is in place to communicate required information to enable all personnel to understand and carry out their internal control responsibilities Check that information requirements of all personnel have been determined During audits, check that personnel (including 3rd party employees) receive relevant information as soon as it is required Communicates with the Board of Directors—communication exists between management and the board of directors so that both have information needed to fulfil their roles with respect to the entity’s objectives Ensure all departments responsible for the quality of information on internal controls (not only internal audit but also quality control, risk management, legal and taxation) regularly inform the board and management about the status of internal controls Check instructions from the board to management to ensure they clearly set out the board's requirement for internal controls Provides separate communication lines-separate communication channels, such as whistle-blower hotlines, in place and serve as fail-safe mechanisms to enable anonymous or confidential communication when normal channels are inoperative or ineffective? Examine procedures in place for 'whistle blowers' Ensure that publicity of these communication channels is as widespread as necessary If available, examine action taken in the event of whistle-blowing to ensure it was appropriate Selects Relevant Method of Communication—the method of communication considers the timing, audience, and nature of the information Check that all appropriate methods of communication exist, are regularly checked and are publicised 15. 
Communicates Externally—The organisation communicates with external parties regarding matters affecting the functioning of other components of internal control. Inadequate external communication Communicates to External Parties—processes are in place to communicate relevant and timely information to external parties, including shareholders, partners, owners, regulators, customers, and financial analysts and other external parties Check that information requirements of all third parties have been determined Check that external parties receive relevant information as soon as it is required, using check lists if necessary Check that all functions of the entity (including outsourced functions) required to communicate to external parties have been identified Check that the responsibilities for communicating with external parties are complete, clearly documented and there is no overlap between functions Enables Inbound Communications—open communication channels allow input from customers, consumers, suppliers, external auditors, regulators, financial analysts, and others, providing management and the board of directors with relevant information Check that all types of inbound communications have been identified Check that these communication routes are well publicised (on the web for example) Check that these communication routes are always available (staff answering phones and e-mails for example) Communicates with the Board of Directors—relevant information resulting from assessments conducted by external parties is communicated to the board of directors Examine the information gathered and ensure it is passed to the appropriate level of management. 
who act on it Provides Separate Communication Lines—separate communication channels, such as whistle-blower hotlines, are in place and serve as fail-safe mechanisms to enable anonymous or confidential communication when normal channels are inoperative or ineffective Examine procedures in place for 'whistle blowers' Ensure that publicity of these communication channels is as widespread as necessary If available, examine action taken in the event of whistle-blowing to ensure it was appropriate Selects Relevant Method of Communication—the method of communication considers the timing, audience, and nature of the communication and legal, regulatory, and fiduciary requirements and expectations Check that all appropriate methods of communication exist, are regularly checked and are publicised Control deficiencies not corrected (Monitoring Activities) 16. Conducts Ongoing and/or Separate Evaluations—The organisation selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning Components of internal control not operated Considers a Mix of Ongoing and Separate Evaluations—management includes a balance of ongoing and separate evaluations During audits, check that ongoing evaluations (if possible using computer software) have been established to ensure key controls are operating During audits, check that management have instigated separate evaluations to ensure controls are operating During audits, check that all control deficiencies found are corrected as soon as possible Internal audit, and other checking functions, carry out separate evaluations dependent on the risks involved Considers Rate of Change—management considers the rate of change in business and business processes when selecting and developing ongoing and separate evaluations Ensure that major projects, and other business changes, have ongoing evaluations to mitigate the risks occurring Establishes Baseline 
Understanding—the design and current state of an internal control system is used to establish a baseline for ongoing and separate evaluations During audits, establish that ongoing and separate evaluations are based on the current systems in operation Uses Knowledgeable Personnel—management helps ensure that the evaluators performing ongoing and separate evaluations have sufficient knowledge to understand what is being evaluated During audits, ensure that all staff and managers have been properly trained to perform evaluations Carry out internal audits of other evaluation functions (such as quality control) Integrates with Business Processes—the ongoing evaluations built into the business processes adjust to changing conditions During audits, ensure that ongoing evaluations are set up to adjust to changes in the business environment Adjusts Scope and Frequency—management varies the scope and frequency of separate evaluations depending on risk Check that internal audit and similar functions base their separate evaluations on inherent risks to the objectives Objectively Evaluates—separate evaluations performed periodically provide objective feedback Examine separate evaluations (including internal audit's) to check that opinions are based on verifiable data obtained objectively Ensure opinions from separate evaluations have been made independently and not been subject to changes made by interested parties 17. 
Evaluates and Communicates Deficiencies—The organisation evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate Failures of internal controls not detected or remedied Assesses Results—management and the board of directors, as appropriate, assess results of ongoing and separate evaluations Check that a system of regular reports from management is established to confirm controls are operating and to provide details where they are not Check that reports from internal audit and other departments carrying out separate evaluations are assessed and action taken as necessary Check that the underlying reasons for any control deficiencies are identified Communicates deficiencies-deficiencies are communicated to parties responsible for taking corrective action and to senior management and to the board of directors, as appropriate Check that managers and staff (including IT) carrying out ongoing evaluations, clearly understand what the evaluation is checking, what the range is for 'normal' and the impact of abnormal results Ensure that all staff carrying out ongoing evaluations know who to inform of abnormal results and that failure to do this may result in disciplinary action Monitors corrective action-management track whether deficiencies are remediated on a timely basis Check that the board and management receive regular reports on the progress made to eliminate control deficiencies


No foundation for controls (Control Environment)

1. Demonstrates Commitment to Integrity and Ethical Values—The organisation demonstrates a commitment to integrity and ethical values

Employees (including board members) damage the reputation of the entity

Sets the tone at the top - The board of directors and management at all levels of the entity demonstrate through their directives, actions, and behaviour the importance of integrity and ethical values to support the functioning of the system of internal control

Examine documents, the intranet, and other means of publicity which express the board's and managers' views on integrity and ethics
During audits, consider if any weaknesses in internal control result from directors and management's failure to support integrity and ethical values
Examine directors' and management expenses. Ensure that they comply with the rules set for other employees.

Establishes Standards of Conduct—the expectations of the board of directors and senior management concerning integrity and ethical values are defined in the entity’s standards of conduct and understood at all levels of the organisation and by outsourced service providers and business partners

Examine written standards of conduct
Examine standards for the use of e-mails, social media and the internet. Ensure these reflect the required standards of integrity and conduct required by the entity
Check standards are publicised to all staff and external suppliers, for example on the entity's intranet, especially as part of induction procedures

Evaluates Adherence to Standards of Conduct—processes are in place to evaluate the performance of individuals and teams against the entity’s expected standards of conduct

Examine the indicators set to identify issues and trends related to the standards of conduct
Examine processes, for example within the Human Resources department, which are in place to evaluate the performance of individuals and teams against the organisation's expected standards of conduct
Examine IT checks to ensure that users are adhering to the standards covering e-mails, social media and the use of the internet

Addresses Deviations in a Timely Manner—deviations of the entity’s expected standards of conduct are identified and remedied in a timely and consistent manner

Examine the systems for notifying the board of deviations
Check that deviations recorded have been remedied in a timely and consistent manner.
Check the entity's written procedures for the handling of complaints and look for evidence that they are followed
During audits, check the action taken to remedy deviations and discipline where necessary

2. Exercises Oversight Responsibility—The board of directors demonstrates independence from management and exercises oversight for the development and performance of internal control

Directors fail to recognise their responsibilities, or delegate them

Establishes Oversight Responsibilities—the board of directors identifies and accepts its oversight responsibilities in relation to established requirements and expectations

Examine evidence that the board has identified the expectations of the entity's stakeholders
Examine instructions from the board setting out how internal controls should be developed and implemented
Examine instructions from the board which formally retain or delegate its oversight responsibilities

Directors fail to carry out duties due to lack of knowledge or independence

Applies Relevant Expertise—the board of directors defines, maintains, and periodically evaluates the skills and expertise needed among its members to enable them to ask probing questions of senior management and take commensurate actions

Examine records from the last time the directors assessed the essential skills and knowledge they should have
Examine the qualifications of the board members

Operates Independently—the board of directors has sufficient members who are independent from management and demonstrate they are objective in evaluations and decision making

Examine the credentials of the non-executive board members to ensure they are independent
Ensure that independent directors are not financially dependent on their compensation as a board member

Failure of internal control due to lack of oversight responsibility from directors

Control Environment—Establishing integrity and ethical values, oversight structures, authority and responsibility, expectations of competence, and accountability to the board.

Control environment: During audits, ensure that integrity and ethical values, structure, authority and responsibility, competence and accountability are present in the parts of the organisation being audited

Risk Assessment—Overseeing management’s assessment of risks to the achievement of objectives, including the potential impact of significant changes, fraud, and management override of internal control.

Risk Assessment: During audits, ensure that directors are reviewing and commenting on management's assessment of risks to the achievement of objectives, including the potential impact of significant changes, fraud and management override of internal control

Control Activities—Providing oversight to senior management in the development and performance of control activities.

Control Activities: During audits, check for guidance to senior management around the selection, development and deployment of control activities

Information and Communication—Analyzing and discussing information relating to the entity’s achievement of objectives.

Information and communication: check that the board is obtaining, reviewing and discussing historical information relating to the organisation's achievement of objectives
Information and communication: check that the board is obtaining, reviewing and discussing, and acting upon, forecast information relating to the organisation's achievement of objectives

Monitoring Activities—Assessing and overseeing the nature and scope of monitoring activities and management's evaluation and remediation of deficiencies

Monitoring activities: During audits, examine the information that the board receives to assess and oversee the nature and scope of monitoring activities and management's evaluation and remediation of deficiencies

3. Establishes Structure, Authority, and Responsibility—Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives

Failure to achieve objectives due to lack of clear accountability

Considers All Structures of the Entity—management and the board of directors consider the multiple structures used (including operating units, legal entities, geographic distribution, and outsourced service providers) to support the achievement of objectives

Compare the accounts, which should list all subsidiary entities, with organisation charts and management circulation lists to ensure all parts of the entity have been identified
Examine systems by which third parties are identified and recorded - will they record 100%?
Examine lists of major suppliers to check whether they are providing an outsourced service and have been identified

Establishes Reporting Lines—management designs and evaluates lines of reporting for each entity structure to enable execution of authorities and responsibilities and flow of information to manage the activities of the entity

Examine the organisation chart to ensure all managers are present and have clear lines of responsibility
Examine the accounts to ensure that each cost centre has a manager who is responsible for setting a budget and controlling expenditure, and who is answerable to a senior manager
Ensure some senior managers have at least 'dotted line' responsibility to the board to allow for open communication on important issues
Lines of reporting are regularly reviewed to account for changes to the business model

Defines, Assigns, and Limits Authorities and Responsibilities—management and the board of directors delegate authority, define responsibilities, and use appropriate processes and technology to assign responsibilities and segregate duties as necessary at the various levels of the organisation

Board of Directors—Retains authority over significant decisions and reviews management’s assignments and limitations of authorities and responsibilities - examine written authorisation policies, for example over capital and expense projects to ensure they are complete and appropriate
Senior Management—Establishes directives, guidance, and control to enable management and other personnel to understand and carry out their internal control responsibilities - during audits check that managers have written job descriptions which clearly detail their responsibilities
Management—Guides and facilitates the execution of senior management directives at entity and its subunits - during audits, examine instructions and how they were implemented
Personnel—Understands the entity’s standard of conduct, assessed risks to objectives, and the related control activities at their respective levels of the entity, the expected information and communication flow, and monitoring activities relevant to their achievement of the objectives - Human Resources audit - check their knowledge of entity objectives
Outsourced Service Providers—Adheres to management’s definition of the scope of authority and responsibility for all non-employees engaged - examine the terms and conditions applied to non-employees and the formal agreement to them
Check that delegation only occurs to the extent required to achieve the entity's objectives
During audits, check that duties are segregated to reduce the risk of inappropriate conduct
Ensure that the responsibilities of third party providers are clearly documented and the extent of their decision making is not excessive and they understand their limits

4. Demonstrates Commitment to Competence—The organisation demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives

Insufficient qualified staff available to deliver objectives

Establishes Policies and Practices—the policies and practices reflect expectations of competence necessary to support the achievement of objectives

Examine policies and practices to ensure the achievement of objectives is a required competence
Check that the human resources function has been involved with management in setting consistent job descriptions, required qualifications and reward systems across the entity
Check that assessments are regularly carried out against objective targets and reviewed by HR and senior management

Evaluates Competence and Addresses Shortcomings—the board of directors and management evaluate competence across the organisation and in outsourced providers in relation to established policies and practices and act as necessary to address shortcomings

Examine assessments to ensure that staff are judged on their ability to achieve objectives

Attracts, Develops, and Retains Individuals—the organisation provides the mentoring and training needed to attract, develop, and retain sufficient and competent personnel and outsourced service providers to support the achievement of objectives

Examine HR's checks of staff turnover to ensure they follow up the reasons where it is high
During audits, check that all managers and staff have induction training which clearly sets out the responsibilities they have in delivering the requirements of this COSO Framework
During audits, check that all managers and staff have appropriate training through their career as their needs arise

Plans and Prepares for Succession—senior management and the board of directors develop contingency plans for assignments of responsibility important for internal control

Check that jobs critical to the entity have been identified
Examine succession plans which should be held by HR department
Ensure succession plans for staff from external suppliers have been established

5. Enforces Accountability—The organisation holds individuals accountable for their internal control responsibilities in the pursuit of objectives

No performance measures for individuals

Enforces Accountability through Structures, Authorities, and Responsibilities—management and the board of directors establish the mechanisms to communicate and hold individuals accountable for performance of internal control responsibilities across the organisation and implement corrective action as necessary

Examine the instructions, usually issued by HR, to management which detail how targets are to be set and that these include performance of internal control responsibilities
Examine the relationship between internal audit and the board and audit committee to ensure there is a close supporting relationship

Establishes Performance Measures, Incentives, and Rewards—management and the board of directors establish performance measures, incentives, and other rewards appropriate for responsibilities at all levels of the entity, reflecting appropriate dimensions of performance and expected standards of conduct, and considering the achievement of both short-term and longer-term objectives

During audits, examine assessments to ensure that staff have targets set which include the achievement of objectives

Evaluates Performance Measures, Incentives, and Rewards for Ongoing Relevance—management and the board of directors align incentives and rewards with the fulfilment of internal control responsibilities in the achievement of objectives

Examine assessments to ensure that staff are judged on their ability to achieve objectives and that incentives and rewards are aligned with these
Check whether the opinions (good and bad) from an internal audit are factored into performance assessments
Check that there is a mechanism for updating performance measures as the business changes

Considers Excessive Pressures—management and the board of directors evaluate and adjust pressures associated with the achievement of objectives as they assign responsibilities, develop performance measures, and evaluate performance

Ensure that HR review completed assessments to judge if targets are being achieved and if not, why not.
Examine incentive structures (for example in sales) to ensure that they reinforce the balancing of risks with the potential rewards

Evaluates Performance and Rewards or Disciplines Individuals—management and the board of directors evaluate performance of internal control responsibilities, including adherence to standards of conduct and expected levels of competence and provide rewards or exercise disciplinary action as appropriate

Check that, at each level of management, adherence to standards of conduct and expected levels of competencies is evaluated and rewarded as appropriate
Check that Internal audit reports, or a summary of them, are sent to the board so they can evaluate performance of internal control responsibilities
Examine reports to the board where they are made aware of disciplinary action and the reasons for it.



Risks not identified (Risk Assessment)

6. Specifies Suitable Objectives—The organisation specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives

Operations objectives not defined

Reflects Management’s Choices—The operations objectives reflect management’s choices about structure, industry considerations, and performance of the entity

Check that objectives, as noted in the RAU, are consistent with the entity's structure and required performance

Considers Tolerances for Risk—management considers the acceptable levels of variation relative to the achievement of operations objectives

Ensure that a risk appetite has been defined

Includes Operations and Financial Performance Goals—the organisation reflects the desired level of operations and financial performance for the entity within operations objectives

Check that top-level operations and financial performance goals, which should be in the RAU, are included in sub-objectives

Forms Basis for Committing of Resources—Management uses operations objectives as a basis for allocating resources needed to attain desired operations and financial performance

Examine the calculations which determine the staff numbers required to deliver the objectives

Financial objectives not defined

Complies with Applicable Accounting Standards—Management ensures that the financial reporting objectives are consistent with accounting principles suitable and available for that entity and that the accounting principles selected are appropriate in the circumstances

Check that the financial objectives set and recorded in the RAU are consistent with appropriate financial principles and legislation

Considers Materiality—management considers materiality in financial statement presentation

Check that the objectives for financial statements take into account the level of materiality applicable to those statements

Reflects Entity Activities—External reporting reflects the underlying transactions and events to show qualitative characteristics and assertions

Ensure that all external reporting is subject to checks that it reliably represents the underlying transactions and other factors taken into consideration when calculating the figures

External Non-Financial Reporting objectives not defined

Complies with Externally Established Standards and Frameworks—management establish objectives consistent with laws and regulations or standards and frameworks of recognised external organisations

Ensure that there are adequate systems to capture the laws and regulations which apply to the entity (for example, taxation, product safety)
Ensure that objectives are set which require adherence to these regulations

Considers the Required Level of Precision—management reflects the required level of precision and accuracy suitable for user needs and as based on criteria established by third parties in non-financial reporting

Check that objectives set meet the external reporting requirements

Reflects Entity Activities—external reporting reflects the underlying transactions and events within a range of acceptable limits

During audits, ensure that all external non-financial reporting is subject to checks that it reliably represents the underlying transactions

Internal reporting objectives not defined

Reflects Management’s Choices—internal reporting provides management with accurate and complete information regarding management’s choices and information needed in managing the entity

During audits, examine the processes used by management to determine the information they need (www.managing-information.org.uk for ideas)

Considers the Required Level of Precision—management reflects the required level of precision and accuracy suitable for user needs in non-financial reporting objectives and materiality within financial reporting objectives

During audits, examine the processes used by management to determine the accuracy and timeliness of the information they need (www.managing-information.org.uk for ideas)

Reflects Entity Activities—internal reporting reflects the underlying transactions and events within a range of acceptable limits

During audits, examine the processes used to gather information to ensure it is relevant, complete and accurate to the materiality levels required to make decisions

Compliance objectives not defined

Reflects External Laws and Regulations—the entity integrates into its compliance objectives the laws and regulations that establish minimum standards of conduct for the entity

Ensure that there are adequate systems to capture the laws and regulations which apply to the entity (for example, taxation, product safety)
Examine the communications systems to ensure appropriate management receive information which they can build into objectives
Ensure that objectives are updated as legislation changes

Considers Tolerances for Risk—management considers the acceptable levels of variation relative to the achievement of compliance objectives

Examine the tolerances allowed when judging if compliance objectives have been achieved

7. Identifies and Analyzes Risk—The organisation identifies risks to the achievement of its objectives across the entity and analyses risks as a basis for determining how the risks should be managed.

Not all risks threatening objectives are identified or managed

Includes Entity, Subsidiary, Division, Operating Unit, and Functional Levels—the organisation identifies and assesses risks at the entity, subsidiary, division, operating unit, and functional levels relevant to the achievement of objectives

Ensure that policies have been written and communicated which set out the responsibilities for managers to determine the risks which threaten their objectives
Examine the processes used at all levels of the entity to ensure risks to the objectives have been identified and recorded
During audits, check that risks have been properly identified before commencing audit testing of controls

Analyzes Internal and External Factors—management ensures that risk identification considers both internal and external factors and their impact on the achievement of objectives

Ensure that the risk assessment process looks at all risks, internal and external
During audits, check that risks have been properly identified before commencing audit testing of controls

Involves Appropriate Levels of Management—The organisation puts into place effective risk assessment mechanisms that involve appropriate levels of management

Ensure that all levels of management are involved, particularly the board, then senior management, then departmental management
During audits, check that risks have been properly identified before commencing audit testing of controls

Estimates Significance of Risks Identified—management ensures that identified risks are analysed through a process that includes estimating the potential significance of the risk

Check that a system for measuring the significance of risks has been established throughout the entity
Check that the board have defined a risk appetite in the same terms used to assess the significance of risk, so the two can be compared
During audits, check that risks have been properly assessed according to the entity's rules before commencing audit testing of controls

Determines How to Respond to Risks—management ensures that the risk assessment includes considering how the risk should be managed and whether to accept, avoid, reduce, or share the risk

Check that a system for responding to risks (acceptance, avoidance, reduction, sharing) has been established throughout the entity
During audits check that controls have been established to bring risks below the risk appetite

8. Assesses Fraud Risk—The organisation considers the potential for fraud in assessing risks to the achievement of objectives.

The opportunities for fraud are not completely analysed

Considers Various Types of Fraud—the assessment of fraud considers fraudulent reporting, possible loss of assets, and corruption resulting from the various ways that fraud and misconduct can occur

Ensure that the risk of fraud has been considered throughout the risk assessment process for all objectives and parts of the entity, including the board and senior management

Assesses Incentives and Pressures—the assessment of fraud risk considers incentives and pressures

During audits, ensure that risks arising from incentives (for example bonus or target-linked pay) and from pressures on staff to meet targets have been identified and that appropriate controls are in place

Assesses Opportunities—the assessment of fraud risk considers opportunities for unauthorized acquisition, use, or disposal of assets, altering of the entity’s reporting records, or committing other inappropriate acts

During audits of systems involving assets (fixed assets, cash, sales, purchasing and expenses) ensure that all risks have been identified and that appropriate controls, including monitoring controls, are present

Assesses Attitudes and Rationalisations—the assessment of fraud risk considers how management and other personnel might engage in or justify inappropriate actions

During audits of processes such as sales, purchasing and expenses check that directors, management and staff are not using their position to benefit from transactions not normally allowed to employees, or which compromise their integrity or ability to manage objectively

9. Identifies and Analyzes Significant Change—The organisation identifies and assesses changes that could significantly impact the system of internal control

Risks and associated controls not updated to reflect changes to the business and its environment

Assesses Changes in the External Environment—the risk identification process considers changes to the regulatory, economic, and physical environment in which the entity operates

Examine the systems which detect changes in the external environment to assess whether they capture such changes completely
Examine the communications systems to ensure appropriate management receive information which they can assess for new risks

Assesses Changes in the Business Model—the organisation considers the potential impacts on the system of internal control of new business lines, dramatically altered compositions of existing business lines, acquired or divested business operations, rapid growth, changing reliance on foreign geographies and new technologies

Ensure that policies exist and are implemented which ensure that major projects put before the board for approval have been assessed for risk and have had risk modelling (e.g. @RISK) applied
Ensure that policies exist and are implemented which ensure that major projects have embedded risk management procedures
Check that procedures exist to ensure that risks at all levels are re-examined when any major changes impact any part of the organisation
During audits, check procedures exist to regularly revisit the risk assessment in order to update it as a result of changes in the internal or external environments

Assesses Changes in Leadership—the organisation considers changes in management and their respective attitudes and philosophies on the system of internal control

Ensure that policies exist and are implemented to assess the risks of major management reorganisations before they take place
Ensure that when appointing managers, any relevant reports are checked to ascertain the proposed new manager's ability to properly manage risks

Controls not implemented (Control Activities)

10. Selects and Develops Control Activities—The organisation selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels.

Controls are inappropriate to the risks

Integrates with Risk Assessment—the control activities help ensure that responses that address and mitigate risks are carried out

Ensure instructions exist and are implemented which require management to ensure that control activities mitigate risks to below the risk appetite
Carry out audits to check that risks are mitigated by controls, or other appropriate action, to bring them below the risk appetite

Determines Relevant Business Processes—management determines which relevant business processes require control activities

Ensure management have identified all business processes
Confirm that any business processes identified as not requiring control activities carry no risks above the risk appetite

Considers Entity-Specific Factors—management considers how the environment, complexity, nature, and scope of its operations, as well as the specific characteristics of its organisation, affect the selection and development of control activities

Carry out audits to ensure that all risks resulting from the environment and operations have suitable controls which are operating to bring them below the risk appetite

Evaluates a Mix of Control Activity Types—the control activities include a range and variety of controls and a balance of approaches to mitigate risks, considering both manual and automated controls, and preventive and detective controls

Carry out audits to ensure that risks are mitigated by an efficient and effective mix of controls (preventive and detective, manual and automated), not by reliance on a single type

Considers at What Level Activities Are Applied—management considers control activities at various levels in the entity

Carry out audits to ensure that risks have been determined at all levels of the entity and are mitigated by controls

Addresses Segregation of Duties—management segregates incompatible duties, and where such segregation is not practical, management selects and develops alternative control activities

During audits, check system access rights for combinations of permissions that would let one person complete a transaction unchecked (for example creating a supplier and approving payments to it)
During audits, ensure that management have identified alternative (compensating) controls where the expected segregation of duties is not practical, and test that those controls operate

11. Selects and Develops General Controls over Technology—The organisation selects and develops general control activities over technology to support the achievement of objectives.

Risks from technology are uncontrolled

Determines Dependency between the Use of Technology in Business Processes and Technology General Controls—management understands and determines the dependency and linkage between business processes, automated control activities, and technology general controls

Examine the training and methods used by management to identify which business processes and automated controls depend on particular technology, and the risks to those processes if that technology fails or is compromised

Establishes Relevant Technology Infrastructure Control Activities—management selects and develops control activities over the technology infrastructure, which are designed and implemented to help ensure the completeness, accuracy, and availability of technology processing

During audits, check that all risks arising from the use of technology have been identified and suitable controls applied

Establishes Relevant Security Management Process Control Activities—management selects and develops control activities that are designed and implemented to restrict technology access rights to authorised users commensurate with their job responsibilities and to protect the entity’s assets from external threats.

During audits, check that access rights in each system restrict staff to the access their job responsibilities require (least privilege), that access is removed or changed promptly when staff leave or change role, and that controls protecting the entity's assets from external threats (for example authentication, network and malware protection) are in place and operating
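The two checks above (segregation of duties under principle 10, and access rights commensurate with job responsibilities under principle 11) are usually tested against a system's entitlement export. The following is an added example of such an access review, not code from the original page: it compares an HR extract with a system's permission export, flags incompatible permission pairs, access beyond a least-privilege role baseline, leavers whose accounts remain enabled, and orphan accounts with no HR record, and records where an accepted conflict is covered by a compensating control. All of the users, permissions, role baseline, conflict pairs and the control reference CTRL-AP-07 are constructed sample data and hypothetical names.

```python
"""Access review: segregation of duties and least-privilege checks.

Added example; the HR extract, entitlement export, role baseline,
conflict pairs and control reference are constructed sample data.
"""
from collections import defaultdict

# Constructed HR extract: user -> (job role, employment status)
HR = {
    "alice": ("accounts_payable_clerk", "active"),
    "bob":   ("ap_supervisor", "active"),
    "carol": ("accounts_payable_clerk", "leaver"),
    "dave":  ("it_admin", "active"),
}

# Constructed entitlement export from the finance system: user -> permissions held
ENTITLEMENTS = {
    "alice": {"vendor.create", "invoice.enter", "payment.approve"},
    "bob":   {"invoice.enter", "payment.approve", "report.view"},
    "carol": {"invoice.enter"},
    "dave":  {"user.admin", "report.view"},
    "eve":   {"report.view"},   # no HR record: an orphan account
}

# Hypothetical least-privilege baseline: what each job role should hold
ROLE_BASELINE = {
    "accounts_payable_clerk": {"vendor.create", "invoice.enter"},
    "ap_supervisor": {"invoice.enter", "payment.approve", "report.view"},
    "it_admin": {"user.admin", "report.view"},
}

# Hypothetical incompatible pairs: one person holding both could create a
# supplier, enter an invoice and approve payment to it without a second pair of eyes
SOD_CONFLICTS = [
    ("vendor.create", "payment.approve"),
    ("invoice.enter", "payment.approve"),
    ("user.admin", "payment.approve"),
]

# Conflicts management has formally accepted, with the compensating control
# relied on (hypothetical control reference); the auditor tests that control
ACCEPTED_CONFLICTS = {
    ("bob", "invoice.enter", "payment.approve"):
        "monthly review of bob's approvals by the finance director (CTRL-AP-07)",
}


def sod_conflicts(perms):
    """Incompatible permission pairs present in one user's permission set."""
    return sorted((a, b) for a, b in SOD_CONFLICTS if a in perms and b in perms)


def excess_access(role, perms):
    """Permissions held beyond the baseline for the user's job role."""
    return sorted(perms - ROLE_BASELINE.get(role, set()))


def review_access(hr, entitlements, accepted=ACCEPTED_CONFLICTS):
    """Return {user: [finding, ...]} for every account needing attention."""
    findings = defaultdict(list)
    for user, perms in sorted(entitlements.items()):
        if user not in hr:
            findings[user].append("orphan account: no matching HR record")
            continue
        role, status = hr[user]
        if status != "active":
            findings[user].append(f"account still enabled for {status}")
        for a, b in sod_conflicts(perms):
            control = accepted.get((user, a, b))
            if control:
                findings[user].append(
                    f"accepted SoD conflict {a} + {b}; compensating control: {control}")
            else:
                findings[user].append(f"SoD conflict: {a} + {b}")
        for perm in excess_access(role, perms):
            findings[user].append(f"excess access for role {role}: {perm}")
    return dict(findings)


if __name__ == "__main__":
    for user, items in review_access(HR, ENTITLEMENTS).items():
        print(user)
        for item in items:
            print("  -", item)
```

Run as a script it lists alice (two unaccepted conflicts plus payment.approve beyond her role), bob (one conflict, covered by the compensating control to be tested), carol (a leaver whose account is still enabled) and eve (orphan); dave has nothing to report. In practice the HR extract and entitlement export are pulled from the systems of record rather than typed in, and the conflict pairs come from management's documented segregation-of-duties matrix.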

Establishes Relevant Technology Acquisition, Development, and Maintenance Process Control Activities—management selects and develops control activities over the acquisition, development, and maintenance of technology and its infrastructure to achieve management’s objectives

Audit technology projects to ensure that risks which will be present after implementation have been identified and controls will be implemented from the go-live date
Audit all aspects of technology support (communications, computer hardware, operating systems and system software) to ensure risks have been identified and are being managed

12. Deploys through Policies and Procedures—The organisation deploys control activities through policies that establish what is expected and procedures that put the policies into action.

Systems and responsibilities for risks and internal controls not defined

Establishes Policies and Procedures to Support Deployment of Management’s Directives—management establishes control activities that are built into business processes and employees’ day-to-day activities through policies establishing what is expected, and relevant procedures specifying actions

Ensure that policies have been written and communicated which set out the responsibilities for managers to determine the controls necessary to bring the associated risk to below the risk appetite
Check policies exist which require projects to ensure that risks which will be present after implementation have been identified and controls will be implemented from the go-live date
Check that policies and procedures describe the control activities required and are properly documented

Establishes Responsibility and Accountability for Executing Policies and Procedures—management establishes responsibility and accountability for control activities with management (or other designated personnel) of the operating unit or function in which the relevant risks reside

During audits, check that management have identified key controls over their relevant risks
During audits, examine evidence that management are regularly receiving confirmations that controls are operating

Performs in a Timely Manner—responsible personnel perform control activities in a timely manner as defined by the policies and procedures

During audits, check that controls are operated when necessary

Takes Corrective Action—responsible personnel investigate and act on matters identified as a result of executing control activities

During audits, check that training materials properly record the controls which should be operated
During audits, examine the documentation which records exceptional matters arising from controls and check that appropriate action was taken on them

Performs Using Competent Personnel—competent personnel perform control activities with diligence and continuing focus

During audits, check that personnel have appropriate induction training (including the operation of controls) when commencing new tasks
If audit work detects failures in controls, determine the reasons

Reassesses Policies and Procedures—management periodically reviews control activities to determine their continued relevance, and refreshes them when necessary

During audits, determine the last time management reviewed controls to check their relevance
During audits, ensure that controls being operated are still relevant

Controls not operated (Information and Communication)

13. Uses Relevant Information—The organisation obtains or generates and uses relevant, quality information to support the functioning of other components of internal control.

Poor quality information produced

Identifies Information Requirements—management considers if a process is in place to identify the information required and expected to support the functioning of the other components of internal control and the achievement of entity’s objectives

Check to ensure that management at all levels has carried out an exercise to determine the information it needs to achieve its objectives (www.managing-information.org.uk for ideas)
During audits, check that information required for appropriate monitoring controls has been identified

Captures Internal and External Sources of Data—the information systems capture internal and external sources of data

During audits, check to ensure that all relevant data sources have been identified
During audits, check that data extracted from information sources is relevant (including completeness), timely and to the level of accuracy required

Processes Relevant Data into Information—the information systems process and transform relevant data into information

During audits, check that data from information sources is processed and transformed into information on which decisions can be taken, rather than passed on as raw data

Maintains Quality throughout Processing—the information systems produce information that is timely, current, accurate, complete, accessible, protected, verifiable and retained. Check that the information is reviewed to assess its relevance in supporting the internal control components

During audits, check that the information produced is relevant, timely and not presented with spurious precision (more apparent accuracy than the underlying data supports)
During audits, check that decisions are made in a timely manner based on the information received

Considers Costs and Benefits—management considers if the nature, quantity, and precision of information communicated are commensurate with and support the achievement of objectives

During audits, check that information results in benefits which outweigh the costs

14. Communicates Internally—The organisation internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of other components of internal control

Inadequate internal communication

Communicates Internal Control Information with Personnel—a process is in place to communicate required information to enable all personnel to understand and carry out their internal control responsibilities

Check that information requirements of all personnel have been determined
During audits, check that personnel (including third-party employees) receive relevant information as soon as it is required

Communicates with the Board of Directors—communication exists between management and the board of directors so that both have information needed to fulfil their roles with respect to the entity’s objectives

Ensure all departments responsible for the quality of information on internal controls (not only internal audit but also quality control, risk management, legal and taxation) regularly inform the board and management about the status of internal controls
Check instructions from the board to management to ensure they clearly set out the board's requirement for internal controls

Provides Separate Communication Lines—separate communication channels, such as whistle-blower hotlines, are in place and serve as fail-safe mechanisms to enable anonymous or confidential communication when normal channels are inoperative or ineffective

Examine procedures in place for 'whistle blowers'
Ensure that publicity of these communication channels is as widespread as necessary
If available, examine action taken in the event of whistle-blowing to ensure it was appropriate

Selects Relevant Method of Communication—the method of communication considers the timing, audience, and nature of the information

Check that all appropriate methods of communication exist, are regularly checked and are publicised

15. Communicates Externally—The organisation communicates with external parties regarding matters affecting the functioning of other components of internal control.

Inadequate external communication

Communicates to External Parties—processes are in place to communicate relevant and timely information to external parties, including shareholders, partners, owners, regulators, customers, and financial analysts and other external parties

Check that information requirements of all third parties have been determined
Check that external parties receive relevant information as soon as it is required, using check lists if necessary
Check that all functions of the entity (including outsourced functions) required to communicate to external parties have been identified
Check that the responsibilities for communicating with external parties are complete, clearly documented and there is no overlap between functions

Enables Inbound Communications—open communication channels allow input from customers, consumers, suppliers, external auditors, regulators, financial analysts, and others, providing management and the board of directors with relevant information

Check that all types of inbound communications have been identified
Check that these communication routes are well publicised (on the web for example)
Check that these communication routes are always available (staff answering phones and e-mails for example)

Communicates with the Board of Directors—relevant information resulting from assessments conducted by external parties is communicated to the board of directors

Examine the information gathered and ensure it is passed to the appropriate level of management, who act on it

Provides Separate Communication Lines—separate communication channels, such as whistle-blower hotlines, are in place and serve as fail-safe mechanisms to enable anonymous or confidential communication when normal channels are inoperative or ineffective

Examine procedures in place for 'whistle blowers'
Ensure that publicity of these communication channels is as widespread as necessary
If available, examine action taken in the event of whistle-blowing to ensure it was appropriate

Selects Relevant Method of Communication—the method of communication considers the timing, audience, and nature of the communication and legal, regulatory, and fiduciary requirements and expectations

Check that all appropriate methods of communication exist, are regularly checked and are publicised

Control deficiencies not corrected (Monitoring Activities)

16. Conducts Ongoing and/or Separate Evaluations—The organisation selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning

Components of internal control not operated

Considers a Mix of Ongoing and Separate Evaluations—management includes a balance of ongoing and separate evaluations

During audits, check that ongoing evaluations (automated where possible) have been established to confirm that key controls are operating
During audits, check that management have instigated separate evaluations to ensure controls are operating
During audits, check that all control deficiencies found are corrected as soon as possible
Check that internal audit, and other checking functions, carry out separate evaluations scoped according to the risks involved

Considers Rate of Change—management considers the rate of change in business and business processes when selecting and developing ongoing and separate evaluations

Ensure that major projects, and other business changes, have ongoing evaluations in place to detect the risks they introduce as they arise

Establishes Baseline Understanding—the design and current state of an internal control system is used to establish a baseline for ongoing and separate evaluations

During audits, establish that ongoing and separate evaluations are based on the current systems in operation

Uses Knowledgeable Personnel—management helps ensure that the evaluators performing ongoing and separate evaluations have sufficient knowledge to understand what is being evaluated

During audits, ensure that all staff and managers have been properly trained to perform evaluations
Carry out internal audits of other evaluation functions (such as quality control)

Integrates with Business Processes—the ongoing evaluations built into the business processes adjust to changing conditions

During audits, ensure that ongoing evaluations are set up to adjust to changes in the business environment

Adjusts Scope and Frequency—management varies the scope and frequency of separate evaluations depending on risk

Check that internal audit and similar functions base their separate evaluations on inherent risks to the objectives

Objectively Evaluates—separate evaluations performed periodically provide objective feedback

Examine separate evaluations (including internal audit's) to check that opinions are based on verifiable data obtained objectively
Ensure opinions from separate evaluations have been made independently and not been subject to changes made by interested parties

17. Evaluates and Communicates Deficiencies—The organisation evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate

Failures of internal controls not detected or remedied

Assesses Results—management and the board of directors, as appropriate, assess results of ongoing and separate evaluations

Check that a system of regular reports from management is established to confirm controls are operating and to provide details where they are not
Check that reports from internal audit and other departments carrying out separate evaluations are assessed and action taken as necessary
Check that the underlying reasons for any control deficiencies are identified

Communicates Deficiencies—deficiencies are communicated to the parties responsible for taking corrective action and to senior management and the board of directors, as appropriate

Check that managers and staff (including IT) carrying out ongoing evaluations clearly understand what the evaluation is checking, what the range is for 'normal' and the impact of abnormal results
Ensure that all staff carrying out ongoing evaluations know whom to inform of abnormal results and that failure to do so may result in disciplinary action

Monitors Corrective Action—management tracks whether deficiencies are remediated on a timely basis

Check that the board and management receive regular reports on the progress made to eliminate control deficiencies

16 January 2015 17:54 +0000