Internal Control — Integrated Framework
Framework and Appendices

This project was commissioned by COSO, which is dedicated to providing thought leadership through the development of comprehensive frameworks and guidance on internal control, enterprise risk management, and fraud deterrence designed to improve organizational performance and oversight and to reduce the extent of fraud in organizations. COSO is a private sector initiative, jointly sponsored and funded by:

• American Accounting Association (AAA)
• American Institute of Certified Public Accountants (AICPA)
• Financial Executives International (FEI)
• Institute of Management Accountants (IMA)
• The Institute of Internal Auditors (IIA)

© 2013 Committee of Sponsoring Organizations of the Treadway Commission. All Rights Reserved. No part of this publication may be reproduced, redistributed, transmitted or displayed in any form or by any means without written permission. For information regarding licensing and reprint permissions please contact the American Institute of Certified Public Accountants, licensing and permissions agent for COSO copyrighted materials. Direct all inquiries to copyright@aicpa.org or to AICPA, Attn: Manager, Rights and Permissions, 220 Leigh Farm Rd., Durham, NC 27707. Telephone inquiries may be directed to 888-777-7077.

Internal Control — Integrated Framework
Framework and Appendices
May 2013
Committee of Sponsoring Organizations of the Treadway Commission

Board Members
David L. Landsittel, COSO Chair
Mark S. Beasley, American Accounting Association
Douglas F. Prawitt, American Accounting Association
Charles E. Landes, American Institute of Certified Public Accountants
Marie N. Hollein, Financial Executives International
Richard F. Chambers, The Institute of Internal Auditors
Sandra Richtermeyer, Institute of Management Accountants
Jeffrey C. Thomson, Institute of Management Accountants

PwC — Author
Principal Contributors
Miles E.A. Everson, Engagement Leader, New York, USA
Stephen E. Soske, Project Lead Partner, Boston, USA
Cara M. Beston, Partner, San Jose, USA
Charles E. Harris, Partner, Florham Park, USA
Catherine Jourdan, Director, Paris, France
Jay A. Posklensky, Director, Florham Park, USA
Frank J. Martens, Project Lead Director, Vancouver, Canada
J. Aaron Garcia, San Diego, USA
Sallie Jo Perraglia, Manager, New York, USA

Advisory Council
Sponsoring Organizations Representatives
Audrey A. Gramling, Bellarmine University, Fr. Raymond Treece Endowed Chair
Ray Purcell, Pfizer, Director of Financial Controls
Members at Large
Jennifer Burns, Deloitte, Partner
Cees Klumper, The Global Fund to Fight AIDS, Tuberculosis and Malaria, Chief Risk Officer
Thomas Ray, Baruch College
Kenneth L. Vander Wal, ISACA, International President 2011–2012
Steven E. Jameson, Community Trust Bank, Executive Vice President and Chief Internal Audit & Risk Officer
William D. Schneider Sr., AT&T, Director of Accounting
James DeLoach, Protiviti, Managing Director
Thomas Montminy, PwC, Partner
Dr. Larry E. Rittenberg, University of Wisconsin, Chair Emeritus COSO
J. Stephen McNally, Campbell Soup Company, Finance Director/Controller
Trent Gazzaway, Grant Thornton, Partner
Alan Paulus, Ernst & Young LLP, Partner
Sharon Todd, KPMG, Partner

Regulatory Observers and Other Observers
James Dalkin, Government Accountability Office, Director in the Financial Management and Assurance Team
Amy Steele, Securities and Exchange Commission, Associate Chief Accountant (commencing July 2012)
Harrison E. Greene Jr., Federal Deposit Insurance Corporation, Assistant Chief Accountant
Vincent Tophoff, International Federation of Accountants, Senior Technical Manager
Christian Peo, Securities and Exchange Commission, Professional Accounting Fellow (through June 2012)
Keith Wilson, Public Company Accounting Oversight Board, Deputy Chief Auditor

Additional PwC Contributors
Joseph Atkinson, New York, USA
Jeffrey Boyle, Tokyo, Japan
Glenn Brady, St. Louis, USA
James Chang, Partner, Beijing, China
Mark Cohen, Partner, San Francisco, USA
Andrew Dale, Partner, Chicago, USA
Mary Grace Davenport, Partner, New York, USA
Megan Haas, Partner, Hong Kong, China
Junya Hakoda, Partner (retired), Tokyo, Japan
Diana Hillier, Partner, London, England
Steve Hirt, Partner, Boston, USA
Brian Kinman, Partner, St. Louis, USA
Barbara Kipp, Partner, Boston, USA
Hans Koopmans, Partner, Singapore
Sachin Mandal, Partner, Florham Park, USA
Alan Martin, Partner, Frankfurt, Germany
Pat McNamee, Partner, Florham Park, USA
Jonathan Mullins, Partner (retired), Dallas, USA
Simon Perry, Partner, London, England
Andrew Reinsel, Partner, Cincinnati, USA
Kristin Rivera, Partner, San Francisco, USA
Valerie Wieman, Partner, Florham Park, USA
Alexander Young, Partner, Toronto, Canada
David Albright, Principal, Washington, DC, USA
Charles Yovino, Principal, Atlanta, USA
Eric M. Bloesch, Managing Director, Philadelphia, USA
Christopher Michaelson, Director, Minneapolis, USA
John Morrow, Director, Florham Park, USA
Tracy Walker, Director, Bangkok, Thailand
Qiao Pan, Senior Associate, New York, USA

Table of Contents
Foreword
Framework
1. Definition of Internal Control ... 1
2. Objectives, Components, and Principles ... 5
3. Effective Internal Control ... 17
4. Additional Considerations ... 23
5. Control Environment ... 31
6. Risk Assessment ... 59
7. Control Activities ... 87
8. Information and Communication ... 105
9. Monitoring Activities ... 123
10. Limitations of Internal Control ... 137
Appendices
A. Glossary ... 143
B. Roles and Responsibilities ... 147
C. Considerations for Smaller Entities ... 159
D. Methodology for Revising the Framework ... 163
E. Public Comment Letters ... 165
F. Summary of Changes to the COSO Internal Control — Integrated Framework (1992) ... 173
G. Comparison with COSO Enterprise Risk Management — Integrated Framework ... 181

Foreword

In 1992 the Committee of Sponsoring Organizations of the Treadway Commission (COSO) released its Internal Control—Integrated Framework (the original framework). The original framework has gained broad acceptance and is widely used around the world.
It is recognized as a leading framework for designing, implementing, and conducting internal control and assessing the effectiveness of internal control.

In the twenty years since the inception of the original framework, business and operating environments have changed dramatically, becoming increasingly complex, technologically driven, and global. At the same time, stakeholders are more engaged, seeking greater transparency and accountability for the integrity of systems of internal control that support business decisions and governance of the organization.

COSO is pleased to present the updated Internal Control—Integrated Framework (Framework). COSO believes the Framework will enable organizations to effectively and efficiently develop and maintain systems of internal control that can enhance the likelihood of achieving the entity's objectives and adapt to changes in the business and operating environments.

The experienced reader will find much that is familiar in the Framework, which builds on what has proven useful in the original version. It retains the core definition of internal control and the five components of internal control. The requirement to consider the five components to assess the effectiveness of a system of internal control remains fundamentally unchanged. Also, the Framework continues to emphasize the importance of management judgment in designing, implementing, and conducting internal control, and in assessing the effectiveness of a system of internal control.
At the same time, the Framework includes enhancements and clarifications that are intended to ease use and application. One of the more significant enhancements is the formalization of fundamental concepts that were introduced in the original framework. In the Framework, these concepts are now principles, which are associated with the five components, and which provide clarity for the user in designing and implementing systems of internal control and for understanding requirements for effective internal control.

The Framework has been enhanced by expanding the financial reporting category of objectives to include other important forms of reporting, such as non-financial and internal reporting. Also, the Framework reflects considerations of many changes in the business and operating environments over the past several decades, including:

• Expectations for governance oversight
• Globalization of markets and operations
• Changes and greater complexities in business
• Demands and complexities in laws, rules, regulations, and standards
• Expectations for competencies and accountabilities
• Use of, and reliance on, evolving technologies
• Expectations relating to preventing and detecting fraud

An Executive Summary provides a high-level overview intended for the board of directors, chief executive officer, and other senior management. This Framework and Appendices publication sets out the Framework, including the definition of internal control, requirements for effective internal control including components and relevant principles, and direction for all levels of management in designing, implementing, and conducting internal control and in assessing its effectiveness.
Included within the Framework and Appendices publication are ten chapters that constitute the Framework. Appendices within the Framework and Appendices publication provide reference, but are not considered a part of the Framework. The Illustrative Tools for Assessing Effectiveness of a System of Internal Control provides templates and scenarios that may be useful in applying the Framework.

In addition to the Framework, Internal Control over External Financial Reporting: A Compendium of Approaches and Examples has been published concurrently to provide practical approaches and examples that illustrate how the components and principles set forth in this Framework can be applied in preparing external financial statements.

COSO previously issued Guidance on Monitoring Internal Control Systems to assist organizations in understanding and applying monitoring activities within a system of internal control. While this guidance was prepared to help in applying the original framework, COSO believes that it has similar applicability to the updated Framework.

COSO may, in the future, issue other documents to provide assistance in applying the Framework. However, neither the Internal Control over External Financial Reporting: A Compendium of Approaches and Examples, Guidance on Monitoring Internal Control Systems, nor any other past or future guidance takes precedence over the Framework.

Among other publications published by COSO is the Enterprise Risk Management—Integrated Framework (ERM Framework). The ERM Framework and the Framework are intended to be complementary, and neither supersedes the other. Yet, while these frameworks are distinct and provide a different focus, they do overlap. The ERM Framework encompasses internal control, with several portions of the text of the original framework reproduced within that document.
The ERM Framework remains a viable and suitable framework for designing, implementing, and conducting and assessing the effectiveness of enterprise risk management.

Finally, the COSO Board would like to thank PwC and the Advisory Council for their contributions in developing the Framework and related documents. The full consideration of input provided by many stakeholders and their insight were instrumental in ensuring that the core strengths of the original framework have been preserved, clarified, and strengthened.

David L. Landsittel
COSO Chair

1. Definition of Internal Control

The purpose of this Internal Control—Integrated Framework (Framework) is to help management better control the organization and to provide a board of directors¹ with an added ability to oversee internal control. A system of internal control allows management to stay focused on the organization's pursuit of its operations and financial performance goals, while operating within the confines of relevant laws and minimizing surprises along the way. Internal control enables an organization to deal more effectively with changing economic and competitive environments, leadership, priorities, and evolving business models.

Understanding Internal Control

Internal control is defined as follows:

Internal control is a process, effected by an entity's board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting, and compliance.
This definition emphasizes that internal control is:

• Geared to the achievement of objectives in one or more separate but overlapping categories—operations, reporting, and compliance
• A process consisting of ongoing tasks and activities—a means to an end, not an end in itself
• Effected by people—not merely about policy and procedure manuals, systems, and forms, but about people and the actions they take at every level of an organization to effect internal control
• Able to provide reasonable assurance—but not absolute assurance—to an entity's senior management and board of directors
• Adaptable to the entity structure—flexible in application for the entire entity or for a particular subsidiary, division, operating unit, or business process

This definition of internal control is intentionally broad for two reasons. First, it captures important concepts that are fundamental to how organizations design, implement, and conduct internal control and assess effectiveness of their system of internal control, providing a basis for application across various types of organizations, industries, and geographic regions. Second, the definition accommodates subsets of internal control. Those who want to may focus separately, for example, on internal control over reporting or controls relating to complying with laws and regulations. Similarly, a directed focus on controls in particular units or activities of an entity can be accommodated.

¹ The Framework uses the term "board of directors," which encompasses the governing body, including the board, board of trustees, general partners, owner, or supervisory board.
The definition also provides flexibility in application, allowing an organization to sustain internal control across the entire entity; at a subsidiary, division, or operating unit level; or within a function relevant to the entity's operations, reporting, or compliance objectives, based on the entity's specific needs or circumstances.

Geared to the Achievement of Objectives

The Framework sets forth three categories of objectives, which allow organizations to focus on separate aspects of internal control:

• Operations Objectives—These pertain to effectiveness and efficiency of the entity's operations, including operational and financial performance goals, and safeguarding assets against loss.
• Reporting Objectives—These pertain to internal and external financial and non-financial reporting and may encompass reliability, timeliness, transparency, or other terms as set forth by regulators, standard setters, or the entity's policies.
• Compliance Objectives—These pertain to adherence to laws and regulations to which the entity is subject.

These distinct but overlapping categories—a particular objective can fall under more than one category—address different needs and may be the direct responsibility of different individuals. The three categories also indicate what can be expected from internal control.

A system of internal control is expected to provide an organization with reasonable assurance that those objectives relating to external reporting and compliance with laws and regulations will be achieved. Achieving those objectives, which are based largely on laws, rules, regulations, or standards established by legislators, regulators, and standard setters, depends on how activities within the entity's control are performed. Generally, management and/or the board have greater discretion in setting internal reporting objectives that are not driven primarily by such external parties.
However, the organization may choose to align its internal and external reporting objectives to allow internal reporting to better support the entity's external reporting.

Achievement of some operations objectives—such as a particular return on investment, market share, or maintaining safe operations—is not always within the organization's control. For instance, suppose an airline has specified an objective to depart 90% of all flights on time. Adverse weather such as hurricanes and snowstorms are external events beyond management's control that have the potential to significantly impact the achievement of that objective. For these types of operations objectives, systems of internal control can only provide reasonable assurance that management and the board are made aware, in a timely manner, of the extent to which the entity is moving toward those objectives.

Where external events are unlikely to have a significant impact on the achievement of specified operations objectives, or where the organization can reasonably predict the nature and timing of external events and mitigate the impact to an acceptable level, the entity may be able to attain reasonable assurance that these objectives can be achieved. For instance, suppose management specifies an objective to conduct routine servicing of equipment every 600 hours of operation. Management believes that achievement of this objective is largely within its control, while recognizing that there may be external events—such as a pandemic that could cause significant reductions in the workforce and related reductions in maintenance hours—that have the potential to impact the achievement of the objective, but that are unlikely to occur.

A Process

Internal control is not one event or circumstance, but a dynamic and iterative process²—actions that permeate an entity's activities and that are inherent in the way management runs the entity.
Embedded within this process are controls consisting of policies and procedures. These policies reflect management or board statements of what should be done to effect internal control. Such statements may be documented, explicitly stated in other management communications, or implied through management actions and decisions. Procedures consist of actions that implement a policy.

Business processes, which are conducted within or across operating units or functional areas, are managed through the fundamental management activities, such as planning, executing, and checking. Internal control is integrated with these processes. Internal control embedded within these business processes and activities is likely more effective and efficient than stand-alone controls.

Effected by People

Internal control is effected by the board of directors, management, and other personnel. It is accomplished by the people of an organization, by what they do and say. People establish the entity's objectives and put actions in place to achieve specified objectives.

The board's oversight responsibilities include providing advice and direction to management, constructively challenging management, approving policies and transactions, and monitoring management's activities. Consequently, the board of directors is an important element of internal control. The board and senior management establish the tone for the organization concerning the importance of internal control and the expected standards of conduct across the entity.

Issues arise every day in managing an entity. People may not fully understand the nature of risk, communicate effectively, or perform consistently. Each individual brings to the workplace a unique background and ability, and each has different needs and priorities.
These individual differences can be inherently valuable and beneficial to innovation and productivity, but if not properly aligned with the entity's objectives they can be counterproductive. Yet, people must know their responsibilities and limits of authority. Accordingly, a clear and close linkage needs to exist between people's roles and responsibilities and the way in which these duties are communicated, carried out, and aligned with the entity's objectives.

² Although referred to as a process, internal control comprises many processes.

Provides Reasonable Assurance

An effective system of internal control provides management and the board of directors with reasonable assurance regarding achievement of an entity's objectives. The term "reasonable assurance" rather than "absolute assurance" acknowledges that limitations exist in all systems of internal control, and that uncertainties and risks may exist, which no one can confidently predict with precision. Absolute assurance is not possible.

Reasonable assurance does not imply that an entity will always achieve its objectives. Effective internal control increases the likelihood of an entity achieving its objectives. However, the likelihood of achievement is affected by limitations inherent in all systems of internal control, such as human error, the uncertainty inherent in judgment, and the potential impact of external events outside management's control. Additionally, a system of internal control can be circumvented if people collude. Further, if management is able to override controls, the entire system may fail. Even though an entity's system of internal control should be designed to prevent and detect collusion, human error, and management override, an effective system of internal control can experience a failure.
Adaptable to the Entity Structure

Entities may be structured along various dimensions. The management operating model may follow product or service lines, and reporting may be done for a consolidated entity, division, or operating unit, with geographic markets providing for further subdivisions or aggregations of performance. The management operating model may utilize outsourced service providers to support the achievement of objectives.

The legal entity structure is typically designed to follow regulatory reporting requirements, limit risk, or provide tax benefits. Often the organization of legal entities is quite different from the management operating model used to manage operations, allocate resources, measure performance, and report results.

Internal control can be applied, based on management's decisions and in the context of legal or regulatory requirements, to the management operating model, legal entity structure, or a combination of these.

2. Objectives, Components, and Principles

Introduction

An organization adopts a mission and vision, sets strategies, establishes objectives it wants to achieve, and formulates plans for achieving them. Objectives may be set for an entity as a whole or be targeted to specific activities within the entity. Though many objectives are specific to a particular entity, some are widely shared. For example, objectives common to most entities are sustaining organizational success, reporting to stakeholders, recruiting and retaining motivated and competent employees, achieving and maintaining a positive reputation, and complying with laws and regulations.
Supporting the organization in its efforts to achieve objectives are five components of internal control:

• Control Environment
• Risk Assessment
• Control Activities
• Information and Communication
• Monitoring Activities

These components are relevant to an entire entity and to the entity level, its subsidiaries, divisions, or any of its individual operating units, functions, or other subsets of the entity.

Relationship of Objectives, Components, and the Entity

A direct relationship exists between objectives, which are what an entity strives to achieve, components, which represent what is required to achieve the objectives, and entity structure (the operating units, legal entities, and other structures). The relationship can be depicted in the form of a cube.

• The three categories of objectives are represented by the columns.
• The five components are represented by the rows.
• The entity structure, which represents the overall entity, divisions, subsidiaries, operating units, or functions, including business processes such as sales, purchasing, production, and marketing and to which internal control relates, is depicted by the third dimension of the cube.³

³ Throughout the Framework, the term "the entity and its subunits" refers to the overall entity, divisions, subsidiaries, operating units, and functions.

Each component cuts across and applies to all three categories of objectives. For example, attracting, developing, and retaining competent people who are able to conduct internal control—part of the control environment component—is relevant to all three objectives categories.

The three categories of objectives are not parts or units of the entity. For instance, operations objectives relate to the efficiency and effectiveness of operations, not specific operating units or functions such as sales, marketing, procurement, or human resources.
Accordingly, when considering the category of objectives related to reporting, for example, knowledge of a wide array of information about the entity's operations is needed. In that case, focus is on the middle column of the model—reporting objectives—rather than on the operations objectives category.

Internal control is a dynamic, iterative, and integrated process. For example, risk assessment not only influences the control environment and control activities, but also may highlight a need to reconsider the entity's requirements for information and communication, or for its monitoring activities. Thus, internal control is not a linear process where one component affects only the next. It is an integrated process in which components can and will impact another.

No two entities will, or should, have the same system of internal control. Entities, objectives, and systems of internal control differ by industry and regulatory environment, as well as by internal considerations such as the size, nature of the management operating model, tolerance for risk, reliance on technology, and competence and number of personnel. Thus, while all entities require each of the components to maintain effective internal control over their activities, one entity's system of internal control will look different from another's.

Objectives

Management, with board oversight, sets entity-level objectives that align with the entity's mission, vision, and strategies. These high-level objectives reflect choices made by management and the board of directors about how the organization seeks to create, preserve, and realize value for its stakeholders. Such objectives may focus on the entity's unique operations needs, or align with laws, rules, regulations, and standards imposed by legislators, regulators, and standard setters, or some combination of the two. Setting objectives is a prerequisite to internal control and a key part of the management process relating to strategic planning.
Individuals who are part of the system of internal control need to understand the overall strategies and objectives set by the organization. As part of internal control, management specifies suitable objectives so that risks to the achievement of such objectives can be identified and assessed. Specifying objectives includes the articulation of specific, measurable or observable, attainable, relevant, and time-bound objectives. However, there may be instances where an entity might not explicitly document an objective. Objectives specified in appropriate detail can be readily understood by the people who are working toward achieving them.

Categories of Objectives

The Framework groups entity objectives into the three categories of operations, reporting, and compliance.

Operations Objectives

Operations objectives relate to the achievement of an entity's basic mission and vision—the fundamental reason for its existence. These objectives vary based on management's choices relating to the management operating model, industry considerations, and performance. Entity-level objectives cascade into related sub-objectives for operations within divisions, subsidiaries, operating units, and functions, directed at enhancing effectiveness and efficiency in moving the entity toward its ultimate goal.

As such, operations objectives may relate to improving financial performance, productivity (e.g., avoiding waste and rework), quality, environmental practices, innovation, and customer and employee satisfaction. These objectives pertain to all types of entities. For example, a for-profit entity may focus on revenue, profitability, return on assets, and liquidity. In contrast, a not-for-profit entity, though certainly concerned with revenues or levels of spending, may focus more on increasing donor participation.
A governmental agency may focus on achieving the mission established by the legislature or governing body, by effectively and efficiently managing specific government programs and its spending in line with the designated purposes of its appropriators to ensure objectives are supported. If an entity's operations objectives are not well conceived or clearly specified, its resources may be misdirected.

Safeguarding of Assets

The operations category of objectives includes safeguarding of assets, in other words, protecting and preserving entity assets. For instance, an entity may set objectives relating to the prevention of loss of assets and the timely detection and reporting of any such losses. These objectives form the basis of assessing risk relating to safeguarding of assets and selecting and developing controls needed to mitigate such risk.

The efficient use of an entity's assets and prevention of loss through waste, inefficiency, or poor business decisions (e.g., selling product at too low a price, extending credit to bad risks, failing to retain key employees, allowing patent infringement to occur, incurring unforeseen liabilities) relate to broader operations objectives and are not a specific consideration relating to safeguarding of assets.

Laws, rules, regulations, and external standards have created an expectation that management reporting on internal control includes controls relating to preventing and detecting unauthorized acquisition, use, or disposition of entity assets. In addition, some entities consider safeguarding of assets a separate category of objective, and that view can be accommodated within the application of the Framework.

Reporting Objectives

Reporting objectives pertain to the preparation of reports for use by organizations and stakeholders.
Reporting objectives may relate to financial or non-financial reporting and to internal or external reporting. Internal reporting objectives are driven by internal requirements in response to a variety of potential needs such as the entity's strategic directions, operating plans, and performance metrics at various levels. External reporting objectives are driven primarily by regulations and/or standards established by regulators and standard-setting bodies.

• External Financial Reporting Objectives—Entities need to achieve external financial reporting objectives to meet obligations to and expectations of stakeholders. Financial statements are necessary for accessing capital markets and may be critical to being awarded contracts or in dealing with suppliers and vendors. Investors, analysts, and creditors often rely on an entity's external financial statements to assess its performance against peers and alternative investments. Management may also be required to publish financial statements using objectives set forth by rules, regulations, and external standards.
• External Non-Financial Reporting Objectives—Management may report external non-financial information in accordance with laws, rules, regulations, standards, or other frameworks. Non-financial reporting requirements as set forth by regulations and standards for management reporting on the effectiveness of internal control over financial reporting are part of external non-financial reporting objectives. For purposes of the Framework, external reporting in the absence of a law, rule, regulation, standard, or framework represents external communication.
• Internal Financial and Non-Financial Reporting Objectives—Internal reporting to management and the board of directors includes information deemed necessary to manage the organization. It supports decision making and assessment of the entity's activities and performance.
Internal reporting objectives are based on preferences and judgments of management and the board. Internal reporting objectives vary among entities because different organizations have different strategic directions, operating plans, and expectations.

Relationship within Reporting Category of Objectives

The overall relationship between the four sub-categories of reporting objectives is shown in the graphic below.

[Figure: the four sub-categories of reporting objectives (External Financial Reporting, External Non-Financial Reporting, Internal Financial Reporting, Internal Non-Financial Reporting) with the characteristics of external reporting (used to meet external rules, prepared in accordance with external standards, may be required by regulators, contracts, agreements) and of internal reporting (used in managing the business, determined by management and the board), and examples of each]

Reporting objectives are different from the Information and Communication component of internal control. Management establishes, with board oversight, reporting objectives when the organization needs reasonable assurance of achieving a particular reporting objective. In these situations all five components of internal control are needed. For instance, in preparing internal non-financial reporting to the board on the status of merger integration efforts, the organization specifies internal reporting objectives (e.g.,
prepares reliable, relevant, and useful reports), assigns competent individuals, assesses risks relating to specified objectives, selects and develops controls within the five components necessary to mitigate such risks, and monitors components of internal control supporting the specified non-financial reporting objective.

In contrast, the Information and Communication component supports the functioning of all components of reporting objectives, as well as operations and compliance objectives. For instance, controls within Information and Communication support the preparation of the above report, helping to provide relevant and quality information underlying the report, but these controls are only part of the overall system of internal control.

Compliance Objectives

Entities must conduct activities, and often take specific actions, in accordance with applicable laws and regulations. As part of specifying compliance objectives, the organization needs to understand which laws, rules and regulations apply across the entity. Many laws and regulations are generally well known, such as those relating to human resources, taxation, and environmental compliance, but others may be more obscure, such as those that apply to an entity conducting operations in a remote foreign territory.

Laws and regulations establish minimum standards of conduct expected of the entity. The organization is expected to incorporate these standards into the objectives set for the entity. Some organizations will set objectives to a higher level of performance than established by laws and regulations. In setting those objectives, management is able to exercise discretion relative to the performance of the entity. For instance, a particular law may limit minors working outside school hours to eighteen hours in a school week.
However, a retail food service company may choose to limit its minor-age staff to working fifteen hours per week.

For purposes of the Framework, compliance with an entity's internal policies and procedures, as opposed to compliance with external laws and regulations as discussed above, relates to operations objectives.

Overlap of Objectives Categories

An objective in one category may overlap or support an objective in another. For example, "closing financial reporting period within five workdays" may be a goal supporting primarily an operations objective—to support management in reviewing business performance. But it also supports timely reporting and filings with regulatory agencies.

The category in which an objective falls may vary depending on the circumstances. For instance, controls to prevent theft of assets—such as maintaining a fence around inventory, or having a gatekeeper to verify proper authorization of requests for movement of goods—fall under the operations category. These controls may not be relevant to reporting where inventory losses are detected after a periodic physical inspection and recorded in the financial statements. However, if for reporting purposes management relies solely on perpetual inventory records, as may be the case for interim or internal financial reporting, the physical security controls would then also fall within the reporting category. These physical security controls, along with controls over the perpetual inventory records, are needed to achieve reporting objectives. A clear understanding is needed of the entity's business processes, policies and procedures, and the respective impact on each category of objectives.

Basis of Objectives Categories

Some objectives are derived from the regulatory or industry environments in which the entity operates. For example:

• Some entities submit information to environmental agencies.
• Publicly traded companies file information with securities regulators.
• Universities report grant expenditures to government agencies.

These objectives are established largely by law or regulation, and fall into the category of compliance, external reporting, or, in these examples, both.

Conversely, operations and internal reporting objectives are based more on the organization's preferences, judgments, and choices. These objectives vary widely among entities simply because informed and competent people may select different objectives. For example, one organization might choose to be an early adopter of emerging technologies in developing new products, whereas another might be a quick follower, and yet another a late adopter. These choices would reflect the entity's strategies and the competencies, technologies, and controls within its research and development function. Consequently, no one formulation of objectives can be optimal for all entities.

Objectives and Sub-Objectives

Management links specified entity-level objectives to more specific sub-objectives that cascade throughout the organization. Sub-objectives also are established as part of or flowing from the strategy-setting process, and relate to the entity and its subunits and functional activities such as sales, production, engineering, marketing, productivity, employee engagement, innovation, and information technology. Management aligns these sub-objectives with entity-level objectives and coordinates these across the entity.

Where entity-level objectives are consistent with prior practice and performance, the linkage between activities is usually known. Where objectives depart from an entity's past practices, management addresses the linkages or accepts increased risks. For example, an entity-level objective relating to customer satisfaction depends on linked sub-objectives dealing with the introduction of services that use a newer and less proven technology infrastructure.
These sub-objectives might need to be substantially changed if past practice used older, proven technologies.

Sub-objectives for operating units and functional activities also need to be specific, measurable or observable, attainable, relevant, and time-bound. In addition, they must be readily understood by the people who are working toward achieving them. Management and other personnel require a mutual understanding of both what is to be accomplished and the means of determining to what extent it is accomplished in order to ensure individual and team accountability.

Entities may specify multiple sub-objectives for each activity, flowing both from the entity-level objectives and from established standards relating to compliance and reporting objectives, as deemed suitable in the circumstances. For example, procurement operations objectives may be to:

• Purchase goods that meet engineering specifications
• Purchase goods from companies that meet environmental, health, and safety specifications (e.g., no child labor, good working conditions)
• Negotiate acceptable prices and other terms

As another example, when specifying suitable external reporting objectives relating to the preparation of external financial statements, management considers accounting standards, financial statement assertions, and qualitative characteristics that are applicable to the entity and its subunits. For example, management may set an entity-level external financial reporting objective as follows: "Our company prepares reliable financial statements reflecting transactions and events in accordance with generally accepted accounting principles."

Management also specifies suitable sub-objectives for divisions, subsidiaries, operating units, and functions with sufficient clarity to support entity-level objectives.
For instance, management specifies sub-objectives for sales transactions that apply appropriate accounting standards based on the circumstances and that address relevant financial statement assertions and qualitative characteristics, such as:

• All sales transactions that occur are recorded on a timely basis.
• Sales transactions are recorded at correct amounts in the right accounts.
• Sales transactions are accurately and completely summarized in the entity's books and records.
• Presentation and disclosures relating to sales are properly described, sorted, and classified.

Components and Principles of Internal Control

The Framework sets out five components of internal control and seventeen principles representing the fundamental concepts associated with components. Those components and principles of internal control are suitable for all entities. All seventeen principles apply to each category of objective, as well as to objectives and sub-objectives within a category. For instance, an entity may apply the Framework relative to complying with a specific law regarding commercial arrangements with foreign entities, a sub-category of the compliance category of objectives.

Below is a summary of each of the five components of internal control and the principles relating to each component. Each of the principles is covered in the respective component chapters.[7]

[7] For purposes of the Framework, when describing principles the term "organization" is used to capture the meaning of, collectively, the board of directors, management, and other personnel. Typically, the board of directors serves in an oversight capacity within this term.

Control Environment

The control environment is the set of standards, processes, and structures that provide the basis for carrying out internal control across the organization. The board of directors and senior management establish the tone at the top regarding the importance of internal control and expected standards of conduct. There are five principles relating to Control Environment:

1. The organization demonstrates a commitment to integrity and ethical values.
2. The board of directors demonstrates independence from management and exercises oversight of the development and performance of internal control.
3. Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives.
4. The organization demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives.
5. The organization holds individuals accountable for their internal control responsibilities in the pursuit of objectives.

Risk Assessment

Risk assessment involves a dynamic and iterative process for identifying and analyzing risks to achieving the entity's objectives, forming a basis for determining how risks should be managed. Management considers possible changes in the external environment and within its own business model that may impede its ability to achieve its objectives. There are four principles relating to Risk Assessment:

6. The organization specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives.
7. The organization identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed.
8. The organization considers the potential for fraud in assessing risks to the achievement of objectives.
9. The organization identifies and assesses changes that could significantly impact the system of internal control.

Control Activities

Control activities are the actions established by policies and procedures to help ensure that management directives to mitigate risks to the achievement of objectives are carried out. Control activities are performed at all levels of the entity and at various stages within business processes, and over the technology environment. There are three principles relating to Control Activities:

10. The organization selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels.
11. The organization selects and develops general control activities over technology to support the achievement of objectives.
12. The organization deploys control activities through policies that establish what is expected and procedures that put policies into action.

Information and Communication

Information is necessary for the entity to carry out internal control responsibilities in support of achievement of its objectives. Communication occurs both internally and externally and provides the organization with the information needed to carry out day-to-day controls. Communication enables personnel to understand internal control responsibilities and their importance to the achievement of objectives. There are three principles relating to Information and Communication:

13. The organization obtains or generates and uses relevant, quality information to support the functioning of internal control.
14. The organization internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control.
15. The organization communicates with external parties regarding matters affecting the functioning of internal control.

Monitoring Activities

Ongoing evaluations, separate evaluations, or some combination of the two are used to ascertain whether each of the five components of internal control, including controls to effect the principles within each component, is present and functioning. Findings are evaluated and deficiencies are communicated in a timely manner, with serious matters reported to senior management and to the board. There are two principles relating to Monitoring Activities:

16. The organization selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning.
17. The organization evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate.

Internal Control and the Management Process

Because internal control is a part of management's overall responsibility, the five components are discussed in the context of the management of the entity. Not every decision or action of management, however, is part of internal control:

• Having a board that comprises directors with sufficient independence from management and that carries out its oversight role is part of internal control. However, many decisions reached by the board are not part of internal control; for example, approving a particular mission or vision. The board also fulfills a variety of governance responsibilities in addition to its responsibilities for oversight of internal control.
• Making strategic decisions impacting the entity's objectives is not part of internal control. An organization may apply enterprise risk management approaches or other approaches in setting objectives.
• Setting the overall level of acceptable risk and associated risk appetite[8] is part of strategic planning and enterprise risk management, not part of internal control. Similarly, setting risk tolerance levels in relation to specific objectives is also not part of internal control.
• Selecting and developing controls designed to mitigate risks based on the organization's risk assessment process is a part of internal control; however, choosing which risk response is preferred to address specific risks is not part of internal control.

Internal Control and Objective-Setting

It is not practical to design and implement a system of internal control unless the entity's objectives are established, set, and specified for the organization. Establishing and setting objectives and related sub-objectives are parts of or flow from the strategic planning process, with consideration given to laws, rules, regulations, and standards as well as management's own choices. However, internal control cannot dictate or establish what an entity's objectives should be.
As part of internal control, an organization specifies objectives by:

• Articulating and codifying specific, measurable or observable, attainable, relevant and time-based objectives
• Assessing suitability of objectives and sub-objectives for internal control based on facts, circumstances, and established laws, rules, regulations, and standards
• Communicating objectives and sub-objectives throughout the entity

[8] Risk appetite is defined as the amount of risk, on a broad level, an entity is willing to accept in pursuit of value.

The following diagram illustrates establishing and setting objectives as part of the management process outside of internal control, and specifying and using objectives as part of internal control in the context of an external financial reporting and an operations objective.

The diagram has four columns: External Parties; Part of the Management Process; Part of Internal Control (specifying objectives); and Part of Internal Control (using objectives).

External Parties: External parties establish laws, rules, and standards (where applicable) relating to compliance and external financial reporting objectives.
Part of the Management Process: Set strategic objectives and select strategy within the context of an entity's established mission or vision. Set entity-wide objectives and develop risk tolerances based on entity requirements suitable in the circumstances. Align objectives with the overall risk appetite, and set objectives and sub-objectives for the entity and its subunits suitable in those circumstances.
Part of Internal Control (specifying objectives): Articulate specific, measurable or observable, attainable, relevant and time-based objectives and sub-objectives. Assess and affirm the suitability of objectives and sub-objectives for internal control based on facts, circumstances, and established laws, rules, and standards. Communicate objectives and sub-objectives throughout the entity and its subunits.
Part of Internal Control (using objectives): Use specified objectives and sub-objectives as the basis for risk assessment.

Examples of Financial Reporting Objectives and Sub-Objectives

External Parties: The Financial Accounting Standards Board (FASB) established accounting principles generally accepted in the United States of America (US GAAP).
Part of the Management Process: Our company prepares reliable financial statements reflecting transactions and events in accordance with US GAAP.
Part of Internal Control (specifying objectives): Management assesses and affirms that US GAAP is suitable in the circumstances. If not, management provides feedback to the objective-setting process.
Part of Internal Control (using objectives): Management identifies and assesses risk to preparing reliable financial statements reflecting activities in accordance with US GAAP.

External Parties: A normative body establishes an accounting standard on revenue recognition for sales-type capital leases or recognizing rental revenue over the operating lease term.
Part of the Management Process: Our company recognizes sales revenue upon installation of equipment.
Part of Internal Control (specifying objectives): Operating unit financial management assesses and affirms suitability of applicable accounting standards relating to equipment sales. If not, operating unit financial management provides feedback to the objective-setting process.
Part of Internal Control (using objectives): Operating unit financial management identifies and assesses risk to recording revenue on equipment sales in accordance with US GAAP.

Example of Operations Objectives

External Parties: Not applicable for operations objectives.
Part of the Management Process: Our company seeks to improve performance by increasing inventory turnover ratio to twelve times per year, recognizing that lower inventory levels may result in more backorders for customers.
Part of Internal Control (specifying objectives): Operating unit management assesses suitability of operations objectives relating to inventory turnover and customer backorder goals. If not, operating unit management provides feedback to the objective-setting process.
Part of Internal Control (using objectives): Operating unit management identifies and assesses risk to the achievement of an inventory turnover ratio of twelve times per year.

Limitations of Internal Control

The Framework recognizes that while an effective system of internal control provides reasonable assurance of achieving the entity's objectives, inherent limitations do exist. Even an effective system of internal control can experience a failure. These limitations may result from the:

• Suitability of objectives established as a precondition to internal control
• Reality that human judgment in decision making can be faulty and subject to bias
• Breakdowns that can occur because of human failures such as errors
• Ability of management to override internal control
• Ability of management, other personnel, and/or third parties to circumvent controls through collusion
• External events beyond the organization's control

These limitations preclude the board and management from having absolute assurance of the achievement of the entity's objectives—that is, internal control provides reasonable but not absolute assurance.

3. Effective Internal Control

Requirements for Effective Internal Control

An effective system of internal control provides reasonable assurance of achievement of an entity's objectives. Because internal control is relevant both to the entity and its subunits, an effective system of internal control may relate to a specific part of the organizational structure. An effective system of internal control reduces, to an acceptable level, the risk of not achieving an objective relating to one, two, or all three categories. It requires that:

• Each of the five components of internal control and relevant principles is present and functioning[9]
• The five components are operating together in an integrated manner

In determining whether a system of internal control is effective, management exercises judgment in assessing whether each of the components and relevant principles is present and functioning and components are operating together.

When internal control is determined to be effective, senior management and the board of directors have reasonable assurance of the following categories of objectives:

• Operations: the organization
  - achieves effective and efficient operations when external events are considered unlikely to have a significant impact on the achievement of objectives or when the organization can reasonably predict the nature and timing of external events and mitigate the impact to an acceptable level
  - understands the extent to which operations are managed effectively and efficiently when external events may have a significant impact on the achievement of objectives and the impact cannot be mitigated to an acceptable level
• Reporting: the organization prepares reports in conformity with applicable laws, rules, regulations, and standards established by legislators, regulators, and standard setters, or with the entity's specified objectives and related policies
• Compliance: the organization complies with applicable laws, rules, and regulations.

The Framework sets forth that components and relevant principles are requisite to an effective system of internal control. It does not prescribe the process for how management assesses its effectiveness.

[9] Chapter 4, Additional Considerations, introduces points of focus as important characteristics of principles. The Framework does not require that management assess separately whether points of focus are in place.
Suitability and Relevance of Components and Principles

The Framework views all components of internal control as suitable and relevant to all entities.

Principles are fundamental concepts associated with components. As such, the Framework views the seventeen principles as suitable to all entities. The Framework presumes that principles are relevant because they have a significant bearing on the presence and functioning of an associated component. Accordingly, if a relevant principle is not present and functioning, the associated component cannot be present and functioning.

There may be a rare industry, operating, or regulatory situation in which management has determined that a principle is not relevant to a component. Considerations in applying this judgment may include the entity structure recognizing any legal, regulatory, industry, or contractual requirements for governance of the entity, and the level of use and dependence on technology used by the entity. Management must support its determination that a principle is not relevant with the rationale of how, in the absence of that principle, the associated component can be present and functioning.

Present and Functioning

The phrase "present and functioning" applies to components and principles.

• "Present" refers to the determination that components and relevant principles exist in the design and implementation of the system of internal control to achieve specified objectives.
• "Functioning" refers to the determination that components and relevant principles continue to exist in the conduct of the system of internal control to achieve specified objectives.

In determining whether a component is present and functioning, senior management, with board of director oversight, needs to determine to what extent relevant principles are present and functioning.
However, a principle being present and functioning does not imply that the organization strives for the highest level of performance in applying that particular principle. Rather, management exercises judgment in balancing the cost and benefit of designing, implementing, and conducting internal control.

Operating Together

The Framework requires that all components operate together in an integrated manner. "Operating together" refers to the determination that all five components collectively reduce, to an acceptable level, the risk of not achieving an objective. Components are interdependent with a multitude of interrelationships and linkages among them, particularly the manner in which principles interact within and across components. Components that are present and functioning capture the inherent interdependencies and linkages among them. Examples of components operating together include the following:

• The organization establishes expected standards of conduct and sets performance measures and incentives within the Control Environment to reduce the potential for fraudulent behavior and may impact the assessed level of fraud risk evaluated within Risk Assessment.
• The development and deployment of policies and procedures as part of Control Activities contributes to the mitigation of risks identified and analyzed within Risk Assessment.
• The processing of relevant, quality information within Information and Communication supports deployment of business process and transaction controls within Control Activities and performance of ongoing and separate evaluations of such controls within Monitoring Activities.
• The communication of internal control deficiencies to those responsible for taking corrective actions as part of Monitoring Activities requires a full understanding of the entity's structures, reporting lines, authorities and responsibilities as set forth in the Control Environment and as communicated within Information and Communication.

Accordingly, management can demonstrate that components operate together when:

• Components are present and functioning
• Internal control deficiencies aggregated across components do not result in the determination that one or more major deficiencies exist

Deficiencies in Internal Control

There are many potential sources for identifying internal control deficiencies, including the entity's monitoring activities, other components, and external parties that provide input relative to the presence and functioning of components and relevant principles. The term "internal control deficiency" refers to a shortcoming in a component or components and relevant principle(s) that reduces the likelihood of an entity achieving its objectives. An internal control deficiency or combination of deficiencies that severely reduces the likelihood that the entity can achieve its objectives is referred to as a "major deficiency." As illustrated below, a major deficiency is a subset of internal control deficiencies. As such, a major deficiency is by definition also an internal control deficiency.

[Figure: Major Deficiencies shown as a subset of Internal Control Deficiencies]

When a major deficiency exists, the organization cannot conclude that it has met the requirements for an effective system of internal control. A major deficiency exists in the system of internal control when management determines that a component and one or more relevant principles are not present or functioning or that components are not operating together.
A major deficiency in one component cannot be mitigated to an acceptable level by the presence and functioning of another component. Similarly, a major deficiency in a relevant principle cannot be mitigated to an acceptable level by the presence and functioning of other principles.

In determining whether components and relevant principles are present and functioning, management can consider controls to effect principles.[10] For instance, in assessing whether the principle Assesses Fraud Risk may not be present and functioning, the organization can consider controls to effect other principles, such as those relating to Establishes Structure, Authority, and Responsibility and Enforces Accountability. By considering controls initially considered in the context of other principles, management may be able to determine that the principle Assesses Fraud Risk is present and functioning.

Management exercises judgment to assess the severity of an internal control deficiency, or combination of deficiencies, in determining whether components and relevant principles are present and functioning, and components are operating together, and ultimately in determining the effectiveness of the entity's system of internal control. Further, these judgments may vary depending on the category of objectives.

Regulators, standard-setting bodies, and other relevant third parties may establish criteria for defining the severity of, evaluating, and reporting internal control deficiencies. The Framework recognizes and accommodates their authority and responsibility as established through law, rules, regulations, and external standards. In those instances where an entity is applying a law, rule, regulation, or external standard, management should use only the relevant criteria contained in those documents to classify the severity of internal control deficiencies, rather than relying on the classifications set forth in the Framework.
The Framework recognizes that any internal control deficiency that results in a system of internal control not being effective pursuant to such criteria would also preclude management from concluding that the entity has met. the requirements for effective internal control in accordance with the Framework (e.g, ‘a major non-conformity relating to operations or compliance objectives, or a material weakness relating to compliance or external reporting objectives). For internal reporting and operations objectives, senior management, with board of itector oversight, may establish objective criteria for evaluating internal contol deti= ciencies and for how deficiencies should be reported to those responsible for achieving these objectives. 7 There "Toe ane how they fect princes i ther describe in Ghapter 4, Aston nena —reytet Fanon wf nn Conmanetion« anong Aies ma rane Enomes Ri sess Cnt Ales om Other Considerations Although the organization may rely on an outsourced service provider to conduct business processes, policies, and procedures on behalf of the entity, management retains ultimate responsibilty for meeting the requirements for an effective system of Internal control Management's assessment of the effectiveness of internal control occurs within the entity's system of internal control. Other parties interacting with the entity, such as external auditors and regulators, are not part of the enlily’s system of internal ‘control and thus cannot be part of management's process for assessing effective Internal control Bp eeatcnte veges eee» novos 4. Additional Considerations Judgment The Framework requires judgment in designing, implementing, and conducting internal control and assessing its effectiveness. The use of judgment enhances management's ability to make better decisions about intemal control, but cannot guarantee parfect ‘outcomes. 
Within the boundaries established by laws, rules, regulations, and standards, management exercises judgment in important areas such as:

• Applying internal control components relative to categories of objectives
• Applying internal control components and principles within the entity structure
• Specifying suitable objectives and sub-objectives and assessing risks to achieving these objectives
• Selecting, developing, and deploying controls necessary to effect principles
• Assessing whether components are present, functioning, and operating together
• Assessing whether principles are relevant to the entity and present and functioning
• Assessing the severity of one or more internal control deficiencies in accordance with applicable laws, rules, regulations, and external standards, or with the Framework

For example, in preparing financial statements, management exercises judgment in complying with external financial reporting requirements. Management considers how identified risks to specified financial reporting objectives and sub-objectives should be managed. Management's alternatives for responding to risks may be more limited compared with some other categories of objectives. That is, management is less likely to accept a risk than to reduce the risk. For external financial reporting objectives relating to financial statements prepared for external purposes, risk acceptance should occur only when identified risks could not, individually or in aggregate, exceed the risk threshold and result in a material omission or misstatement.

Management also exercises judgment in specifying and using suitable accounting principles, particularly those relating to subjective measurements and complex transactions. For instance, management exercises judgment in making assumptions and using data in developing accounting estimates, in applying accounting principles to complex transactions, and in preparing reliable and transparent presentations and disclosures.
Internal control over external financial reporting addresses the potential for bias in exercising judgment that could lead to a material omission or misstatement in external financial reporting.

Points of Focus

The Framework describes points of focus that are important characteristics of principles. Management may determine that some of these points of focus are not suitable or relevant and may identify and consider others based on specific circumstances of the entity. Points of focus may assist management in designing, implementing, and conducting internal control and in assessing whether the relevant principles are, in fact, present and functioning. The Framework does not require that management assess separately whether points of focus are in place.

Controls to Effect Principles

Embedded within the internal control process are controls, which consist of policies and procedures. Policies reflect management or board statements of what should be done to effect control. Procedures are actions that implement policies. Organizations select and develop controls within each component to effect relevant principles. Controls are interrelated and may support multiple objectives and principles. The Framework does not prescribe specific controls that must be selected, developed, and deployed for an effective system of internal control.
That determination is a function of management judgment based on factors unique to each entity, such as:

• Laws, rules, regulations, and standards applicable to the entity
• Nature of the entity's business and markets in which it operates
• Scope and nature of the management operating model
• Competency of the personnel responsible for internal control
• Use of and dependence on technology
• Management's responses to assessed risks

Management is expected to obtain persuasive evidence to support its determination that components and relevant principles are present and functioning. Management considers controls in conjunction with its assessment of components and relevant principles. Understanding how controls effect principles through their selection, development, and deployment can provide persuasive evidence to support management's assessment of whether the entity's system of internal control is effective. The absence of controls necessary to effect relevant principles would represent an internal control deficiency. The Framework allows judgment in assessing the potential impact of a control deficiency on the presence and functioning of a relevant principle. Management may consider other controls (whether or not associated with that particular component or principle) that compensate for an internal control deficiency.

Organizational Boundaries

Many organizations choose to shift some business processes and activities to outside service providers.
This approach has become prevalent because of the benefits of obtaining access to low-cost human resources, reducing costs in the day-to-day management of certain functions, obtaining access to better processes and systems, and allowing management to focus more on the entity's mission.

Outsourced service providers can help organizations to perform business processes, such as procurement, payables management, payroll, pension and benefit management, investment management, and stock-based compensation programs. Outside service providers may also perform technology activities that support business processes, providing services to procure, manage, and maintain previously internally managed technology systems. Advances in technology have created cost-saving opportunities through access to comprehensive architectures providing on-demand and scalable shared technology that supports more complex and changing business operations and that may be cost prohibitive for management as an internal investment.

This dependence on outsourced service providers changes the risks of business activities, increases the importance of the quality of information and communications from outside the organization, and creates greater challenges in overseeing its activities and related controls. While management can use others to execute business processes, activities, and controls for or on behalf of the entity, it retains responsibility for the system of internal control. For instance, management retains responsibility for specifying objectives, managing associated risks, and selecting, developing, and deploying controls to effect components and relevant principles.

The Framework can be applied to the entire entity regardless of what choices management makes about how it will execute business activities that support its objectives, either directly or through external relationships.
Technology

Technology may be essential to support management's pursuit of the entity's objectives and to better control the organization's activities. The number of entities that use technology continues to grow, as does the extent to which technology is used.

Technology is often referred to by other terms, such as "management information systems" or "information technology." These terms share the ideas of using a combination of automated and manual processes, and computer hardware and software, methodologies, and processes. The Framework uses the term "technology" to refer to all computerized systems, including software applications running on a computer and operational control systems.

Technology environments vary significantly in size, complexity, and extent of integration. They range from large, centralized, and integrated systems to decentralized systems that operate independently within a specific operating unit. They may involve real-time processing environments that enable immediate access to information, including mobile computer applications that can cut across many systems, organizations, and geographies. Technology enables organizations to process high volumes of transactions, transform data into information to support sound decision making, share information efficiently across the entity and with business partners, and secure confidential information from inappropriate use. In addition, technology can allow an entity to share operational and performance data with the public.

Technology innovation creates both opportunities and risks. It can enable the development of new business markets and models, generate efficiencies through automation, and enable entities to do things that were previously hard to imagine.
It may increase complexity, which makes identifying and managing risks more difficult.

The principles presented in the Framework do not change with the application of technology. This is not to say that technology does not change the internal control landscape. Certainly, it affects how an organization designs, implements, and conducts internal control, considering the greater availability of information and the use of automated procedures, but the same principles remain suitable and relevant.⁸

Larger versus Smaller Entities

The principles underlying components of internal control are just as applicable for smaller entities as for larger ones. However, implementation approaches may vary for smaller entities, regardless of whether the entity is publicly traded, privately held, governmental, or not-for-profit. For example, all public companies have boards of directors, or other similar governing bodies, with oversight responsibilities related to reporting. A smaller entity may have a less complex management operating model and entity structure, and more frequent communication with directors, enabling a different approach to board oversight. Similarly, while many public companies are often required to have a whistle-blower program, there may be a difference in the reporting procedures between other types of smaller and larger entities. In a large entity, for example, the volume of reported events may require initial reporting to an identified internal staff function, but a smaller entity may allow direct reporting to the audit committee chair.

Smaller entities typically have unique advantages, which can contribute to effective internal control. These may include a wider span of control by senior management and greater direct interaction with personnel. For instance, smaller companies may find informal staff meetings highly effective for communicating information relevant to operating performance, whereas larger companies may need more formal mechanisms such as written reports, intranet portals, periodic formal meetings, or conference calls to communicate similar matters.

Conversely, larger entities may enjoy certain economies of scale, which often affect support functions. For example, establishing an internal audit function within a smaller, domestic entity likely would require a larger percentage of the entity's economic resources than would be the case for a larger, multinational entity. A smaller entity may not have an internal audit function or might rely on co-sourcing or outsourcing to provide needed skills, where the larger entity's function might have a significantly broader range of experienced in-house personnel. But in all likelihood the relative cost for the smaller entity would be higher than for the larger one.

⁸ As a principles-based framework, and because technology is continually evolving, the Framework does not address specific technologies, such as cloud computing or social media.

Benefits and Costs of Internal Control

Benefits

Internal control provides many benefits to an entity. It provides management and boards of directors with added confidence regarding the achievement of objectives, it provides feedback on how a business is functioning, and it helps to reduce surprises. Among the most significant benefits of effective internal control for many entities is the ability to meet certain requirements to access capital markets, providing capital-driven innovation and economic growth.
Such access of course comes with responsibilities to effect timely and reliable reporting for shareholders, creditors, capital providers, regulators, and other third parties with which an entity has direct contractual relationships. For instance, effective internal control supports reliable external financial reporting, which in turn enhances investor confidence in providing the requisite capital.

Other benefits of effective internal control include:

• Reliable reporting that supports management and board decision making on matters such as product pricing, capital investment, and resource deployment
• Consistent mechanisms for processing transactions, supporting quality of information and communications across an organization, enhancing speed and reliability at which transactions are initiated and settled, and providing reliable recordkeeping and ongoing integrity of data
• Increased efficiency within functions and processes
• A basis for decisions where highly subjective and substantial judgment is needed
• Ability and confidence to accurately communicate business performance with business partners and customers, which supports continuity of relationships

Further, the Framework enables management to enhance efficiency in the design, implementation, and conduct of a system of internal control. For example:

• Understanding the importance of specifying suitable objectives may focus management's attention on those risks and controls most important to achieving these objectives.
• Focusing on those areas of risk that exceed acceptance levels and need to be managed across the entity may reduce efforts spent mitigating risks in areas of lesser significance.
• Coordinating efforts for identifying and assessing risks across multiple objectives may reduce the number of discrete risks assessed and mitigated.
• Selecting, developing, and deploying controls to effect multiple principles may also reduce the number of discrete, layered-on controls.
• Applying a common language—the Framework—encompassing operations, reporting, and compliance processes and controls may lessen the number of languages used to describe internal control across the entity.

Entities always have limits on human and capital resources and constraints on how much they can spend, and therefore they will often consider the costs relative to the benefits of alternative approaches in managing internal control options.

Costs

Generally, it is easier to deal with the cost aspect in the cost-benefit equation because in most cases financial costs can be quantified fairly precisely. Usually considered are all direct costs associated with implementing internal control actions and responses, plus indirect costs, where practically measurable. Some entities also include opportunity costs associated with use of resources.

Overall, management considers a variety of cost factors in relation to expected benefits when selecting and developing internal controls. These may include:

• Considering the trade-offs between recruiting and retaining staff with a higher level of competency and the related higher compensation costs. For instance, a smaller, stable, privately held company may not want to, or be able to, hire a chief financial officer with the experience of working for a publicly traded company.
• Assessing the efforts required to select, develop, and perform control activities; the potential incremental efforts that the activity adds to the business process; and the efforts to maintain and update the control activity when needed.
• Assessing the impacts of added reliance on technology. While the effort to perform the control and the impact of added technology-based controls on the business process may be small, the cost associated with selecting, developing, maintaining, and updating the technology could be substantial.
• Understanding how changes in information requirements may call for greater data collection, processing, and storage that could trigger exponential growth in data volume. With more data available, an organization faces the challenge of avoiding information overload by ensuring flow of the right information, in the right form, at the right level of detail, to the right people, at the right time. Establishing an information system that balances costs and benefits depends on thoughtful consideration of information requirements.

Other Considerations in Determining Benefits and Costs

The benefit side of the cost-benefit equation often involves even more subjective evaluation. For example, benefits of effective training programs usually are apparent but difficult to quantify. Training programs are not often designed to measure the benefits or to capture the necessary data to evaluate the program. Sales training programs may not be structured to measure before-and-after employee sales results, making it difficult to determine whether the training is effective and accomplishing its objectives. Further, evaluating the benefits in relation to stakeholder expectations may be more difficult to assess. In many cases, however, the benefit of developing actions within any of the five components of internal control can be evaluated in the context of the benefit associated with achievement of the related objective.
The complexity of cost-benefit determinations is compounded by the interrelationship of controls with business operations. Where controls are integrated with management and business processes, it is difficult to isolate either their costs or benefits.

It is up to management to decide how an entity evaluates the costs versus benefits of alternative approaches to implementing a system of internal control, and what action it ultimately takes. However, cost alone is not an acceptable reason to avoid implementing internal control. The cost versus benefits considerations support management's ability to develop and maintain a system of internal control that balances the allocation of human resources in relation to the areas of greatest risk, complexity, or other factors relevant to the entity's objectives.

Documentation

Entities develop and maintain documentation for their internal control system for a number of reasons. One is to provide clarity around roles and responsibilities, which promotes consistency in adhering to the entity's practices, policies, and procedures in managing the business. Effective documentation assists in capturing the design of internal control and communicating the who, what, when, where, and why of internal control execution, and creates standards and expectations of performance and conduct.

Another purpose of documentation is to assist in training new personnel and to offer a refresher or reference for other employees. Documentation also provides evidence of the conduct of internal control, enables proper monitoring, and supports reporting on internal control effectiveness, particularly when evaluated by other parties interacting with the entity, such as regulators, auditors, or customers. Documentation also provides a means to retain organizational knowledge and mitigate the risk of having the knowledge within the minds of a limited number of employees.
Management must also determine how much documentation is needed to assess the effectiveness of internal control. Some level of documentation is always necessary to assure management that each of the components and relevant principles is present and functioning and components are operating together. This may include, for example, documents showing that all shipments are billed or that periodic reconciliations are performed.

Two specific levels of documentation requirements must be considered in relation to external financial and non-financial reporting:

• In cases where management asserts to regulators, shareholders, or other third parties on the design and operating effectiveness of its system of internal control, management has a higher degree of responsibility. Typically, this requires documentation to support the assertion that components and relevant principles are present and functioning and components are operating together. The nature and extent of the documentation may be influenced by the entity's regulatory requirements. This does not necessarily mean that all documentation is or should be more formal, but that persuasive evidence to show that the components and relevant principles are present and functioning and components are operating together is available and appropriate to satisfy the entity's objectives.
• In cases where an external auditor attests to the effectiveness of the system of internal control, management will likely be expected to provide the auditor with support for its assertion on the effectiveness of internal control. That support includes evidence that the system of internal control is properly designed and operating effectively to provide reasonable assurance of achieving the entity's objective. In considering the nature and extent of documentation needed, management should remember that the documentation to support the assertion will likely be used by the external auditor as part of his or her audit evidence, including the sufficiency of such documentation for those assertions. Management would also need to document significant judgments, how such decisions were considered, and how the final decisions were reached.

There may still be instances where controls are informal and implied through management actions and decisions. This may be appropriate where management is able to obtain evidence captured through the normal conduct of the business that indicates personnel regularly performed those controls. However, it is important to keep in mind that controls, such as those embedded within monitoring activities or risk assessments, cannot be performed entirely in the minds of senior management without some documentation of management's thought process and analyses.

The level and nature of documentation can also vary by the size of the organization and the complexity of the control. Larger entities usually have a more extensive system of internal control and greater complexity in business processes, and therefore typically find it necessary to have more extensive documentation, such as in-depth policy and procedure manuals, flowcharts of processes, organizational charts, and job descriptions. Small entities often find less need for formal documentation. In smaller companies, typically there are fewer people and levels of management, closer working relationships, and more frequent interaction, all of which promote communication of what is expected and what is being done. Consequently, management of a smaller entity can often determine that controls are in place through direct observation.

Documentation of internal control should meet business needs and be commensurate with circumstances.
The extent of documentation supporting the presence and functioning of each of the components and relevant principles of internal control and components operating together is a matter of judgment, and should be done with cost-effectiveness in mind. In addition, the organization may benefit from some form of formal documentation that enables management to reflect on the rationale for the judgment and alignment with entity objectives.
