coso internal control evaluation tool_blank

8/11/2019 COSO Internal Control Evaluation Tool_blank

1/32

INTRODUCTION

This volume contains a set of tools that may be useful in conducting an evaluation of an entity'sinternal control system. The tools may be used in any of several ways:

Individually, when evaluating a particular component, or together when evaluating allcomponents.

In evaluating controls related to one category of controls, such as reliability of nancialreporting, or more than one category.

When focusing on certain activities, such as procurement or sales, or all activities.

The evaluation tools are presented as follows:

A set of blan tools, organi!ed by component, along with one to assist in assembling theresults in ma ing an overall evaluation.

A "eference #anual designed to assist the evaluator in completing the $"is Assessment

and %ontrol Activities Wor sheet.$ Also presented is a generic business model which servesas the organi!ational basis for the "eference #anual. &illed in tools, depicting how they might be completed for a hypothetical company.

These evaluation tools are intended to provide guidance and assistance in evaluating internalcontrol systems in relation to criteria for e(ective internal control set forth in the Framework volume of this report. Accordingly, users of these materials should be familiar with that volume.

These tools are presented for purely illustrative purposes. They are not an integral part of the&ramewor , and their presentation here in no way suggests that all matters addressed in themneed to be considered in evaluating an internal control system, or that all such matters must bepresent in order to conclude that a system is e(ective. )imilarly, there is no suggestion that thesetools are preferred method to conduct and document an evaluation. *ecause facts and

circumstances vary between entities and industries, evaluation methodologies and documentationtechni+ues will also vary. Accordingly, entities may use di(erent evaluation tools, or use othermethodologies utili!ing di(erent evaluative techni+ues. &or those entities that do plan to use thesetools in some way, it is suggested that they be used only as a starting point, and be modi ed tore ect the particular facts, conditions and ris s relevant to their own circumstances.

These evaluation tools can be used by entities of any si!e. When used by small or mid si!eentities, the tailoring process should recogni!e that smaller entities tend to be less formal and lessstructured than large organi!ations, that fewer organi!ation levels will li ely result in the %- andother ey managers communicating more directly and continuously with lower level personnel,and that these factors will a(ect the way control is e/ercised. The sample lled in tools containedin this volume have been completed using a hypothetical mid si!e company and may provideguidance to companies of such si!e in completing the tools.

/var/www/apps/conversion/tmp/scratch_2/243147083.doc 1


2/32

BLANK TOOLS

Component Tools

&ive evaluation tools are presented, one for each internal control component. A heading and briefintroduction identify each factor or signi cant element within a component.

)ubstantive issues to be addressed are contained under the column heading $points of focus.$ Thepoints of focus are identi ed by the symbol , and represent some of the more important issuesrelevant to the component. 0ot all points of focus are relevant to every entity, and additionalissues will be relevant to some entities. It is suggested that the evaluator tailor the points of focusto t the entity's facts and circumstances by adding, deleting or modifying those provided in thetool.

Included under each point of focus are e/amples of subsidiary issues that might be considered inaddressing the point of focus. It is important to recogni!e that only a few e/amples of suchsubsidiary issues are provided. #any others usually are relevant. The e/amples provided areintended only to illustrate the types of items to consider.

The evaluator addresses each point of focus, considering the e/ample subsidiary issues as well asothers not presented. Although one could record a response for each e/ample subsidiary issue, itis suggested that a response be provided only to the point of focus. The $description1comments$column provides space to record a description of how matters addressed in the point of focus areapplied in the entity, and to record relevant comments. The response generally will not be a $yes$or $no$ answer, but rather information on how the entity addresses the matter.

At the end of each section is a space to record a conclusion on the e(ectiveness of the relatedcontrols, and any actions that might need to be ta en or considered. )pace is provided at the endof each tool for similar information on the entire component.

Risk Assessment And Control Activities Worksheet

As noted in the evaluation tools for "is Assessment and %ontrol Activities, managementestablishes ob2ectives for each signi cant activity3 analy!es ris s to their achievement3 establishesplans, programs and other actions to address the ris 3 and puts in place control activities to ensurethat the actions are carried out. The tools for "is Assessment and %ontrol Activities do not providea vehicle to evaluate this process at the activity level. A separate wor sheet is provided to assist inthis regard.

#anagement may or may not have already documented this process. If not, the wor sheet 4pages56 and 789 provides a vehicle to assist management in performing and documenting the process.An evaluator then can review the completed wor sheet. If management has no documentation,the evaluator might consider preparing the wor sheet 4with the assistance of management9 inorder to evaluate the process and associated lin ages.

The "eference #anual 4beginning on page 779 is designed to assist in identifying activity levelob2ectives, analy!ing the ris s, and determining what actions might be ta en and what controlactivities put in place.

Overall Internal Control S stem !val"ation

An evaluation tool is provided to serve as a summary of the ndings and conclusions for each ofthe components, and to facilitate review of the preliminary results by more senior e/ecutives and



3/32

their addition of further information. )pace for an overall conclusion on the internal control systemis provided.

CONTROL !N#IRON$!NT

%oints o& 'oc"s Description(Comments

Integrity and Ethical Values

Management must convey the message that integrity and ethical values cannot ecompromised! and employees must receive and understand that message.Management must continually demonstrate! through words and actions! acommitment to high ethical standards.

!)istence and implementation o& codes o& cond"ct andother policies re*ardin* accepta+le +"siness practice,con-icts o& interest, or e)pected standards o& ethicaland moral +ehavior. &or e/ample, consider whether:

%odes are comprehensive, addressing con icts ofinterest, illegal or other improper payments, anticompetitive guidelines, insider trading.%odes are periodically ac nowledged by all employees.-mployees understand what behavior is acceptable orunacceptable, and now what to do if they encounterimproper behavior.If a written code of conduct does not e/ist, themanagement culture emphasi!es the importance ofintegrity and ethical behavior. This may becommunicated orally in sta( meetings, in one on oneinterface, or by e/ample when dealing with day to dayactivities.

!sta+lishment o& the /tone at the top/ 00 incl"din*e)plicit moral *"idance a+o"t 1hat is ri*ht and 1ron*00 and e)tent o& its comm"nication thro"*ho"t theor*ani2ation. &or e/ample, consider whether:

%ommitment to integrity and ethics is communicatede(ectively throughout the enterprise, both in words anddeeds.-mployees feel peer pressure to do the right thing, or cutcorners to ma e a $+uic buc .$#anagement appropriately deals with signs thatproblems e/ist, e.g. potential defective products orha!ardous wastes, especially when the cost of identifyingproblems and dealing with the issues could be large.

Dealin*s 1ith emplo ees, s"ppliers, c"stomers,investors, creditors, ins"rers, competitors, anda"ditors, etc. 3e.*., 1hether mana*ement cond"cts+"siness on a hi*h ethical plane, and insists that



4/32

others do so, or pa s little attention to ethical iss"es4.&or e/ample, consider whether:

-veryday dealings with customers, suppliers, employeesand other parties are based on honesty and fairness 4e.g.,customer's overpayment or a supplier's underbilling arenot ignored, no e(orts are made to nd a way to re2ect anemployee's legitimate claim for bene ts, and reports tolenders are complete, accurate and not misleading9.

Appropriateness o& remedial action taken in responseto depart"res &rom approved policies and proced"resor violations o& the code o& cond"ct. !)tent to 1hichremedial action is comm"nicated or other1ise+ecomes kno1n thro"*ho"t the entit . &or e/ample,consider whether:

#anagement responds to violations of behavioralstandards.isciplinary actions ta en as a result of violations arewidely communicated in the entity. -mployees believethat, if caught violating behavioral standards, they'llsu(er the conse+uences.

$ana*ement5s attit"de to1ards intervention oroverridin* esta+lished controls . &or e/ample, considerwhether:

#anagement has provided guidance on the situationsand fre+uency with which intervention may be needed.#anagement intervention is documented and e/plainedappropriately.#anager override is e/plicitly prohibited.eviations from established policies are investigated anddocumented.

%ress"re to meet "nrealistic per&ormance tar*ets 00partic"larl &or short0term res"lts 00 and e)tent to1hich compensation is +ased on achievin* thoseper&ormance tar*ets. &or e/ample, consider whether:

%onditions such as e/treme incentives or temptationse/ist that can unnecessarily and unfairly test people'sadherence to ethical values.%ompensation and promotions are based solely onachievement of short term performance targets.%ontrols are in place to reduce temptations that mightotherwise e/ist.

Concl"sions(Actions Needed



5/32

Commitment to Competence

#anagement must specify the level of competence needed forparticular 2obs, and translate the desired levels of competence intore+uisite nowledge and s ills.

'ormal or in&ormal 6o+ descriptions or other means o&de7nin* tasks that comprise partic"lar 6o+s. &ore/ample, consider whether:

#anagement has analy!ed, on a formal or informal basis,the tas s comprising particular 2obs, considering suchfactors as the e/tent to which individuals must e/ercise

2udgment and the e/tent of related supervision.

Anal ses o& the kno1led*e and skills needed toper&orm 6o+s ade8"atel . &or e/ample, consider whether:

#anagement has determined to an ade+uate e/tent the

nowledge and s ills needed to perform particular 2obs.-vidence e/ists indicating that employees appear to havethe re+uisite nowledge and s ills.


Board of Directors or Audit Committee

An active and e(ective board, or committees thereof, provides animportant oversight function and, because of management's abilityto override system controls, the board plays an important role inensuring e(ective internal control.

Independence &rom mana*ement, s"ch that necessar ,even i& di9c"lt and pro+in*, 8"estions are raised. &ore/ample, consider whether:

The board constructively challenges management'splanned decisions, e.g., strategic initiatives and ma2ortransactions, and probes for e/planations of past results4e.g., budget variances9.A board that consists solely of an entity's o;cers andemployees 4e.g., a small corporation9 +uestions andscrutini!es activities, presents alternative views and ta esappropriate action if necessary.

Use o& +oard committees 1here 1arranted + theneed &or more in0depth or directed attention to

/var/www/apps/conversion/tmp/scratch_2/243147083.doc "


6/32

partic"lar matters . &or e/ample, consider whether:

*oard committees e/ist. They are su;cient, in sub2ect matter and membership, todeal with important issues ade+uately.

Kno1led*e and e)perience o& directors. &or e/ample,consider whether:

irectors have su;cient nowledge, industry e/perienceand time to serve e(ectively.

're8"enc and timeliness 1ith 1hich meetin*s areheld 1ith chie& 7nancial and(or acco"ntin* o9cers,internal a"ditors and e)ternal a"ditors . &or e/ample,consider whether:

The audit committee meets privately with the chiefaccounting o;cer and internal and e/ternal auditors todiscuss the reasonableness of the nancial reportingprocess, system of internal control, signi cant commentsand recommendations, and management's performance.

The audit committee reviews the scope of activities of theinternal and e/ternal auditors annually.

S"9cienc and timeliness 1ith 1hich in&ormation isprovided to +oard or committee mem+ers, to allo1monitorin* o& mana*ement5s o+6ectives andstrate*ies, the entit 5s 7nancial position andoperatin* res"lts, and terms o& si*ni7canta*reements. &or e/ample, consider whether:

The board regularly receives ey information, such asnancial statements, ma2or mar eting initiatives,signi cant contracts or negotiations.irectors believe they receive the proper information.

S"9cienc and timeliness 1ith 1hich the +oard ora"dit committee is apprised o& sensitive in&ormation,investi*ations and improper acts 3e.*., travele)penses o& senior o9cers, si*ni7cant liti*ation,investi*ations o& re*"lator a*encies, de&alcations,em+e22lement or mis"se o& corporate assets,violations o& insider tradin* r"les, political pa ments,ille*al pa ments4. &or e/ample, consider whether:

A process e/ists for informing the board of signi cantissues.Information is communicated timely.

Oversi*ht in determinin* the compensation o&e)ec"tive o9cers and head o& internal a"dit, and theappointment and termination o& those individ"als. &ore/ample, consider whether:

/var/www/apps/conversion/tmp/scratch_2/243147083.doc #


7/32

The compensation committee approves all managementincentive plans tied to performance.

The compensation committee, in 2oint consultation withthe audit committee, deals with compensation andretention issues regarding the chief internal auditor

Role in esta+lishin* the appropriate /tone at the top./ &or e/ample, consider whether:

The board and audit committee are involved su;cientlyin evaluating the e(ectiveness of the $tone at the top.$

The board ta es steps to ensure an appropriate $tone.$ The board speci cally addresses management'sadherence to the code of conduct.

Actions the +oard or committee takes as a res"lt o& its7ndin*s, incl"din* special investi*ations as needed. &or e/ample, consider whether:

The board has issued directives to management detailingspeci c actions to be ta en.

The board oversees and follows up as needed.


Management's Philosophy and Operating Style

The philosophy and operating style of management normally have apervasive e(ect on an entity. These are, of course, intangibles, butone can loo for positive or negative signs.

Nat"re o& +"siness risks accepted, e.*., 1hethermana*ement o&ten enters into partic"larl hi*h0riskvent"res, or is e)tremel conservative in acceptin*risks. &or e/ample, consider whether:

#anagement moves carefully, proceeding only aftercarefully analy!ing the ris s and potential bene ts of aventure.

%ersonnel t"rnover in ke &"nctions, e.*., operatin*,acco"ntin*, data processin*, internal a"dit. &ore/ample, consider whether:

There has been e/cessive turnover of management orsupervisory personnel.


8/32

$ana*ement5s attit"de to1ard the data processin*and acco"ntin* &"nctions, and concerns a+o"t therelia+ilit o& 7nancial reportin* and sa&e*"ardin* o&assets. &or e/ample, consider whether:

The accounting function is viewed as a necessary groupof $bean counters,$ or as a vehicle for e/ercising controlover the entity's various activities.

The selection of accounting principles used in nancialstatements always results in the highest reported income.If the accounting function is decentrali!ed, operatingmanagement $sign o($ on reported results.=nit accounting personnel also have responsibility tocentra nancial o;cers.>aluable assets, including intellectual assets andinformation, are protected from unauthori!ed access oruse.

're8"enc o& interaction +et1een senior mana*ementand operatin* mana*ement, partic"larl 1henoperatin* &rom *eo*raphicall removed locations. &ore/ample, consider whether:

)enior managers fre+uently visit subsidiary or divisionaloperations.?roup or divisional management meetings are heldfre+uently.

Attit"des and actions to1ard 7nancial reportin*,incl"din* disp"tes over application o& acco"ntin*treatments 3e.*., selection o& conservative vers"sli+eral acco"ntin* policies: 1hether acco"ntin*principles have +een misapplied, important 7nancialin&ormation not disclosed, or records manip"lated or&alsi7ed4. &or e/ample, consider whether:

#anagement avoids obsessive focus on short termreported results.@ersonnel do not submit inappropriate reports to meettargets 4e.g., salespeople submitting orders to meettargets, nowing customers will return goods in the ne/tperiod9.#anagers do not ignore signs of inappropriate practices.-stimates do not stretch facts to the edge ofreasonableness and beyond.


Organi ational Structure



9/32

The organi!ational structure shouldn't be so simple that it cannotade+uately monitor the enterprise's activities nor so comple/ that itinhibits the necessary ow of information. -/ecutives should fullyunderstand their control responsibilities and possess the re+uisitee/perience and levels of nowledge commensurate with theirpositions.

Appropriateness o& the entit 5s or*ani2ationalstr"ct"re, and its a+ilit to provide the necessarin&ormation -o1 to mana*e its activities. &or e/ample,consider whether:

The organi!ational structure is appropriately centrali!edor decentrali!ed, given the nature of the entity'soperations.

The structure facilitates the ow of information upstream,downstream and across all business activities.

Ade8"ac o& de7nition o& ke mana*ers5responsi+ilities, and their "nderstandin* o& theseresponsi+ilities. &or e/ample, consider whether:

"esponsibilities and e/pectations for the entity's businessactivities are communicated clearly to the e/ecutives incharge of those activities.

Ade8"ac o& kno1led*e and e)perience o& kemana*ers in li*ht o& responsi+ilities. &or e/ample,consider whether:

The e/ecutives in charge have the re+uired nowledge,e/perience and training to perform their duties.

Appropriateness o& reportin* relationships . &ore/ample, consider whether:

-stablished reporting relationships formal or informal,direct or matri/ are e(ective, and they providemanagers information appropriate to their responsibilitiesand authority.

The e/ecutives of the business activities have access tocommunication channels to senior operating e/ecutives.

!)tent to 1hich modi7cations to the or*ani2ational

str"ct"re are made in li*ht o& chan*ed conditions. &ore/ample, consider whether:

#anagement periodically evaluates the entity'sorgani!ational structure in light of changes in thebusiness or industry.

S"9cient n"m+ers o& emplo ees e)ist, partic"larl inmana*ement and s"pervisor capacities. &or e/ample,consider whether:

/var/www/apps/conversion/tmp/scratch_2/243147083.doc $


10/32

#anagers and supervisors have su;cient time to carryout their responsibilities e(ectively.#anagers and supervisors wor e/cessive overtime, andare ful lling the responsibilities of more than oneemployee.


Assignment of Authority and !esponsi"ility

The assignment of responsibility, delegation of authority andestablishment of related policies provide a basis for accountabilityand control, and set forth individuals' respective roles.

Assi*nment o& responsi+ilit and dele*ation o&a"thorit to deal 1ith or*ani2ational *oals ando+6ectives, operatin* &"nctions and re*"latorre8"irements, incl"din* responsi+ilit &or in&ormations stems and a"thori2ations &or chan*es. &or e/ample,consider whether:

Authority and responsibility are assigned to employeesthroughout the entity."esponsibility for decisions is related to assignment ofauthority and responsibility.@roper information is considered in determining the levelof authority and scope of responsibility assigned to anindividual.

Appropriateness o& control0related standards andproced"res, incl"din* emplo ee 6o+ descriptions . &ore/ample, consider whether:

ob descriptions, for at least management andsupervisory personnel, e/ist.

They contain speci c references to control relatedresponsibilities.

Appropriate n"m+ers o& people, partic"larl 1ithrespect to data processin* and acco"ntin* &"nctions,

1ith the re8"isite skill levels relative to the si2e o& theentit and nat"re and comple)it o& activities ands stems . &or e/ample, consider whether:

The entity has an ade+uate wor force in numbers ande/perience to carry out its mission.

Appropriateness o& dele*ated a"thorit in relation toassi*ned responsi+ilities. &or e/ample, consider whether:

There is an appropriate balance between authority



11/32

needed to $get the 2ob done$ and the involvement ofsenior personnel where needed.-mployees at the $right$ level are empowered to correctproblems or implement improvements, andempowerment is accompanied by appropriate levels ofcompetence and clear boundaries of authority.


#uman !esource Policies and Practices

Buman resource policies are central to recruiting and retainingcompetent people to enable the entity's plans to be carried out soits goals can be achieved.

!)tent to 1hich policies and proced"res &or hirin*,trainin*, promotin* and compensatin* emplo ees arein place. &or e/ample, consider whether:

-/isting personnel policies and procedures result inrecruiting or developing competent and trustworthypeople necessary to support an e(ective internal controlsystem.

The level of attention given to recruiting and training theright people is appropriate.When formal documentation of policies and practicesdoes not e/ist, management communicates e/pectationsabout the type of people to be hired or participatesdirectly in the hiring process.

!)tent to 1hich people are made a1are o& theirresponsi+ilities and e)pectations o& them . &or e/ample,consider whether:

0ew employees are made aware of their responsibilitiesand management's e/pectations of them.)upervisory personnel meet periodically with employeesto review 2ob performance and suggestions forimprovement.

Appropriateness o& remedial action taken in responseto depart"res &rom approved policies and proced"res .&or e/ample, consider whether:

#anagement's response to failures to carry out assignedresponsibilities is appropriate.Appropriate corrective action is ta en as a result of nonadherence to established policies.-mployees understand that ine(ective performance willresult in remedial conse+uences.



12/32

!)tent to 1hich personnel policies address adherenceto appropriate ethical and moral standards. &ore/ample, consider whether:

Integrity and ethical values is a criterion in performanceappraisals.

Ade8"ac o& emplo ee candidate +ack*ro"nd checks,partic"larl 1ith re*ard to prior actions or activitiesconsidered to +e "naccepta+le + the entit . &ore/ample, consider whether:

%andidates with fre+uent 2ob changes or gaps inemployment history are sub2ected to particularly closescrutiny.Biring policies re+uire investigation for a criminal record.

Ade8"ac o& emplo ee retention and promotioncriteria and in&ormation0*atherin* techni8"es 3e.*.,per&ormance eval"ations4 and relation to the code o&cond"ct or other +ehavioral *"idelines . &or e/ample,consider whether:

@romotion and salary increase criteria are detailed clearlyso that individuals now what management e/pects priorto promotions or advancement.%riteria re ect adherence to behavioral standards.


Component S"mmar 00 Concl"sions(Actions Needed



13/32

RISK ASS!SS$!NT


Entity$%ide O"&ecti es

&or an entity to have e(ective control, it must have establishedob2ectives. -ntity wide ob2ectives include broad statements of whatan entity desires to achieve, and are supported by related strategicplans. escribe the entity wide ob2ectives and ey strategies thathave been established.

!)tent to 1hich the entit 01ide o+6ectives provides"9cientl +road statements and *"idance on 1hatthe entit desires to achieve, et 1hich are speci7c

eno"*h to relate directl to this entit . &or e/ample,consider whether:

#anagement has established entity wide ob2ectives. The entity wide ob2ectives are di(erent than genericob2ectives that could apply to any entity 4e.g., generatesu;cient cash ow to service debt, or produce areasonable return on investment9.

!;ectiveness 1ith 1hich the entit 01ide o+6ectives arecomm"nicated to emplo ees and +oard o& directors .&or e/ample, consider whether:

Information on the entity wide ob2ectives is disseminatedto employees and the board of directors.#anagement obtains feedbac from ey managers, otheremployees and the board signifying that communicationto employees is e(ective.

Relation and consistenc o& strate*ies 1ith entit 01ide o+6ectives . &or e/ample, consider whether:

The strategic plan supports the entity wide ob2ectives.It addresses high level resource allocations and priorities.

Consistenc o& +"siness plans and +"d*ets 1ith

entit 01ide o+6ectives, strate*ic plans and c"rrentconditions. &or e/ample, consider whether:

Assumptions inherent in the plans and budgets re ect theentity's historical e/perience and current conditions.@lans and budgets are at an appropriate level of detail foreach management level.



14/32


Acti ity$(e el O"&ecti es

Activity level ob2ectives ow from and are lin ed with the entitywide ob2ectives and strategies. Activity level ob2ectives arefre+uently stated as goals with speci c targets and deadlines.b2ectives should be established for each signi cant activity, andthose activity level ob2ectives should be consistent with each other.

Linka*e o& activit 0level o+6ectives 1ith entit 01ideo+6ective and strate*ic plans. &or e/ample, considerwhether:

Ade+uate lin age e/ists for all signi cant activities.Activity level ob2ectives are reviewed from time to timefor continued relevance.

Consistenc o& activit 0level o+6ectives 1ith eachother. &or e/ample, consider whether:

They are complementary and reinforcing within activities. They are complementary and reinforcing betweenactivities.

Relevance o& activit 0level o+6ectives to all si*ni7cant+"siness processes . &or e/ample, consider whether:

b2ectives are established for ey activities in the ows of goods and services and support activities.Activity level ob2ectives are consistent with past practicesand performances or with industry or functionalanalogues, or the reasons for variance have beenconsidered.b2ectives are established for each signi cant activity.

These activities may include, among others 4illustrativeob2ectives for each of these activities are presented in the"eference #anual, pages 7C to 6D9:

Inboundperationsutbound#ar eting and )ales)ervice@rocurement

Technology evelopmentBuman "esources#anage the -nterprise



15/32

#anage -/ternal "elations@rovide Administrative )ervices#anage Information Technology#anage "is s 4of accident or other insurable loss9#anage Eegal A(airs@lan@rocess Accounts @ayable@rocess Accounts "eceivable@rocess &unds@rocess &i/ed AssetsAnaly!e and "econcile@rocess *ene ts and "etiree Information@rocess @ayroll@rocess Ta/ %ompliance@rocess @roduct %osts@rovide &inancial and #anagement "eporting

Speci7cit o& activit 0level o+6ectives . &or e/ample,consider whether:

b2ectives include measurement criteria.

Ade8"ac o& reso"rces relative to o+6ectives . &ore/ample, consider whether:

#anagement has identi ed the resources needed toachieve the ob2ectives.@lans e/ist for ac+uiring necessary resources 4e.g.,nancing, personnel, facilities, technology9.

Identi7cation o& o+6ectives that are important 3criticals"ccess &actors4 to achievement o& entit 01ideo+6ectives . &or e/ample, consider whether:

#anagement has identi ed what must go right, or wherefailure must be avoided, for entity wide ob2ectives to beachieved.%apital spending and e/pense budgets are based onmanagement's analysis of the relative importance ofob2ectives.

The ob2ectives serving as critical success factors providea basis for particular management focus.

Involvement o& all levels o& mana*ement in o+6ectivesettin* and e)tent to 1hich the are committed to theo+6ectives. &or e/ample, consider whether:

#anagers participate in establishing activity ob2ectivesfor which they are responsible.@rocedures e/ist to resolve disagreements.#anagers support the ob2ectives, and do not have$hidden agendas.$

/var/www/apps/conversion/tmp/scratch_2/243147083.doc 1"


16/32


!is)s

An entity's ris assessment process should identify and consider theimplications of relevant ris s, at both the entity level and theactivity level. The ris assessment process should consider e/ternaland internal factors that could impact achievement of theob2ectives, should analy!e the ris s, and provide a basis formanaging them.

Ade8"ac o& mechanisms to identi& risks arisin* &rome)ternal so"rces. &or e/ample, consider whethermanagement considers ris s related to:

)upply sources Technology changes%reditor's demands%ompetitor's actions-conomic conditions@olitical conditions"egulation0atural events

Ade8"ac o& mechanisms to identi& risks arisin* &rominternal so"rces. &or e/ample, consider whethermanagement considers ris s related to:

Buman resources, such as retention of ey managementpersonnel or changes in responsibilities that can a(ectthe ability to function e(ectively.&inancing, such as availability of funds for new initiativesor continuation of ey programs.Eabor relations, such as compensation and bene tprograms to eep the entity competitive with others inthe industry.Information systems, such as the ade+uacy of bac upsystems in the event of failure of systems that couldsigni cantly a(ect operations.

Identi7cation o& si*ni7cant risks &or each si*ni7cantactivit 0level o+6ective. 4%onsider ris s identi ed withrespect to each of the activities identi ed under $activitylevel ob2ectives$3 illustrative ris s relative to commonob2ectives are presented in the "eference #anual, pages 7Cto 6D.9

Thoro"*hness and relevance o& the risk anal sisprocess, incl"din* estimatin* the si*ni7cance o& risks,

/var/www/apps/conversion/tmp/scratch_2/243147083.doc 1#


17/32

assessin* the likelihood o& their occ"rrin* anddeterminin* needed actions. &or e/ample, considerwhether:

"is s are analy!ed through formal processes or informalday to day management activities.

The identi ed ris s are relevant to the correspondingactivity ob2ective.Appropriate levels of management are involved inanaly!ing the ris s.


Managing Change

%conomic! industry and regulatory environments change and entities& activitiesevolve. Mechanisms are needed to identi'y and react to changing conditions.

!)istence o& mechanisms to anticipate, identi& andreact to ro"tine events or activities that a;ectachievement o& entit or activit 0 level o+6ectives3"s"all implemented + mana*ers responsi+le &or theactivities that 1o"ld +e most a;ected + thechan*es4 . &or e/ample, consider whether:

"outine changes are addressed as part of the normal risidenti cation and analysis process, or through separatemechanisms."is s and opportunities related to the changes areaddressed at su;ciently high levels in the organi!ationso their full implications are identi ed and appropriateaction plans formulated.All activities within the entity signi cantly a(ected by thechange are brought into the process.

!)istence o& mechanisms to identi& and react tochan*es that can have a more dramatic and pervasivee;ect on the entit , and ma demand the attention o&top mana*ement. &or e/ample, for each of the followingareas of potential change, consider whether:

%hanged operating environment:#ar et research or other programs identify ma2or shifts incostumer demographics, preferences or spendingpatterns.

The entity is aware of signi cant shifts in the wor force e/ternally or internally that could a(ect available s illlevels.Eegal counsel periodically updates management on theimplications of new legislation.



18/32

0ew personnel:)pecial action is ta en to ensure new personnelunderstand the entity's culture and perform accordingly.%onsideration is given to ey control activities performedby personnel being moved.

0ew or redesigned information systems:#echanisms e/ist to assess the e(ects of new systems.@rocedures are in place to reconsider the appropriatenessof e/isting control activities when new computer systemsare developed and go $live.$#anagement nows whether systems development andimplementation policies are adhered to despite pressuresto $short cut$ the process.Attention is given to the e(ect of new systems oninformation ows and related controls, and employeetraining, including focus on employee resistance tochange.

"apid growth:)ystems capability is upgraded to handle rapidlyincreasing volumes of information.Wor force in operations, accounting and data processingis e/panded as needed to eep pace with increasedvolume.A process for revising budgets or forecasts e/ists.A process e/ists for considering interdepartmentalimplications of revised unit ob2ectives and plans.

0ew technology:Information on technological developments is obtainedthrough reporting services, consultants, seminars orperhaps 2oint ventures with companies in the forefront ofresearch and development relevant to the entity.0ew technologies, or applications, developed bycompetitors are monitored.#echanisms e/ist for ta ing advantage, and controllingthe use, of new technology applications, incorporatingthem into production processes or information systems.

0ew lines, products, activities and ac+uisitions: The ability e/ists to reasonably forecast operating and

nancial results. The ade+uacy of e/isting information systems and controlactivities for the new line, product or activity is assessed.@lans are developed for recruiting and training peoplewith the re+uisite e/pertise to deal with new products oractivities.@rocedures are in place to trac early results, and tomodify production and mar eting as needed.&inancial reporting, legal and regulatory re+uirements areidenti ed and complied with.

The e(ects on other company products, and onpro tability, are monitored.verhead allocations are modi ed to re ect productcontribution accurately.



19/32

%orporate restructuring:)ta( reassignments or reductions are analy!ed for theirpotential e(ect on related operations.

Transferred or terminated employees' controlresponsibilities are reassigned.Impact on morale of remaining employees, after ma2ordownsi!ing, considered.)afeguards e/ist to protect against disgruntled formeremployees.

&oreign operations:#anagement eeps abreast of the political, regulatory,business and social culture of areas in which foreignoperations e/ist.@ersonnel are made aware of accepted customs andrules.Alternative procedures e/ist in case activities of orcommunication mechanisms with foreign operations areinterrupted.



/var/www/apps/conversion/tmp/scratch_2/243147083.doc 1$


20/32

CONTROL ACTI#ITI!S


(ontrol activities encompass a wide range o' policies and the related implementation procedures that help ensure that management&s directives are e''ected. )hey helpensure that those actions identi'ied as necessary to address ris*s to achieve the entity&so +ectives are carried out.

!)istence o& appropriate policies and proced"resnecessar 1ith respect to each o& the entit 5sactivities.

,ll relevant o +ectives and associated ris*s 'or each signi'icant activityshould have een identi'ied in con+unction with evaluating -is* ,ssessment.-e'erence may e made to the -e'erence Manual pages 3" to $8 which

presents! 'or common usiness activities! illustrative o +ectives! ris*s! andpoints o' 'ocus 'or actions/control activities. )he listings in that lattercolumn may e use'ul in identi'ying what actions management has directedto address the ris*s! and considering the appropriateness o' control activitiesthe entity applies to see that the actions are carried out. t should erecogni ed that points o' 'ocus 'or general controls or general computercontrols are presented in the -e'erence Manual under the activity Managen'ormation )echnology.

Identi7ed control activities in place are +ein* appliedproperl . &or e/ample, consider whether:

%ontrols described in policy manuals are actually appliedand are applied the way that they're supposed to be.Appropriate and timely action is ta en on e/ceptions orinformation that re+uires follow up.)upervisory personnel review the functioning of controls.




21/32

IN'OR$ATION AND CO$$UNICATION


Information

n'ormation is identi'ied! captured! processed and reported y in'ormation systems.-elevant in'ormation includes industry! economic and regulatory in'ormationo tained 'rom e ternal sources! as well as internally generated in'ormation.

O+tainin* e)ternal and internal in&ormation, andprovidin* mana*ement 1ith necessar reports on theentit 5s per&ormance relative to esta+lishedo+6ectives. &or e/ample, consider whether:

#echanism are in place to obtain relevant e/ternalinformation on mar et conditions, competitors'programs, legislative or regulatory developments andeconomic changes.Internally generated information critical to achievementof the entity's ob2ectives, including that relative to criticalsuccess factors, is identi ed and regularly reported.

The information that managers need to carry out theirresponsibilities is reported to them.

%rovidin* in&ormation to the ri*ht people in s"9cientdetail and on time to ena+le them to carr o"t theirresponsi+ilities e9cientl and e;ectivel . &or e/ample,consider whether:

#anagers receive analytical information that enablesthem to identify what action needs to be ta en.Information is provided at the right level of detail fordi(erent levels of management.Information is summari!ed appropriately, providingpertinent information while permitting closer inspectionof details as needed rather than 2ust a $sea of data.$Information is available on a timely basis to allowe(ective monitoring of events and activities internaland e/ternal and prompt reaction to economic andbusiness factors and control issues.

Development or revision o& in&ormation s stems +asedon a strate*ic plan &or in&ormation s stems 00 linked tothe entit 5s overall strate* 00 and responsive toachievin* the entit 01ide and activit 0level o+6ectives.&or e/ample, consider whether:

A mechanism 4e.g., and information technology steeringcommittee9 is in place for identifying emerginginformation needs.Information needs and priorities are determined by



22/32

e/ecutives with su;ciently broad responsibilities.A long range information technology plan has beendeveloped and lin ed with strategic initiatives.

$ana*ement5s s"pport &or the development o&necessar in&ormation s stems is demonstrated + thecommitment o& appropriate reso"rces 00 h"man and7nancial. &or e/ample, consider whether:

)u;cient resources 4managers, analysts, programmerswith the re+uisite technical abilities9 are provided asneeded to develop new or enhanced informationsystems.


Communication

(ommunication is inherent in in'ormation processing. (ommunication also ta*es place in a roader sense! dealing with e pectations and responsi ilities o' individualsand groups. %''ective communication must occur down! across and up an organi ationand with parties e ternal to the organi ation.

!;ectiveness 1ith 1hich emplo ees5 d"ties andcontrol responsi+ilities are comm"nicated. &or e/ample,consider whether:

%ommunication vehicles formal and informal trainingsessions, meetings and on the 2ob supervision aresu;cient in e(ecting such communication.-mployees now the ob2ectives of their own activity andhow their duties contribute to achieving those ob2ectives.-mployees understand how their duties a(ect, and area(ected by, duties of other employees.

!sta+lishment o& channels o& comm"nication &orpeople to report s"spected improprieties. &or e/ample,consider whether:

There's a way to communicate upstream throughsomeone other than a direct superior, such as anombudsman or corporate counsel.Anonymity is permitted.-mployees actually use the communication channel.@ersons who report suspected improprieties are providedfeedbac , and have immunity from reprisals.

Receptivit o& mana*ement to emplo ee s"**estionso& 1a s to enhance prod"ctivit , 8"alit or othersimilar improvements . &or e/ample, consider whether:

"ealistic mechanisms are in place for employees to



23/32

provide recommendations for improvement. #anagement ac nowledges good employee suggestions

by providing cash awards or other meaningfulrecognition.

Ade8"ac o& comm"nication across the or*ani2ation3&or e)ample, +et1een proc"rement and prod"ctionactivities4 and the completeness and timeliness o&in&ormation and its s"9cienc to ena+le people todischar*e their responsi+ilities e;ectivel . &or e/ample,consider whether:

)alespeople inform engineering, production andmar eting of customer needs.Accounts receivable personnel advise the credit approvalfunction of slow payers.Information on competitors' new products or warrantiesreach engineering, mar eting and sales personnel.

Openness and e;ectiveness o& channels 1ithc"stomers, s"ppliers and other e)ternal parties &orcomm"nicatin* in&ormation on chan*in* c"stomerneeds. &or e/ample, consider whether:

&eedbac mechanisms with all pertinent parties e/ist.)uggestions, complaints and other input are capturedand communicated to relevant internal parties.Information is reported upstream as necessary andfollow up action ta en.

!)tent to 1hich o"tside parties have +een madea1are o& the entit 5s ethical standards. &or e/ample,consider whether:

Important communications to outside parties aredelivered by management level commensurate with thenature and importance of the message 4e.g., seniore/ecutive periodically e/plains in writing the entity'sethical standards to outside parties9.)uppliers, customers and others now the entity'sstandards and e/pectations regarding actions in dealingwith the entity.)uch standards are reinforced in routine dealings withoutside parties.Improprieties by employees of e/ternal parties arereported to the appropriate personnel.

Timel and appropriate &ollo10"p action +mana*ement res"ltin* &rom comm"nications received&rom c"stomers, vendors, re*"lators or other e)ternalparties . &or e/ample, consider whether:

@ersonnel are receptive to reported problems regardingproducts, services or other matters, and such reports areinvestigated and acted upon.-rrors in customer billings are corrected, and the sourceof the error is investigated and corrected.Appropriate personnel independent of those involved



24/32

with the original transactions process complaints.Appropriate actions are ta en and there is follow upcommunication with the original sources.

Top management is aware of the nature and volume ofcomplaints.





25/32

$ONITORIN

coso internal control evaluation tool_blank

Documents