
INTRODUCTION

This volume contains a set of tools that may be useful in conducting an evaluation of an entity's
internal control system. The tools may be used in any of several ways:
Individually, when evaluating a particular component, or together when evaluating all
components.
In evaluating controls related to one category of controls, such as reliability of financial
reporting, or more than one category.
When focusing on certain activities, such as procurement or sales, or all activities.
The evaluation tools are presented as follows:
A set of blank tools, organized by component, along with one to assist in assembling the
results in making an overall evaluation.
A Reference Manual designed to assist the evaluator in completing the "Risk Assessment
and Control Activities Worksheet." Also presented is a generic business model which serves
as the organizational basis for the Reference Manual.
Filled-in tools, depicting how they might be completed for a hypothetical company.
These evaluation tools are intended to provide guidance and assistance in evaluating internal
control systems in relation to criteria for effective internal control set forth in the Framework
volume of this report. Accordingly, users of these materials should be familiar with that volume.
These tools are presented for purely illustrative purposes. They are not an integral part of the
Framework, and their presentation here in no way suggests that all matters addressed in them
need to be considered in evaluating an internal control system, or that all such matters must be
present in order to conclude that a system is effective. Similarly, there is no suggestion that these
tools are a preferred method to conduct and document an evaluation. Because facts and
circumstances vary between entities and industries, evaluation methodologies and documentation
techniques will also vary. Accordingly, entities may use different evaluation tools, or use other
methodologies utilizing different evaluative techniques. For those entities that do plan to use these
tools in some way, it is suggested that they be used only as a starting point, and be modified to
reflect the particular facts, conditions and risks relevant to their own circumstances.
These evaluation tools can be used by entities of any size. When used by small or mid-size
entities, the tailoring process should recognize that smaller entities tend to be less formal and less
structured than large organizations, that fewer organization levels will likely result in the CEO and
other key managers communicating more directly and continuously with lower level personnel,
and that these factors will affect the way control is exercised. The sample filled-in tools contained
in this volume have been completed using a hypothetical mid-size company and may provide
guidance to companies of such size in completing the tools.
BLANK TOOLS
Component Tools
Five evaluation tools are presented, one for each internal control component. A heading and brief
introduction identify each factor or significant element within a component.
Substantive issues to be addressed are contained under the column heading "points of focus." The
points of focus are identified by the symbol , and represent some of the more important issues
relevant to the component. Not all points of focus are relevant to every entity, and additional
issues will be relevant to some entities. It is suggested that the evaluator tailor the points of focus
to fit the entity's facts and circumstances by adding, deleting or modifying those provided in the
tool.
Included under each point of focus are examples of subsidiary issues that might be considered in
addressing the point of focus. It is important to recognize that only a few examples of such
subsidiary issues are provided. Many others usually are relevant. The examples provided are
intended only to illustrate the types of items to consider.
The evaluator addresses each point of focus, considering the example subsidiary issues as well as
others not presented. Although one could record a response for each example subsidiary issue, it
is suggested that a response be provided only to the point of focus. The "description/comments"
column provides space to record a description of how matters addressed in the point of focus are
applied in the entity, and to record relevant comments. The response generally will not be a "yes"
or "no" answer, but rather information on how the entity addresses the matter.
At the end of each section is a space to record a conclusion on the effectiveness of the related
controls, and any actions that might need to be taken or considered. Space is provided at the end
of each tool for similar information on the entire component.
Risk Assessment And Control Activities Worksheet
As noted in the evaluation tools for Risk Assessment and Control Activities, management
establishes objectives for each significant activity; analyzes risks to their achievement; establishes
plans, programs and other actions to address the risk; and puts in place control activities to ensure
that the actions are carried out. The tools for Risk Assessment and Control Activities do not provide
a vehicle to evaluate this process at the activity level. A separate worksheet is provided to assist in
this regard.
Management may or may not have already documented this process. If not, the worksheet (pages
56 and 78) provides a vehicle to assist management in performing and documenting the process.
An evaluator then can review the completed worksheet. If management has no documentation,
the evaluator might consider preparing the worksheet (with the assistance of management) in
order to evaluate the process and associated linkages.
The Reference Manual (beginning on page 77) is designed to assist in identifying activity-level
objectives, analyzing the risks, and determining what actions might be taken and what control
activities put in place.
Overall Internal Control System Evaluation
An evaluation tool is provided to serve as a summary of the findings and conclusions for each of
the components, and to facilitate review of the preliminary results by more senior executives and
their addition of further information. Space for an overall conclusion on the internal control system
is provided.
CONTROL ENVIRONMENT
Points of Focus    Description/Comments
Integrity and Ethical Values
Management must convey the message that integrity and ethical values cannot be
compromised, and employees must receive and understand that message.
Management must continually demonstrate, through words and actions, a
commitment to high ethical standards.
Existence and implementation of codes of conduct and
other policies regarding acceptable business practice,
conflicts of interest, or expected standards of ethical
and moral behavior. For example, consider whether:
Codes are comprehensive, addressing conflicts of
interest, illegal or other improper payments, anti-competitive
guidelines, insider trading.
Codes are periodically acknowledged by all employees.
Employees understand what behavior is acceptable or
unacceptable, and know what to do if they encounter
improper behavior.
If a written code of conduct does not exist, the
management culture emphasizes the importance of
integrity and ethical behavior. This may be
communicated orally in staff meetings, in one-on-one
interface, or by example when dealing with day-to-day
activities.
Establishment of the "tone at the top" -- including
explicit moral guidance about what is right and wrong
-- and extent of its communication throughout the
organization. For example, consider whether:
Commitment to integrity and ethics is communicated
effectively throughout the enterprise, both in words and
deeds.
Employees feel peer pressure to do the right thing, or cut
corners to make a "quick buck."
Management appropriately deals with signs that
problems exist, e.g. potential defective products or
hazardous wastes, especially when the cost of identifying
problems and dealing with the issues could be large.
Dealings with employees, suppliers, customers,
investors, creditors, insurers, competitors, and
auditors, etc. (e.g., whether management conducts
business on a high ethical plane, and insists that
others do so, or pays little attention to ethical issues).
For example, consider whether:
Everyday dealings with customers, suppliers, employees
and other parties are based on honesty and fairness (e.g.,
customer's overpayment or a supplier's underbilling are
not ignored, no efforts are made to find a way to reject an
employee's legitimate claim for benefits, and reports to
lenders are complete, accurate and not misleading).
Appropriateness of remedial action taken in response
to departures from approved policies and procedures
or violations of the code of conduct. Extent to which
remedial action is communicated or otherwise
becomes known throughout the entity. For example,
consider whether:
Management responds to violations of behavioral
standards.
Disciplinary actions taken as a result of violations are
widely communicated in the entity. Employees believe
that, if caught violating behavioral standards, they'll
suffer the consequences.
Management's attitude towards intervention or
overriding established controls. For example, consider
whether:
Management has provided guidance on the situations
and frequency with which intervention may be needed.
Management intervention is documented and explained
appropriately.
Manager override is explicitly prohibited.
Deviations from established policies are investigated and
documented.
Pressure to meet unrealistic performance targets --
particularly for short-term results -- and extent to
which compensation is based on achieving those
performance targets. For example, consider whether:
Conditions such as extreme incentives or temptations
exist that can unnecessarily and unfairly test people's
adherence to ethical values.
Compensation and promotions are based solely on
achievement of short-term performance targets.
Controls are in place to reduce temptations that might
otherwise exist.
Conclusions/Actions Needed
Commitment to Competence
Management must specify the level of competence needed for
particular jobs, and translate the desired levels of competence into
requisite knowledge and skills.
Formal or informal job descriptions or other means of
defining tasks that comprise particular jobs. For
example, consider whether:
Management has analyzed, on a formal or informal basis,
the tasks comprising particular jobs, considering such
factors as the extent to which individuals must exercise
judgment and the extent of related supervision.
Analyses of the knowledge and skills needed to
perform jobs adequately. For example, consider whether:
Management has determined to an adequate extent the
knowledge and skills needed to perform particular
jobs.
Evidence exists indicating that employees appear to have
the requisite knowledge and skills.
Conclusions/Actions Needed
Board of Directors or Audit Committee
An active and effective board, or committees thereof, provides an
important oversight function and, because of management's ability
to override system controls, the board plays an important role in
ensuring effective internal control.
Independence from management, such that necessary,
even if difficult and probing, questions are raised. For
example, consider whether:
The board constructively challenges management's
planned decisions, e.g., strategic initiatives and major
transactions, and probes for explanations of past results
(e.g., budget variances).
A board that consists solely of an entity's officers and
employees (e.g., a small corporation) questions and
scrutinizes activities, presents alternative views and takes
appropriate action if necessary.
Use of board committees where warranted by the
need for more in-depth or directed attention to
particular matters. For example, consider whether:
Board committees exist.
They are sufficient, in subject matter and membership, to
deal with important issues adequately.
Knowledge and experience of directors. For example,
consider whether:
Directors have sufficient knowledge, industry experience
and time to serve effectively.
Frequency and timeliness with which meetings are
held with chief financial and/or accounting officers,
internal auditors and external auditors. For example,
consider whether:
The audit committee meets privately with the chief
accounting officer and internal and external auditors to
discuss the reasonableness of the financial reporting
process, system of internal control, significant comments
and recommendations, and management's performance.
The audit committee reviews the scope of activities of the
internal and external auditors annually.
Sufficiency and timeliness with which information is
provided to board or committee members, to allow
monitoring of management's objectives and
strategies, the entity's financial position and
operating results, and terms of significant
agreements. For example, consider whether:
The board regularly receives key information, such as
financial statements, major marketing initiatives,
significant contracts or negotiations.
Directors believe they receive the proper information.
Sufficiency and timeliness with which the board or
audit committee is apprised of sensitive information,
investigations and improper acts (e.g., travel
expenses of senior officers, significant litigation,
investigations of regulatory agencies, defalcations,
embezzlement or misuse of corporate assets,
violations of insider trading rules, political payments,
illegal payments). For example, consider whether:
A process exists for informing the board of significant
issues.
Information is communicated timely.
Oversight in determining the compensation of
executive officers and head of internal audit, and the
appointment and termination of those individuals. For
example, consider whether:
The compensation committee approves all management
incentive plans tied to performance.
The compensation committee, in joint consultation with
the audit committee, deals with compensation and
retention issues regarding the chief internal auditor.
Role in establishing the appropriate "tone at the top."
For example, consider whether:
The board and audit committee are involved sufficiently
in evaluating the effectiveness of the "tone at the top."
The board takes steps to ensure an appropriate "tone."
The board specifically addresses management's
adherence to the code of conduct.
Actions the board or committee takes as a result of its
findings, including special investigations as needed.
For example, consider whether:
The board has issued directives to management detailing
specific actions to be taken.
The board oversees and follows up as needed.
Conclusions/Actions Needed
Management's Philosophy and Operating Style
The philosophy and operating style of management normally have a
pervasive effect on an entity. These are, of course, intangibles, but
one can look for positive or negative signs.
Nature of business risks accepted, e.g., whether
management often enters into particularly high-risk
ventures, or is extremely conservative in accepting
risks. For example, consider whether:
Management moves carefully, proceeding only after
carefully analyzing the risks and potential benefits of a
venture.
Personnel turnover in key functions, e.g., operating,
accounting, data processing, internal audit. For
example, consider whether:
There has been excessive turnover of management or
supervisory personnel.
Key personnel have quit unexpectedly or on short notice.
There is a pattern to turnover (e.g., inability to retain key
financial or internal audit executives) that may be an
indicator of the emphasis that management places on
control.
Management's attitude toward the data processing
and accounting functions, and concerns about the
reliability of financial reporting and safeguarding of
assets. For example, consider whether:
The accounting function is viewed as a necessary group
of "bean counters," or as a vehicle for exercising control
over the entity's various activities.
The selection of accounting principles used in financial
statements always results in the highest reported income.
If the accounting function is decentralized, operating
management "sign off" on reported results.
Unit accounting personnel also have responsibility to
central financial officers.
Valuable assets, including intellectual assets and
information, are protected from unauthorized access or
use.
Frequency of interaction between senior management
and operating management, particularly when
operating from geographically removed locations. For
example, consider whether:
Senior managers frequently visit subsidiary or divisional
operations.
Group or divisional management meetings are held
frequently.
Attitudes and actions toward financial reporting,
including disputes over application of accounting
treatments (e.g., selection of conservative versus
liberal accounting policies; whether accounting
principles have been misapplied, important financial
information not disclosed, or records manipulated or
falsified). For example, consider whether:
Management avoids obsessive focus on short-term
reported results.
Personnel do not submit inappropriate reports to meet
targets (e.g., salespeople submitting orders to meet
targets, knowing customers will return goods in the next
period).
Managers do not ignore signs of inappropriate practices.
Estimates do not stretch facts to the edge of
reasonableness and beyond.
Conclusions/Actions Needed
Organizational Structure
The organizational structure shouldn't be so simple that it cannot
adequately monitor the enterprise's activities nor so complex that it
inhibits the necessary flow of information. Executives should fully
understand their control responsibilities and possess the requisite
experience and levels of knowledge commensurate with their
positions.
Appropriateness of the entity's organizational
structure, and its ability to provide the necessary
information flow to manage its activities. For example,
consider whether:
The organizational structure is appropriately centralized
or decentralized, given the nature of the entity's
operations.
The structure facilitates the flow of information upstream,
downstream and across all business activities.
Adequacy of definition of key managers'
responsibilities, and their understanding of these
responsibilities. For example, consider whether:
Responsibilities and expectations for the entity's business
activities are communicated clearly to the executives in
charge of those activities.
Adequacy of knowledge and experience of key
managers in light of responsibilities. For example,
consider whether:
The executives in charge have the required knowledge,
experience and training to perform their duties.
Appropriateness of reporting relationships. For
example, consider whether:
Established reporting relationships -- formal or informal,
direct or matrix -- are effective, and they provide
managers information appropriate to their responsibilities
and authority.
The executives of the business activities have access to
communication channels to senior operating executives.
Extent to which modifications to the organizational
structure are made in light of changed conditions. For
example, consider whether:
Management periodically evaluates the entity's
organizational structure in light of changes in the
business or industry.
Sufficient numbers of employees exist, particularly in
management and supervisory capacities. For example,
consider whether:
Managers and supervisors have sufficient time to carry
out their responsibilities effectively.
Managers and supervisors work excessive overtime, and
are fulfilling the responsibilities of more than one
employee.
Conclusions/Actions Needed
Assignment of Authority and Responsibility
The assignment of responsibility, delegation of authority and
establishment of related policies provide a basis for accountability
and control, and set forth individuals' respective roles.
Assignment of responsibility and delegation of
authority to deal with organizational goals and
objectives, operating functions and regulatory
requirements, including responsibility for information
systems and authorizations for changes. For example,
consider whether:
Authority and responsibility are assigned to employees
throughout the entity.
Responsibility for decisions is related to assignment of
authority and responsibility.
Proper information is considered in determining the level
of authority and scope of responsibility assigned to an
individual.
Appropriateness of control-related standards and
procedures, including employee job descriptions. For
example, consider whether:
Job descriptions, for at least management and
supervisory personnel, exist.
They contain specific references to control-related
responsibilities.
Appropriate numbers of people, particularly with
respect to data processing and accounting functions,
with the requisite skill levels relative to the size of the
entity and nature and complexity of activities and
systems. For example, consider whether:
The entity has an adequate workforce -- in numbers and
experience -- to carry out its mission.
Appropriateness of delegated authority in relation to
assigned responsibilities. For example, consider whether:
There is an appropriate balance between authority
needed to "get the job done" and the involvement of
senior personnel where needed.
Employees at the "right" level are empowered to correct
problems or implement improvements, and
empowerment is accompanied by appropriate levels of
competence and clear boundaries of authority.
Conclusions/Actions Needed
Human Resource Policies and Practices
Human resource policies are central to recruiting and retaining
competent people to enable the entity's plans to be carried out so
its goals can be achieved.
Extent to which policies and procedures for hiring,
training, promoting and compensating employees are
in place. For example, consider whether:
Existing personnel policies and procedures result in
recruiting or developing competent and trustworthy
people necessary to support an effective internal control
system.
The level of attention given to recruiting and training the
right people is appropriate.
When formal documentation of policies and practices
does not exist, management communicates expectations
about the type of people to be hired or participates
directly in the hiring process.
Extent to which people are made aware of their
responsibilities and expectations of them. For example,
consider whether:
New employees are made aware of their responsibilities
and management's expectations of them.
Supervisory personnel meet periodically with employees
to review job performance and suggestions for
improvement.
Appropriateness of remedial action taken in response
to departures from approved policies and procedures.
For example, consider whether:
Management's response to failures to carry out assigned
responsibilities is appropriate.
Appropriate corrective action is taken as a result of
non-adherence to established policies.
Employees understand that ineffective performance will
result in remedial consequences.
Extent to which personnel policies address adherence
to appropriate ethical and moral standards. For
example, consider whether:
Integrity and ethical values is a criterion in performance
appraisals.
Adequacy of employee candidate background checks,
particularly with regard to prior actions or activities
considered to be unacceptable by the entity. For
example, consider whether:
Candidates with frequent job changes or gaps in
employment history are subjected to particularly close
scrutiny.
Hiring policies require investigation for a criminal record.
Adequacy of employee retention and promotion
criteria and information-gathering techniques (e.g.,
performance evaluations) and relation to the code of
conduct or other behavioral guidelines. For example,
consider whether:
Promotion and salary increase criteria are detailed clearly
so that individuals know what management expects prior
to promotions or advancement.
Criteria reflect adherence to behavioral standards.
Conclusions/Actions Needed
Component Summary -- Conclusions/Actions Needed
RISK ASSESSMENT
Points of Focus    Description/Comments
Entity-Wide Objectives
For an entity to have effective control, it must have established
objectives. Entity-wide objectives include broad statements of what
an entity desires to achieve, and are supported by related strategic
plans. Describe the entity-wide objectives and key strategies that
have been established.
Extent to which the entity-wide objectives provide
sufficiently broad statements and guidance on what
the entity desires to achieve, yet which are specific
enough to relate directly to this entity. For example,
consider whether:
Management has established entity-wide objectives.
The entity-wide objectives are different than generic
objectives that could apply to any entity (e.g., generate
sufficient cash flow to service debt, or produce a
reasonable return on investment).
Effectiveness with which the entity-wide objectives are
communicated to employees and board of directors.
For example, consider whether:
Information on the entity-wide objectives is disseminated
to employees and the board of directors.
Management obtains feedback from key managers, other
employees and the board signifying that communication
to employees is effective.
Relation and consistency of strategies with entity-wide
objectives. For example, consider whether:
The strategic plan supports the entity-wide objectives.
It addresses high level resource allocations and priorities.
Consistency of business plans and budgets with
entity-wide objectives, strategic plans and current
conditions. For example, consider whether:
Assumptions inherent in the plans and budgets reflect the
entity's historical experience and current conditions.
Plans and budgets are at an appropriate level of detail for
each management level.
Conclusions/Actions Needed
Activity-Level Objectives
Activity-level objectives flow from and are linked with the entity-wide
objectives and strategies. Activity-level objectives are
frequently stated as goals with specific targets and deadlines.
Objectives should be established for each significant activity, and
those activity-level objectives should be consistent with each other.
Linkage of activity-level objectives with entity-wide
objective and strategic plans. For example, consider
whether:
Adequate linkage exists for all significant activities.
Activity-level objectives are reviewed from time to time
for continued relevance.
Consistency of activity-level objectives with each
other. For example, consider whether:
They are complementary and reinforcing within activities.
They are complementary and reinforcing between
activities.
Relevance of activity-level objectives to all significant
business processes. For example, consider whether:
Objectives are established for key activities in the flows of
goods and services and support activities.
Activity-level objectives are consistent with past practices
and performances or with industry or functional
analogues, or the reasons for variance have been
considered.
Objectives are established for each significant activity.
These activities may include, among others (illustrative
objectives for each of these activities are presented in the
Reference Manual, pages 7C to 6D):
Inbound
Operations
Outbound
Marketing and Sales
Service
Procurement
Technology Development
Human Resources
Manage the Enterprise
Manage External Relations
Provide Administrative Services
Manage Information Technology
Manage Risks (of accident or other insurable loss)
Manage Legal Affairs
Plan
Process Accounts Payable
Process Accounts Receivable
Process Funds
Process Fixed Assets
Analyze and Reconcile
Process Benefits and Retiree Information
Process Payroll
Process Tax Compliance
Process Product Costs
Provide Financial and Management Reporting
Specificity of activity-level objectives. For example,
consider whether:
Objectives include measurement criteria.
Adequacy of resources relative to objectives. For
example, consider whether:
Management has identified the resources needed to
achieve the objectives.
Plans exist for acquiring necessary resources (e.g.,
financing, personnel, facilities, technology).
Identification of objectives that are important (critical
success factors) to achievement of entity-wide
objectives. For example, consider whether:
Management has identified what must go right, or where
failure must be avoided, for entity-wide objectives to be
achieved.
Capital spending and expense budgets are based on
management's analysis of the relative importance of
objectives.
The objectives serving as critical success factors provide
a basis for particular management focus.
Involvement of all levels of management in objective
setting and extent to which they are committed to the
objectives. For example, consider whether:
Managers participate in establishing activity objectives
for which they are responsible.
Procedures exist to resolve disagreements.
Managers support the objectives, and do not have
"hidden agendas."
Conclusions/Actions Needed
Risks
An entity's risk-assessment process should identify and consider the
implications of relevant risks, at both the entity level and the
activity level. The risk-assessment process should consider external
and internal factors that could impact achievement of the
objectives, should analyze the risks, and provide a basis for
managing them.
Adequacy of mechanisms to identify risks arising from
external sources. For example, consider whether
management considers risks related to:
Supply sources
Technology changes
Creditor's demands
Competitor's actions
Economic conditions
Political conditions
Regulation
Natural events
Adequacy of mechanisms to identify risks arising from
internal sources. For example, consider whether
management considers risks related to:
Human resources, such as retention of key management
personnel or changes in responsibilities that can affect
the ability to function effectively.
Financing, such as availability of funds for new initiatives
or continuation of key programs.
Labor relations, such as compensation and benefit
programs to keep the entity competitive with others in
the industry.
Information systems, such as the adequacy of back-up
systems in the event of failure of systems that could
significantly affect operations.
Identification of significant risks for each significant
activity-level objective. (Consider risks identified with
respect to each of the activities identified under
"activity-level objectives"; illustrative risks relative to common
objectives are presented in the Reference Manual, pages 7C
to 6D.)
Thoroughness and relevance of the risk analysis
process, including estimating the significance of risks,
assessin* the likelihood o& their occ"rrin* and
determinin* needed actions. &or e/ample, consider
whether:
"iss are analy!ed through formal processes or informal
day'to'day management activities.
The identifed riss are relevant to the corresponding
activity ob2ective.
Appropriate levels of management are involved in
analy!ing the riss.
Concl"sions(Actions Needed
Managing Change
Economic, industry and regulatory environments change and entities' activities evolve. Mechanisms are needed to identify and react to changing conditions.
Existence of mechanisms to anticipate, identify and react to routine events or activities that affect achievement of entity or activity-level objectives (usually implemented by managers responsible for the activities that would be most affected by the changes). For example, consider whether:
Routine changes are addressed as part of the normal risk identification and analysis process, or through separate mechanisms.
Risks and opportunities related to the changes are addressed at sufficiently high levels in the organization so their full implications are identified and appropriate action plans formulated.
All activities within the entity significantly affected by the change are brought into the process.
Existence of mechanisms to identify and react to changes that can have a more dramatic and pervasive effect on the entity, and may demand the attention of top management. For example, for each of the following areas of potential change, consider whether:
Changed operating environment:
Market research or other programs identify major shifts in customer demographics, preferences or spending patterns.
The entity is aware of significant shifts in the workforce -- externally or internally -- that could affect available skill levels.
Legal counsel periodically updates management on the implications of new legislation.
New personnel:
Special action is taken to ensure new personnel understand the entity's culture and perform accordingly.
Consideration is given to key control activities performed by personnel being moved.
New or redesigned information systems:
Mechanisms exist to assess the effects of new systems.
Procedures are in place to reconsider the appropriateness of existing control activities when new computer systems are developed and go "live."
Management knows whether systems development and implementation policies are adhered to despite pressures to "short-cut" the process.
Attention is given to the effect of new systems on information flows and related controls, and employee training, including focus on employee resistance to change.
Rapid growth:
Systems capability is upgraded to handle rapidly increasing volumes of information.
Workforce in operations, accounting and data processing is expanded as needed to keep pace with increased volume.
A process for revising budgets or forecasts exists.
A process exists for considering interdepartmental implications of revised unit objectives and plans.
New technology:
Information on technological developments is obtained through reporting services, consultants, seminars or perhaps joint ventures with companies in the forefront of research and development relevant to the entity.
New technologies, or applications, developed by competitors are monitored.
Mechanisms exist for taking advantage, and controlling the use, of new technology applications, incorporating them into production processes or information systems.
New lines, products, activities and acquisitions:
The ability exists to reasonably forecast operating and financial results.
The adequacy of existing information systems and control activities for the new line, product or activity is assessed.
Plans are developed for recruiting and training people with the requisite expertise to deal with new products or activities.
Procedures are in place to track early results, and to modify production and marketing as needed.
Financial reporting, legal and regulatory requirements are identified and complied with.
The effects on other company products, and on profitability, are monitored.
Overhead allocations are modified to reflect product contribution accurately.
Corporate restructuring:
Staff reassignments or reductions are analyzed for their potential effect on related operations.
Transferred or terminated employees' control responsibilities are reassigned.
Impact on morale of remaining employees, after major downsizing, is considered.
Safeguards exist to protect against disgruntled former employees.
Foreign operations:
Management keeps abreast of the political, regulatory, business and social culture of areas in which foreign operations exist.
Personnel are made aware of accepted customs and rules.
Alternative procedures exist in case activities of or communication mechanisms with foreign operations are interrupted.
Conclusions/Actions Needed
Component Summary -- Conclusions/Actions Needed
CONTROL ACTIVITIES
Points of Focus | Description/Comments
Control activities encompass a wide range of policies and the related implementation procedures that help ensure that management's directives are effected. They help ensure that those actions identified as necessary to address risks to achieve the entity's objectives are carried out.
Existence of appropriate policies and procedures necessary with respect to each of the entity's activities.
All relevant objectives and associated risks for each significant activity should have been identified in conjunction with evaluating Risk Assessment. Reference may be made to the Reference Manual (pages 35 to 98) which presents, for common business activities, illustrative objectives, risks, and "points of focus for actions/control activities." The listings in that latter column may be useful in identifying what actions management has directed to address the risks, and considering the appropriateness of control activities the entity applies to see that the actions are carried out. It should be recognized that points of focus for general controls (or general computer controls) are presented in the Reference Manual under the activity "Manage Information Technology."
Identified control activities in place are being applied properly. For example, consider whether:
Controls described in policy manuals are actually applied and are applied the way that they're supposed to be.
Appropriate and timely action is taken on exceptions or information that requires follow-up.
Supervisory personnel review the functioning of controls.
Component Summary -- Conclusions/Actions Needed
INFORMATION AND COMMUNICATION
Points of Focus | Description/Comments
Information
Information is identified, captured, processed and reported by information systems. Relevant information includes industry, economic and regulatory information obtained from external sources, as well as internally generated information.
Obtaining external and internal information, and providing management with necessary reports on the entity's performance relative to established objectives. For example, consider whether:
Mechanisms are in place to obtain relevant external information -- on market conditions, competitors' programs, legislative or regulatory developments and economic changes.
Internally generated information critical to achievement of the entity's objectives, including that relative to critical success factors, is identified and regularly reported.
The information that managers need to carry out their responsibilities is reported to them.
Providing information to the right people in sufficient detail and on time to enable them to carry out their responsibilities efficiently and effectively. For example, consider whether:
Managers receive analytical information that enables them to identify what action needs to be taken.
Information is provided at the right level of detail for different levels of management.
Information is summarized appropriately, providing pertinent information while permitting closer inspection of details as needed rather than just a "sea of data."
Information is available on a timely basis to allow effective monitoring of events and activities -- internal and external -- and prompt reaction to economic and business factors and control issues.
Development or revision of information systems based on a strategic plan for information systems -- linked to the entity's overall strategy -- and responsive to achieving the entity-wide and activity-level objectives. For example, consider whether:
A mechanism (e.g., an information technology steering committee) is in place for identifying emerging information needs.
Information needs and priorities are determined by executives with sufficiently broad responsibilities.
A long-range information technology plan has been developed and linked with strategic initiatives.
Management's support for the development of necessary information systems is demonstrated by the commitment of appropriate resources -- human and financial. For example, consider whether:
Sufficient resources (managers, analysts, programmers with the requisite technical abilities) are provided as needed to develop new or enhanced information systems.
Conclusions/Actions Needed
Communication
Communication is inherent in information processing. Communication also takes place in a broader sense, dealing with expectations and responsibilities of individuals and groups. Effective communication must occur down, across and up an organization and with parties external to the organization.
Effectiveness with which employees' duties and control responsibilities are communicated. For example, consider whether:
Communication vehicles -- formal and informal training sessions, meetings and on-the-job supervision -- are sufficient in effecting such communication.
Employees know the objectives of their own activity and how their duties contribute to achieving those objectives.
Employees understand how their duties affect, and are affected by, duties of other employees.
Establishment of channels of communication for people to report suspected improprieties. For example, consider whether:
There's a way to communicate upstream through someone other than a direct superior, such as an ombudsman or corporate counsel.
Anonymity is permitted.
Employees actually use the communication channel.
Persons who report suspected improprieties are provided feedback, and have immunity from reprisals.
Receptivity of management to employee suggestions of ways to enhance productivity, quality or other similar improvements. For example, consider whether:
Realistic mechanisms are in place for employees to provide recommendations for improvement.
Management acknowledges good employee suggestions by providing cash awards or other meaningful recognition.
Adequacy of communication across the organization (for example, between procurement and production activities) and the completeness and timeliness of information and its sufficiency to enable people to discharge their responsibilities effectively. For example, consider whether:
Salespeople inform engineering, production and marketing of customer needs.
Accounts receivable personnel advise the credit approval function of slow payers.
Information on competitors' new products or warranties reaches engineering, marketing and sales personnel.
Openness and effectiveness of channels with customers, suppliers and other external parties for communicating information on changing customer needs. For example, consider whether:
Feedback mechanisms with all pertinent parties exist.
Suggestions, complaints and other input are captured and communicated to relevant internal parties.
Information is reported upstream as necessary and follow-up action taken.
Extent to which outside parties have been made aware of the entity's ethical standards. For example, consider whether:
Important communications to outside parties are delivered by management level commensurate with the nature and importance of the message (e.g., senior executive periodically explains in writing the entity's ethical standards to outside parties).
Suppliers, customers and others know the entity's standards and expectations regarding actions in dealing with the entity.
Such standards are reinforced in routine dealings with outside parties.
Improprieties by employees of external parties are reported to the appropriate personnel.
Timely and appropriate follow-up action by management resulting from communications received from customers, vendors, regulators or other external parties. For example, consider whether:
Personnel are receptive to reported problems regarding products, services or other matters, and such reports are investigated and acted upon.
Errors in customer billings are corrected, and the source of the error is investigated and corrected.
Appropriate personnel -- independent of those involved with the original transactions -- process complaints.
Appropriate actions are taken and there is follow-up communication with the original sources.
Top management is aware of the nature and volume of complaints.
Conclusions/Actions Needed
Component Summary -- Conclusions/Actions Needed
MONITORING
Points of Focus | Description/Comments
Ongoing Monitoring
Ongoing monitoring occurs in the ordinary course of operations, and includes regular management and supervisory activities, and other actions personnel take in performing their duties that assess the quality of internal control system performance.
Extent to which personnel, in carrying out their regular activities, obtain evidence as to whether the system of internal control continues to function. For example, consider whether:
Operating management compares production, inventory, sales or other information obtained in the course of their daily activities to systems-generated information.
Integration or reconciliation of operating information used to manage operations with data generated by the financial reporting system.
Operating personnel are required to "sign off" on the accuracy of their units' financial statements, and are held responsible if errors are discovered.
Extent to which communications from external parties corroborate internally generated information, or indicate problems. For example, consider whether:
Customers implicitly corroborate billing data by paying their invoices, or customer complaints about billings -- indicating system deficiencies in the processing of sales transactions -- are investigated for their underlying causes.
Communications from vendors and monthly statements of accounts payable are used as a control monitoring technique.
Suppliers' complaints of unfair practices by purchasing agents are fully investigated.
Regulators communicate information to the entity regarding compliance or other matters that reflect on the functioning of the internal control system.
Controls that should have prevented or detected the problems are reassessed.
Periodic comparison of amounts recorded by the accounting system with physical assets. For example, consider whether:
Inventory levels are checked when goods are taken from inventory storage for shipment, and differences between recorded and actual amounts are corrected.
Securities held in trust are counted periodically and compared with existing records.
Responsiveness to internal and external auditor recommendations on means to strengthen internal controls. For example, consider whether:
Executives with proper authority decide which of the auditors' recommendations will be implemented.
Desired actions are followed up to verify implementation.
Extent to which training seminars, planning sessions and other meetings provide feedback to management on whether controls operate effectively. For example, consider whether:
Relevant issues and questions raised at training seminars are captured.
Employee suggestions are communicated upstream and acted on as appropriate.
Whether personnel are asked periodically to state whether they understand and comply with the entity's code of conduct and regularly perform critical control activities. For example, consider whether:
Personnel are required periodically to acknowledge compliance with the code of conduct.
Signatures are required to evidence performance of critical control functions, such as reconciling specified amounts.
Effectiveness of internal audit activities. For example, consider whether:
There are appropriate levels of competent and experienced staff.
Their position within the organization is appropriate.
They have access to the board of directors or audit committee.
Their scope, responsibilities and audit plans are appropriate to the organization's needs.
Conclusions/Actions Needed
Separate Evaluations
It is useful to take a fresh look at the internal control system from time to time, focusing directly on system effectiveness. The scope and frequency of separate evaluations will depend primarily on an assessment of risks, and ongoing monitoring procedures.
Scope and frequency of separate evaluations of the internal control system. For example, consider whether:
Appropriate portions of the internal control systems are evaluated.
The evaluations are conducted by personnel with the requisite skills.
The scope, depth of coverage and frequency are adequate.
Appropriateness of the evaluation process. For example, consider whether:
The evaluator gains a sufficient understanding of the entity's activities.
An understanding is obtained of how the system is supposed to work and how it actually does work.
An analysis is made, using the evaluation results as measured against established criteria.
Whether the methodology for evaluating a system is logical and appropriate. For example, consider whether:
Such methodology includes checklists, questionnaires or other tools.
The evaluation team is brought together to plan the evaluation process and ensure a coordinated effort.
The evaluation process is managed by an executive with requisite authority.
Appropriateness of the level of documentation. For example, consider whether:
Policy manuals, organization charts, operating instructions and the like are available.
Consideration is given to documenting the evaluation process.

Conclusions/Actions Needed
Reporting Deficiencies
Internal control deficiencies should be reported upstream with certain matters reported to top management and the board.
Existence of mechanism for capturing and reporting identified internal control deficiencies. For example, consider whether means exist for obtaining reports on deficiencies:
From both internal sources and external sources (e.g., customers, suppliers, auditors, regulators).
Resulting from ongoing monitoring or separate evaluations.
Appropriateness of reporting protocols. For example, consider whether:
Deficiencies are reported to the person directly responsible for the activity and to a person at least one level higher.
Specified types of deficiencies are reported to more senior management and to the board.
Appropriateness of follow-up actions. For example, consider whether:
The transaction or event identified is corrected.
The underlying causes of the problem are investigated.
There is follow-up to ensure the necessary corrective action is taken.
Conclusions/Actions Needed
Component Summary -- Conclusions/Actions Needed
RISK ASSESSMENT AND CONTROL ACTIVITIES WORKSHEET
Activity: ________________
Risk Analysis
Objectives | O,F,C | Risk Factors | Likelihood | Actions/Control Activities/Comments | Other Objectives Affected | Evaluation and Conclusion
OVERALL INTERNAL CONTROL SYSTEM EVALUATION
Internal Control Components | Preliminary Conclusions/Actions Needed (see individual evaluation tools) | Additional Considerations
Control Environment -- Does management adequately convey the message that integrity cannot be compromised? Does a positive control environment exist, whereby there is an attitude of control consciousness throughout the organization, and a positive "tone at the top"? Is the competence of the entity's people commensurate with their responsibilities? Are management's operating style, the way it assigns authority and responsibility and organizes and develops its people appropriate? Does the board provide the right level of attention?
Risk Assessment -- Are entity-wide objectives and supporting activity-level objectives established and linked? Are the internal and external risks that influence the success or failure of the achievement of the objectives identified and assessed? Are mechanisms in place to identify changes affecting the entity's ability to achieve its objectives? Are policies and procedures modified as needed?
Control Activities -- Are control activities in place to ensure adherence to established policy and the carrying out of actions to address the related risks? Are there appropriate control activities for each of the entity's activities?
Information and Communication -- Are information systems in place to identify and capture pertinent information -- financial and nonfinancial, relating to external and internal events -- and bring it to personnel in a form that enables them to carry out their responsibilities? Does communication of relevant information take place? Is it clear with respect to expectations and responsibilities of individuals and groups, and reporting of results? And does communication occur down, across and upward in the entity, as well as between the entity and other parties?
Monitoring -- Are appropriate procedures in place to monitor on an ongoing basis, or to periodically evaluate the functioning of the other components of internal control? Are deficiencies reported to the right people? Are policies and procedures modified as needed?
Overall Conclusion