
COSO Internal Control Framework Summary with RF Examples
(Layout: Component / Principle / Point(s) of Focus: Example)

Component: Control Environment

Principle 1. Demonstrate commitment to integrity and ethical values
  1.1 Tone at the Top: Management attitude, values and control consciousness of personnel; importance of integrity and ethical values
  1.2 Mission Statement: Identifies the organization's purpose
  1.3 Standards of conduct: Expectations of the Board and Sr. Mgmt concerning integrity and ethical values are defined and understood by all levels of the organization, as well as outside sources, with processes in place to evaluate performance against expected conduct
  1.4 Address deviations timely: Unethical, immoral, etc. activities are addressed appropriately and timely

Principle 2. Exercise oversight of the internal control program
  2.1 Oversight structure defined: Supervisory Board, etc.
  2.2 Applies relevant expertise: Appropriate decisions to achieve objectives
  2.3 Operates independently: Independent from the organization
  2.4 Oversight of the internal control program: Oversees design, implementation and operation of the internal control program

Principle 3. Establish structure, reporting, authority, responsibilities
  3.1 Internal Control Program documented: Document the "Who, What, Where, When, Why" of the internal control program
  3.2 Reporting lines established: Reliably report quality information
  3.3 Assign responsibility and delegation of authority: Provides ownership of the control program and ensures segregation of duties

Principle 4. Demonstrate commitment to competent personnel
  4.1 Establishes policies and practices: Appropriate policies and procedures ensure all applicable risk has been addressed
  4.2 Addresses competence gaps: Organization has identified competence gaps and has either established mitigating activities or fills the gaps
  4.3 Retains competent employees
  4.4 Succession planning: Organization is identifying areas of possible retirements and developing capable employees to assume those roles

Principle 5. Enforce accountability
  5.1 Enforces accountability
  5.2 Establishes performance measures
  5.3 Evaluates performance measures
  5.4 Aware of outside pressures: Difficult economies can place undue pressure on employees; the organization has identified those positions that are susceptible to outside pressures and established appropriate controls
  5.5 Evaluates performance

Component: Risk Assessment

Principle 6. Identification and assessment of risks related to:
  - Operations Objectives
    6.1 Reflects choices and objectives: Management identifies strategic goals
    6.2 Considers risk appetite: Company-defined risk appetite and risk tolerance; based on organizational risk and ERO risk
    6.3 Includes operations/financial goals: Financial goals and operational goals are identified and communicated to personnel
    6.4 Basis to commit resources: Resources are reviewed and committed to meet organizational objectives; controls are designed as a benefit to the organization
  - External Financial Reporting Objectives
    6.5 Complies with standards: All financial standards and reporting expectations are met
    6.6 Considers materiality: When identifying risk, materiality is taken into consideration and appropriate controls designed
    6.7 Reflects entity activities
  - External non-Financial Reporting Objectives
    6.8 Complies with external Standards and frameworks: Operational reports meet Standard and governmental expectations
    6.9 Considers level of precision
    6.10 Reflects entity activities: Reports clearly and appropriately identify organizational activities and evidence compliance
  - Internal Reporting Objectives
    6.11 Reflects management's choices: Management identifies reporting goals and objectives
    6.12 Considers level of precision
    6.13 Reflects entity activities: Clearly reflects and reports organizational activities
  - Compliance Objectives
    6.14 Reflects external laws and regulations
    6.15 Considers risk appetite: Company-defined risk appetite, and controls are designed with cost-benefit in mind

Principle 7. Risks identified throughout the organization, and determines how to address the risks
  7.1 Includes entity, division, operating unit and functional levels: Entire organization is involved in identifying risk and risk levels; employees at all levels are empowered to identify risk within their area
  7.2 Analyzes internal and external factors
  7.3 Involves appropriate levels of management: All levels of management are involved in identifying the risks for their areas of responsibility
  7.4 Ranks identified risks: Identified risks are ranked in order, with a defined, documented methodology
  7.5 Identifies mitigation activities

Principle 8. Considers the potential for fraud
  6.21 Considers various types of fraud: Examples of fraud: asset misappropriation, sharing passwords to avoid license fees, etc.
  6.22 Assesses incentives and pressures: Considers outside pressures and ensures appropriate incentives are provided, especially in a difficult economy
  6.23 Assesses opportunities: Organization is aware of possible fraud opportunities and is looking for new possible fraud attempts
  6.24 Assesses attitudes: Aware of the "pulse" of the organization

Principle 9. Identify and assess changes that could impact internal control
  6.25 Assesses external changes: Organization is aware of external changes and ensures that all areas of the change are identified and addressed
  6.26 Assesses changes in the business model: Business model is reviewed to ensure it is still appropriately addressing value creation, costs, revenue, etc., and is filtered through all applicable controls
  6.27 Assesses changes in leadership: Changes to leadership initiate a review of all areas to determine the new leadership's impact

Component: Control Activities

Principle 10. Design appropriate control activities
  10.1 Controls address risk raised by the organizational risk assessment
  10.2 Controls address entity objectives and identify the timeframe
    Example (10.1, 10.2): Standards, Rules of Procedure and Controls identify key activities and provide strategy by providing time frames and appropriate secondary controls
  10.3 Design appropriate types of controls: Ensure controls exist to mitigate all risk raised by the Requirement/RoP/risk; identify all inputs needed, what the control produces, who owns the process, etc.; utilize Flashcards to identify and/or strengthen key controls
  10.4 Ensure all functions/levels are included: Designed at functional level, entity level or both; ensure that all personnel involved in the control are included in the identification/design of the control
  10.5 Consider Segregation of Duties: Control activities related to handling any assets or process are designed so that no one individual controls all key aspects of the event; if not possible, insert reviews at key points of the activity/process

Principle 11. Design control activities for automated processes
  11.1 Controls for application system(s): An automated process includes both manual and technology-enabled information processes; it would include controls for completeness, accuracy and validity
  11.2 Appropriate types of controls: For automated processes there are two types of controls, general and application-specific. General controls: security mgmt., logical/physical access, configuration mgmt., segregation of duties, contingency planning. Application-specific controls: input, processing, output, master file, interface, data management
  11.3 Controls for application system infrastructure: Controls for the automated process infrastructure to support completeness, accuracy and validity of information; this would include reconciliation of the data
  11.4 Design of security management: Controls to guard against unauthorized access; information safeguarded against improper modification/destruction; ensuring information nonrepudiation and authenticity; information is readily available; i.e., password controls, unique IDs, limited access, review logs, etc.

Principle 12. Implement controls
  12.1 Document responsibilities: Each control is assigned to a position, thus ensuring that when personnel are absent, all applicable controls assigned to the position are performed consistently
  12.2 Outline how the control is to be implemented: Determine appropriate implementation (i.e., OJT, formalized training, etc.)
  12.3 Ensure appropriate training: Determine if only initial training is needed or periodic training
  12.4 Periodic review of policies and procedures: Review policies and procedures to determine if any changes are needed due to organizational changes, technology changes, personnel changes, etc.

Component: Information and Communication

Principle 13. Uses quality information
  13.1 Identifies information requirements: What is needed to perform the activity and where do you go to get it?
  13.2 Identifies external and internal sources of data: All sources, internal and external, are identified; external sources are vetted
  13.3 Utilizes relevant data: Data is reviewed for relevancy; data obtained from outside your control is validated to ensure accuracy and sufficiency
  13.4 Maintains quality: Uses validated data; data obtained outside of your control is validated to ensure quality
  13.5 Considers costs and benefits: The control doesn't cost more than the benefit of the control

Principle 14. Communicates internally
  14.1 Communicates internal information: Internal customers are identified and the means to communicate the information are established
  14.2 Communicates at all levels of the organization: Escalates information as needed, timely
  14.3 Provides various types of communication: Various methods of communicating information are employed to ensure appropriate coverage
  14.4 Uses appropriate communication method for the information: Communication method appropriately mitigates the risk level

Principle 15. Communicates externally
  15.1 Communicates to external parties: All external parties are identified with established means and timing of communications, both incoming and outgoing
  15.2 Promotes feedback: Promotes and listens to feedback from external sources
  15.3 Communicates to appropriate levels: Ensures that information needed by external parties reaches the appropriate levels; important/risk-based information is escalated timely
  15.4 Provides various types of communication: Various methods of communicating information are employed to ensure appropriate coverage
  15.5 Uses appropriate communication method for the information: Information is appropriately communicated dependent on the importance of the message

Component: Monitoring

Principle 16. Perform monitoring activities
  16.1 Monitoring occurs at all levels: Monitoring should occur departmentally, through compliance oversight, etc.
  16.2 Change is considered: Technology, turnover, audit findings, etc. should affect the monitoring activities
  16.3 Baselines established and understood: Baselines to monitor against are appropriately established and periodically reviewed
  16.4 Uses knowledgeable personnel: Departmental monitoring is performed to ensure personnel familiar with control expectations are involved with the monitoring, in order to ensure the control is performing as expected
  16.5 Integrates with Standard expectations: Addresses the risk posed by the Standard to ensure the control is adequate
  16.6 Adjusts frequency: Periodicity determined by risk
  16.7 Evaluation of results: Objective review of results by knowledgeable personnel

Principle 17. Evaluate issues and remediate deficiencies
  17.1 Assesses results: All control components are interrelated; an issue with any component can lead to control failure; therefore, evaluation goes beyond just looking at the controls
  17.2 Reports issues: Established reporting protocol to appropriate personnel, timely, to ensure prompt evaluation
  17.3 Monitors corrective actions: Mitigating activities are monitored to ensure the issue is properly resolved