COSO Internal Control Framework Summary with RF Examples

| Component | Principles | Point(s) of Focus | Examples |
|---|---|---|---|
| Control Environment | 1. Demonstrate commitment to integrity and ethical values | 1.1 Tone at the Top | Management attitude, values and control consciousness of personnel; importance of integrity and ethical values |
| | | 1.2 Mission Statement | Identifies organization's purpose |
| | | 1.3 Standards of conduct | Expectations of Board and Sr. Mgmt concerning integrity and ethical values are defined and understood by all levels of the organization, as well as outside sources, with processes in place to evaluate performance against expected conduct |
| | | 1.4 Address deviations timely | Unethical, immoral, etc. activities addressed appropriately and timely |
| | 2. Exercise oversight of the internal control program | 2.1 Oversight structure defined | Board of Directors, Supervisory Board, etc. |
| | | 2.2 Applies relevant expertise | Appropriate decisions to achieve objectives |
| | | 2.3 Operates independently | Independent from organization |
| | | 2.4 Oversight of the internal control program | Oversees management design, implementation, operation of the internal control program |
| | 3. Establish structure, reporting, authority, responsibilities | 3.1 Internal Control Program documented | Document the "Who, What, Where, When, Why" of the internal control program |
| | | 3.2 Reporting lines established | Reliably report quality information |
| | | 3.3 Assign responsibility and delegation of authority | Provides ownership of the control program and ensures segregation of duties |
| | 4. Demonstrate commitment to competent personnel | 4.1 Establishes policies and practices | Appropriate policies and procedures ensure all applicable risk has been addressed |
| | | 4.2 Addresses competence gaps | Organization has identified competence gaps and either established mitigating activities or fills the gaps |
| | | 4.3 Retains competent employees | |
| | | 4.4 Succession planning | Organization is identifying areas of possible retirements and developing capable employees to assume those roles |
| | 5. Enforce accountability | 5.1 Enforces accountability | |
| | | 5.2 Establishes performance measures | |
| | | 5.3 Evaluates performance measures | |
| | | 5.4 Aware of outside pressures | Difficult economies can place undue pressure on employees; the organization has identified those positions that are susceptible to outside pressures and established appropriate controls |
| | | 5.5 Evaluates performance | |
| Risk Assessment | 6. Identification and assessment of risks related to: | | |
| | - Operations Objectives | 6.1 Reflects management's choices | Management identifies strategic goals and objectives |
| | | 6.2 Considers risk appetite | Company-defined risk appetite and risk tolerance; based on organizational risk and ERO risk |
| | | 6.3 Includes operations/financial goals | Financial goals and operational goals are identified and communicated to personnel |
| | | 6.4 Basis to commit resources | Resources are reviewed and committed to meet organizational objectives; controls are designed as a benefit to the organization |
| | - External Financial Reporting Objectives | 6.5 Complies with accounting standards | All financial standards and reporting expectations are met |
| | | 6.6 Considers materiality | When identifying risk, materiality is taken into consideration and appropriate controls designed |
| | | 6.7 Reflects entity activities | |
| | - External non-Financial Reporting Objectives | 6.8 Complies with external Standards and frameworks | Operational reports meet Standard and governmental expectations |
| | | 6.9 Considers level of precision | |
| | | 6.10 Reflects entity activities | Reports clearly and appropriately identify organizational activities and evidence compliance |
| | - Internal Reporting Objectives | 6.11 Reflects management's choices | Management identifies reporting goals and objectives |
| | | 6.12 Considers level of precision | |
| | | 6.13 Reflects entity activities | Clearly reflects and reports organizational activities |
| | - Compliance Objectives | 6.14 Reflects external laws and regulations | |
| | | 6.15 Considers risk appetite | Company-defined risk appetite and controls are designed with a cost benefit in mind |
| | 7. Risks identified throughout the organization, and determines how to address the risks | 7.1 Includes entity, division, operating unit and functional levels | Entire organization involved in identifying risk and risk levels; all levels of employees are empowered to identify risk within their area |
| | | 7.2 Analyzes internal and external factors | |
| | | 7.3 Involves appropriate levels of management | All levels of management are involved in identifying the risks for their areas of responsibility |
| | | 7.4 Ranks identified risks | Identified risks are ranked in order, with a defined, documented methodology |
| | | 7.5 Identifies mitigation activities | |
| | 8. Considers the potential for fraud | 6.21 Considers various types of fraud | Examples of fraud: asset misappropriation, sharing passwords to avoid license fees, etc. |
| | | 6.22 Assesses incentives and pressures | Considers outside pressures and ensures appropriate incentives are provided, especially in a difficult economy |
| | | 6.23 Assesses opportunities | Organization is aware of possible fraud opportunities and looking for new possible fraud attempts |
| | | 6.24 Assesses attitudes | Aware of the "pulse" of the organization |
| | 9. Identify and assess changes that could impact internal control | 6.25 Assess external changes | Organization is aware of external changes and ensures that all areas of the change are identified and addressed |
| | | 6.26 Assess changes in the business model | Business model is reviewed to ensure it is still appropriately addressing value creation, costs, revenue, etc., and filtered through all applicable controls |
| | | 6.27 Assesses changes in leadership | Changes to leadership initiate a review of all areas to determine new leadership impact |
| Control Activities | 10. Design appropriate control activities | 10.1 Controls address risk raised by organizational risk assessment | Standards, Rules of Procedure and strategy |
| | | 10.2 Controls address entity objectives and identify the timeframe | Controls identify key activities and provide time frames and appropriate secondary controls |
| | | 10.3 Design appropriate types of controls | Ensure controls exist to mitigate all risk raised by the Requirement/RoP/risk; identify all inputs needed, what the control produces, who owns the process, etc.; utilize Flashcards to identify and/or strengthen key controls |
| | | 10.4 Ensure all functions/levels are included | Designed at functional level, entity level or both; ensure that all personnel involved in the control are included in the identification/design of the control |
| | | 10.5 Consider Segregation of Duties | Control activities related to handling any assets or process designed so that no one individual controls all key aspects of the event; if not possible, insert reviews at key points of the activity/process |
| | 11. Design control activities for automated processes | 11.1 Controls for application system(s) | An automated process includes both manual and technology-enabled information processes; it would include controls for completeness, accuracy, validity |
| | | 11.2 Appropriate types of controls | For automated processes there are two types of controls: general and application specific. General controls: security mgmt., logical/physical access, configuration mgmt., segregation of duties, contingency planning. Application-specific controls: input, processing, output, master file, interface, data management |
| | | 11.3 Controls for application system infrastructure | Controls for automated process infrastructure to support completeness, accuracy and validity of information; this would include reconciliation of the data |
| | | 11.4 Design of security management | Controls to guard against unauthorized access; information safeguarded against improper modification/destruction; ensuring information nonrepudiation and authenticity; information is readily available, i.e., password controls, unique IDs, limited access, review logs, etc. |
| | 12. Implement controls | 12.1 Document responsibilities | Each control is assigned to a position, thus ensuring that when personnel are absent, all applicable controls assigned to the position are performed consistently |
| | | 12.2 Outline how the control is to be implemented | Determine appropriate implementation (i.e., OJT, formalized training, etc.) |
| | | 12.3 Ensure appropriate training | Determine if only initial training is needed or periodic training |
| | | 12.4 Periodic review of policies and procedures | Review policies and procedures to determine if any changes are needed due to organizational changes, technology changes, personnel changes, etc. |
| Information and Communication | 13. Uses quality information | 13.1 Identifies information requirements | What is needed to perform the activity and where do you go to get it? |
| | | 13.2 Identifies external and internal sources of data | All sources, internal and external, are identified; external sources are vetted |
| | | 13.3 Utilizes relevant data | Data is reviewed for relevancy; data obtained from outside your control is validated to ensure accuracy and sufficiency |
| | | 13.4 Maintains quality | Uses validated data; data obtained outside of your control is validated to ensure quality |
| | | 13.5 Considers costs and benefits | The control doesn't cost more than the benefit of the control |
| | 14. Communicates | 14.1 Communicates internal information | Internal customers are identified and the means to communicate the information are established |
| | | 14.2 Communicates at all levels of the organization | Escalates information as needed, timely |