INTERNAL CONTROL

INTEGRATED FRAMEWORK

Evaluation Tools

September 1992

Committee of Sponsoring
Organizations of the
Treadway Commission
Copyright 1992 by the Committee of
Sponsoring Organizations of the Treadway Commission (COSO)
Two-Volume edition 1994
To purchase additional copies of the two-volume Internal Control Integrated
Framework (Product 990012), visit [Link] or call 888-777-7077.
Reprint information for this publication may be obtained at [Link].


Committee of Sponsoring Organizations of the Treadway Commission (COSO)

Oversight (sponsoring organization: representative)
American Institute of Certified Public Accountants: Robert L. May, Chairman
American Accounting Association: Alvin A. Arens
The Institute of Internal Auditors: William G. Bishop, III
Institute of Management Accountants: Thomas M. O'Toole
Financial Executives Institute: P. Norman Roy

Project Advisory Council to COSO (Guidance)
Gaylen N. Larson, Chairman: Group Vice President, Chief Accounting Officer, Household International
C. Perry Colwell: Senior Vice President, Financial Management, IBM Corporation
John H. Stewart: Assistant Treasurer, AT&T (retired)
Andrew D. Bailey: Professor, Department of Accounting, College of Business and Public Administration, The University of Arizona
William J. Ihlanfeldt: Assistant Controller, Shell Oil Company
Howard L. Siers, Consultant: General Auditor, E.I. Du Pont de Nemours and Company, Inc. (retired)
Roger N. Carolus: Senior Vice President, NationsBank (retired)
David L. Landsittel: Managing Director, Auditing, Arthur Andersen & Co.

Coopers & Lybrand (Author)
Principal Contributors
Vincent M. O'Reilly: Deputy Chairman, Accounting and Auditing
R. Malcolm Schwartz: Principal, New York Office
Richard M. Steinberg: Partner, National Office
Frank J. Tanki: Director, Accounting and SEC Technical Services
Robert J. Spear: Partner, Boston Office

Contents

Introduction 1
Blank Tools 3
  Control Environment 5
  Risk Assessment 19
  Control Activities 29
  Information and Communication 31
  Monitoring 37
  Risk Assessment and Control Activities Worksheet 42
  Overall Internal Control System Evaluation 45
Reference Manual 49
Sample Filled-in Tools 131
  Control Environment 133
  Risk Assessment 151
  Control Activities 167
  Information and Communication 169
  Monitoring 175
  Risk Assessment and Control Activities Worksheet 182
  Overall Internal Control System Evaluation 201

Introduction

This volume contains a set of tools that may be useful in conducting an evaluation of an entity's
internal control system. The tools may be used in any of several ways:
Individually, when evaluating a particular component, or together when evaluating all components.
In evaluating controls related to one category of controls, such as reliability of financial reporting,
or more than one category.
When focusing on certain activities, such as procurement or sales, or all activities.

The evaluation tools are presented as follows:
A set of blank tools, organized by component, along with one to assist in assembling the results
in making an overall evaluation.
A Reference Manual designed to assist the evaluator in completing the Risk Assessment and
Control Activities Worksheet. Also presented is a generic business model which serves as the
organizational basis for the Reference Manual.
Filled-in tools, depicting how they might be completed for a hypothetical company.

These evaluation tools are intended to provide guidance and assistance in evaluating internal control
systems in relation to criteria for effective internal control set forth in the Framework volume of this
report. Accordingly, users of these materials should be familiar with that volume.

These tools are presented for purely illustrative purposes. They are not an integral part of the
Framework, and their presentation here in no way suggests that all matters addressed in them need to
be considered in evaluating an internal control system, or that all such matters must be present in order
to conclude that a system is effective. Similarly, there is no suggestion that these tools are a preferred
method to conduct and document an evaluation. Because facts and circumstances vary between entities
and industries, evaluation methodologies and documentation techniques will also vary. Accordingly,
entities may use different evaluation tools, or use other methodologies utilizing different evaluative
techniques. For those entities that do plan to use these tools in some way, it is suggested that they be
used only as a starting point, and be modified to reflect the particular facts, conditions and risks
relevant to their own circumstances.

These evaluation tools can be used by entities of any size. When used by small or mid-size entities, the
tailoring process should recognize that smaller entities tend to be less formal and less structured than
large organizations, that fewer organization levels will likely result in the CEO and other key managers
communicating more directly and continuously with lower level personnel, and that these factors will
affect the way control is exercised. The sample filled-in tools contained in this volume have been
completed using a hypothetical mid-size company and may provide guidance to companies of such
size in completing the tools.



Blank Tools

Component Tools
Five evaluation tools are presented, one for each internal control component. A heading and brief
introduction identify each factor or significant element within a component.
Substantive issues to be addressed are contained under the column heading "Points of Focus". The
points of focus are identified by the symbol , and represent some of the more important issues
relevant to the component. Not all points of focus are relevant to every entity, and additional issues
will be relevant to some entities. It is suggested that the evaluator tailor the points of focus to fit the
entity's facts and circumstances by adding, deleting or modifying those provided in the tool.
Included under each point of focus are examples of subsidiary issues that might be considered in
addressing the point of focus. It is important to recognize that only a few examples of such subsidiary
issues are provided. Many others usually are relevant. The examples provided are intended only to
illustrate the types of items to consider.
The evaluator addresses each point of focus, considering the example subsidiary issues as well as
others not presented. Although one could record a response for each example subsidiary issue, it is
suggested that a response be provided only to the point of focus. The description/comments column
provides space to record a description of how matters addressed in the point of focus are applied in the
entity, and to record relevant comments. The response generally will not be a "yes" or "no" answer,
but rather information on how the entity addresses the matter.
At the end of each section is a space to record a conclusion on the effectiveness of the related controls,
and any actions that might need to be taken or considered. Space is provided at the end of each tool for
similar information on the entire component.
Risk Assessment and Control Activities Worksheet
As noted in the evaluation tools for Risk Assessment and Control Activities, management establishes
objectives for each significant activity; analyzes risks to their achievement; establishes plans, programs
and other actions to address the risks; and puts in place control activities to ensure that the actions are
carried out. The tools for Risk Assessment and Control Activities do not provide a vehicle to evaluate
this process at the activity level. A separate worksheet is provided to assist in this regard.
Management may or may not have already documented this process. If not, the worksheet (pages 42
and 43) provides a vehicle to assist management in performing and documenting the process. An
evaluator then can review the completed worksheet. If management has no documentation, the
evaluator might consider preparing the worksheet (with the assistance of management) in order to
evaluate the process and associated linkages.

The Reference Manual (beginning on page 49) is designed to assist in identifying activity-level
objectives, analyzing the risks, and determining what actions might be taken and what control activities
put in place.
Overall Internal Control System Evaluation
An evaluation tool is provided to serve as a summary of the findings and conclusions for each of the
components and to facilitate review of the preliminary results by more senior executives and their
addition of further information. Space for an overall conclusion on the internal control system is
provided.


Control Environment

Columns: Points of Focus; Description/Comments
Integrity and Ethical Values
Management must convey the message that integrity
and ethical values cannot be compromised, and
employees must receive and understand that message.
Management must continually demonstrate, through
words and actions, a commitment to high ethical
standards.

Existence and implementation of codes of
conduct and other policies regarding
acceptable business practice, conflicts of
interest, or expected standards of ethical and
moral behavior. For example, consider whether:

Codes are comprehensive, addressing conflicts of
interest, illegal or other improper payments,
anticompetitive guidelines, insider trading.

Codes are periodically acknowledged by all
employees.

Employees understand what behavior is acceptable
or unacceptable, and know what to do if they
encounter improper behavior.

If a written code of conduct does not exist, the
management culture emphasizes the importance of
integrity and ethical behavior. This may be
communicated orally in staff meetings, in one-on-
one interface, or by example when dealing with
day-to-day activities.

Establishment of the "tone at the top" (including
explicit moral guidance about what is right and
wrong) and the extent of its communication
throughout the organization.
For example, consider whether:

Commitment to integrity and ethics is
communicated effectively throughout the
enterprise, both in words and deeds.

Employees feel peer pressure to do the right thing,
or cut corners to make a quick buck.

Management appropriately deals with signs that
problems exist, e.g., potential defective products or
hazardous wastes, especially when the cost of
identifying problems and dealing with the issues
could be large.

Dealings with employees, suppliers, customers,
investors, creditors, insurers, competitors, and
auditors, etc. (e.g., whether management
conducts business on a high ethical plane, and
insists that others do so, or pays little attention
to ethical issues). For example, consider whether:

Everyday dealings with customers, suppliers,
employees and other parties are based on honesty
and fairness (e.g., a customer's overpayment or a
supplier's underbilling are not ignored, no efforts
are made to find a way to reject an employee's
legitimate claim for benefits, and reports to lenders
are complete, accurate and not misleading).

Appropriateness of remedial action taken in
response to departures from approved policies
and procedures or violations of the code of
conduct. Extent to which remedial action is
communicated or otherwise becomes known
throughout the entity. For example, consider
whether:

Management responds to violations of behavioral
standards.

Disciplinary actions taken as a result of violations
are widely communicated in the entity. Employees
believe that, if caught violating behavioral
standards, they'll suffer the consequences.

Management's attitude towards intervention or
overriding established controls. For example,
consider whether:

Management has provided guidance on the
situations and frequency with which intervention
may be needed.

Management intervention is documented and
explained appropriately.

Manager override is explicitly prohibited.
Deviations from established policies are
investigated and documented.

Pressure to meet unrealistic performance
targets (particularly for short-term results)
and the extent to which compensation is based on
achieving those performance targets. For
example, consider whether:

Conditions such as extreme incentives or
temptations exist that can unnecessarily and
unfairly test people's adherence to ethical values.

Compensation and promotions are based solely on
achievement of short-term performance targets.

Controls are in place to reduce temptations that
might otherwise exist.

Conclusions/Actions Needed

Commitment to Competence
Management must specify the level of competence
needed for particular jobs, and translate the desired
levels of competence into requisite knowledge and
skills.

Formal or informal job descriptions or other
means of defining tasks that comprise
particular jobs. For example, consider whether:

Management has analyzed, on a formal or
informal basis, the tasks comprising particular
jobs, considering such factors as the extent to
which individuals must exercise judgment and
the extent of related supervision.

Analyses of the knowledge and skills needed to
perform jobs adequately. For example, consider
whether:

Management has determined to an adequate
extent the knowledge and skills needed to
perform particular jobs.

Evidence exists indicating that employees
appear to have the requisite knowledge and
skills.

Conclusions/Actions Needed

Board of Directors or Audit Committee
An active and effective board, or committees thereof,
provides an important oversight function and, because
of management's ability to override system controls,
the board plays an important role in ensuring effective
internal control.

Independence from management, such that
necessary, even if difficult and probing,
questions are raised. For example, consider whether:

The board constructively challenges
managements planned decisions, e.g.,
strategic initiatives and major transactions,
and probes for explanations of past results
(e.g., budget variances).

A board that consists solely of an entity's
officers and employees (e.g., a small
corporation) questions and scrutinizes
activities, presents alternative views and takes
appropriate action if necessary.

Use of board committees where warranted by
the need for more in-depth or directed
attention to particular matters. For example,
consider whether:

Board committees exist.
They are sufficient, in subject matter and
membership, to deal with important issues
adequately.

Knowledge and experience of directors. For
example, consider whether:

Directors have sufficient knowledge, industry
experience and time to serve effectively.

Frequency and timeliness with which meetings
are held with chief financial and/or accounting
officers, internal auditors and external
auditors. For example, consider whether:

The audit committee meets privately with the
chief accounting officer and internal and
external auditors to discuss the reasonableness
of the financial reporting process, system of
internal control, significant comments and
recommendations, and management's
performance.

The audit committee reviews the scope of
activities of the internal and external auditors
annually.

Sufficiency and timeliness with which
information is provided to board or committee
members, to allow monitoring of
management's objectives and strategies, the
entity's financial position and operating
results, and terms of significant agreements.
For example, consider whether:

The board regularly receives key information,
such as financial statements, major marketing
initiatives, significant contracts or
negotiations.

Directors believe they receive the proper
information.

Sufficiency and timeliness with which the
board or audit committee is apprised of
sensitive information, investigations and
improper acts (e.g., travel expenses of senior
officers, significant litigation, investigations of
regulatory agencies, defalcations,
embezzlement or misuse of corporate assets,
violations of insider trading rules, political
payments, illegal payments). For example,
consider whether:

A process exists for informing the board of
significant issues.

Information is communicated timely.

Oversight in determining the compensation of
executive officers and head of internal audit,
and the appointment and termination of those
individuals. For example, consider whether:

The compensation committee approves all
management incentive plans tied to
performance.

The compensation committee, in joint
consultation with the audit committee, deals
with compensation and retention issues
regarding the chief internal auditor.

Role in establishing the appropriate tone at
the top. For example, consider whether:

The board and audit committee are involved
sufficiently in evaluating the effectiveness of
the tone at the top.

The board takes steps to ensure an appropriate
tone.

The board specifically addresses managements
adherence to the code of conduct.

Actions the board or committee takes as a
result of its findings, including special
investigations as needed. For example, consider
whether:

The board has issued directives to management
detailing specific actions to be taken.

The board oversees and follows up as needed.

Conclusions/Actions Needed

Management's Philosophy and Operating Style
The philosophy and operating style of management
normally have a pervasive effect on an entity. These
are, of course, intangibles, but one can look for
positive or negative signs.

Nature of business risks accepted, e.g., whether
management often enters into particularly
high-risk ventures, or is extremely conservative
in accepting risks. For example, consider
whether:

Management moves carefully, proceeding
only after carefully analyzing the risks and
potential benefits of a venture.

Personnel turnover in key functions, e.g.,
operating, accounting, data processing, internal
audit. For example, consider whether:

There has been excessive turnover of
management or supervisory personnel.

Key personnel have quit unexpectedly or on
short notice.

There is a pattern to turnover (e.g., inability to
retain key financial or internal audit
executives) that may be an indicator of the
emphasis that management places on control.

Management's attitude toward the data
processing and accounting functions, and
concerns about the reliability of financial
reporting and safeguarding of assets. For
example, consider whether:

The accounting function is viewed as a
necessary group of bean counters, or as a
vehicle for exercising control over the entity's
various activities.

The selection of accounting principles used in
financial statements always results in the
highest reported income.

If the accounting function is decentralized,
operating management sign off on reported
results.

Unit accounting personnel also have
responsibility to central financial officers.

Valuable assets, including intellectual assets
and information, are protected from
unauthorized access or use.

Frequency of interaction between senior
management and operating management,
particularly when operating from
geographically removed locations. For example,
consider whether:

Senior managers frequently visit subsidiary or
divisional operations.

Group or divisional management meetings are
held frequently.

Attitudes and actions toward financial
reporting, including disputes over application
of accounting treatments (e.g., selection of
conservative versus liberal accounting policies;
whether accounting principles have been
misapplied, important financial information
not disclosed, or records manipulated or
falsified). For example, consider whether:

Management avoids obsessive focus on short-
term reported results.

Personnel do not submit inappropriate reports
to meet targets (e.g., salespeople submitting
orders to meet targets, knowing customers will
return goods in the next period).

Managers do not ignore signs of inappropriate
practices.

Estimates do not stretch facts to the edge of
reasonableness and beyond.

Conclusions/Actions Needed

Organizational Structure
The organizational structure shouldn't be so simple
that it cannot adequately monitor the enterprise's
activities nor so complex that it inhibits the necessary
flow of information. Executives should fully
understand their control responsibilities and possess
the requisite experience and levels of knowledge
commensurate with their positions.

Appropriateness of the entity's organizational
structure, and its ability to provide the
necessary information flow to manage its
activities. For example, consider whether:

The organizational structure is appropriately
centralized or decentralized, given the nature
of the entity's operations.

The structure facilitates the flow of
information upstream, downstream and across
all business activities.

Adequacy of definition of key managers'
responsibilities, and their understanding of
these responsibilities. For example, consider
whether:

Responsibilities and expectations for the
entity's business activities are communicated
clearly to the executives in charge of those
activities.

Adequacy of knowledge and experience of key
managers in light of responsibilities. For
example, consider whether:

The executives in charge have the required
knowledge, experience and training to perform
their duties.

Appropriateness of reporting relationships. For
example, consider whether:

Established reporting relationships (formal or
informal, direct or matrix) are effective, and
they provide managers information appropriate
to their responsibilities and authority.

The executives of the business activities have
access to communication channels to senior
operating executives.

Extent to which modifications to the
organizational structure are made in light of
changed conditions. For example, consider whether:

Management periodically evaluates the
entity's organizational structure in light of
changes in the business or industry.

Sufficient numbers of employees exist,
particularly in management and supervisory
capacities. For example, consider whether:

Managers and supervisors have sufficient time
to carry out their responsibilities effectively.

Managers and supervisors work excessive
overtime, and are fulfilling the responsibilities
of more than one employee.

Conclusions/Actions Needed

Assignment of Authority and Responsibility
The assignment of responsibility, delegation of
authority and establishment of related policies provide
a basis for accountability and control, and set forth
individuals' respective roles.

Assignment of responsibility and delegation of
authority to deal with organizational goals and
objectives, operating functions and regulatory
requirements, including responsibility for
information systems and authorizations for
changes. For example, consider whether:

Authority and responsibility are assigned to
employees throughout the entity.

Responsibility for decisions is related to
assignment of authority and responsibility.

Proper information is considered in
determining the level of authority and scope of
responsibility assigned to an individual.

Appropriateness of control-related standards
and procedures, including employee job
descriptions. For example, consider whether:

Job descriptions, for at least management and
supervisory personnel, exist.
They contain specific references to control-
related responsibilities.

Appropriate numbers of people, particularly
with respect to data processing and accounting
functions, with the requisite skill levels relative
to the size of the entity and nature and
complexity of activities and systems. For
example, consider whether:

The entity has an adequate workforce (in
numbers and experience) to carry out its mission.

Appropriateness of delegated authority in
relation to assigned responsibilities. For
example, consider whether:

There is an appropriate balance between
authority needed to get the job done and the
involvement of senior personnel where needed.

Employees at the right level are empowered
to correct problems or implement
improvements, and empowerment is
accompanied by appropriate levels of
competence and clear boundaries of authority.

Conclusions/Actions Needed

Human Resource Policies and Practices
Human resource policies are central to recruiting and
retaining competent people to enable the entity's
plans to be carried out so its goals can be achieved.

Extent to which policies and procedures for
hiring, training, promoting and compensating
employees are in place. For example, consider
whether:

Existing personnel policies and procedures
result in recruiting or developing competent
and trustworthy people necessary to support
an effective internal control system.

The level of attention given to recruiting and
training the right people is appropriate.

When formal documentation of policies and
practices does not exist, management
communicates expectations about the type of
people to be hired or participates directly in
the hiring process.

Extent to which people are made aware of their
responsibilities and expectations of them. For
example, consider whether:

New employees are made aware of their
responsibilities and management's
expectations of them.

Supervisory personnel meet periodically with
employees to review job performance and
suggestions for improvement.

Appropriateness of remedial action taken in
response to departures from approved
policies and procedures. For example, consider
whether:

Management's response to failures to carry
out assigned responsibilities is appropriate.

Appropriate corrective action is taken as a
result of non-adherence to established policies.

Employees understand that ineffective
performance will result in remedial
consequences.

Extent to which personnel policies address
adherence to appropriate ethical and moral
standards. For example, consider whether:

Integrity and ethical values is a criterion in
performance appraisals.

Adequacy of employee candidate background
checks, particularly with regard to prior
actions or activities considered to be
unacceptable by the entity. For example,
consider whether:

Candidates with frequent job changes or gaps
in employment history are subjected to
particularly close scrutiny.

Hiring policies require investigation for a
criminal record.

Adequacy of employee retention and
promotion criteria and information-gathering
techniques (e.g., performance evaluations) and
relation to the code of conduct or other
behavioral guidelines. For example, consider
whether:

Promotion and salary increase criteria are
detailed clearly so that individuals know what
management expects prior to promotions or
advancement.

Criteria reflect adherence to behavioral
standards.

Conclusions/Actions Needed

Component Summary: Conclusions/Actions Needed

Risk Assessment

Columns: Points of Focus; Description/Comment
Entity-Wide Objectives
For an entity to have effective control, it must have
established objectives. Entity-wide objectives
include broad statements of what an entity desires to
achieve, and are supported by related strategic plans.
Describe the entity-wide objectives and key
strategies that have been established.

Extent to which the entity-wide objectives
provide sufficiently broad statements and
guidance on what the entity desires to achieve,
yet which are specific enough to relate
directly to this entity. For example, consider
whether:

Management has established entity-wide
objectives.

The entity-wide objectives are different than
generic objectives that could apply to any
entity (e.g., generate sufficient cash flow to
service debt, or produce a reasonable return
on investment).

Effectiveness with which the entity-wide
objectives are communicated to employees
and board of directors. For example, consider
whether:

Information on the entity-wide objectives is
disseminated to employees and the board of
directors.

Management obtains feedback from key
managers, other employees and the board
signifying that communication to employees
is effective.

Relation and consistency of strategies with
entity-wide objectives. For example, consider
whether:

The strategic plan supports the entity-wide
objectives.

It addresses high level resource allocations
and priorities.

Consistency of business plans and budgets with
entity-wide objectives, strategic plans and
current conditions. For example, consider whether:

Assumptions inherent in the plans and
budgets reflect the entity's historical
experience and current conditions.

Plans and budgets are at an appropriate level
of detail for each management level.

Conclusions/Actions Needed

Activity-Level Objectives
Activity-level objectives flow from and are linked
with the entity-wide objectives and strategies.
Activity-level objectives are frequently stated as
goals with specific targets and deadlines. Objectives
should be established for each significant activity,
and those activity-level objectives should be
consistent with each other.

Linkage of activity-level objectives with
entity-wide objectives and strategic plans. For
example, consider whether:

Adequate linkage exists for all significant
activities.

Activity-level objectives are reviewed from
time to time for continued relevance.

Consistency of activity-level objectives with
each other. For example, consider whether:

They are complementary and reinforcing
within activities.

They are complementary and reinforcing
between activities.

Relevance of activity-level objectives to all
significant business processes. For example,
consider whether:

Objectives are established for key activities
in the flows of goods and services and
support activities.

Activity-level objectives are consistent with
past practices and performances or with
industry or functional analogues, or the
reasons for variance have been considered.

Objectives are established for each
significant activity. These activities may
include, among others (the activities listed
derive from a generic business model, pages
52 to 55; illustrative objectives for each of
these activities are presented in the Reference
Manual, pages 57 to 129):

Inbound
Operations
Outbound
Marketing and Sales
Service
Procurement
Technology Development
Human Resources
Manage the Enterprise
Manage External Relations
Provide Administrative Services
Manage Information Technology
Manage Risks (of accident or other insurable loss)
Manage Legal Affairs
Plan
Process Accounts Payable
Process Accounts Receivable
Process Funds
Process Fixed Assets
Analyze and Reconcile
Process Benefits and Retiree Information
Process Payroll
Process Tax Compliance
Process Product Costs
Provide Financial and Management Reporting

Specificity of activity-level objectives. For
example, consider whether:

Objectives include measurement criteria.

Adequacy of resources relative to objectives.
For example, consider whether:

Management has identified the resources
needed to achieve the objectives.

Plans exist for acquiring necessary resources
(e.g., financing, personnel, facilities,
technology).

Identification of objectives that are important
(critical success factors) to achievement of
entity-wide objectives. For example, consider
whether:

Management has identified what must go
right, or where failure must be avoided, for
entity-wide objectives to be achieved.

Capital spending and expense budgets are
based on management's analysis of the
relative importance of objectives.

The objectives serving as critical success
factors provide a basis for particular
management focus.

Involvement of all levels of management in
objective setting and extent to which they are
committed to the objectives. For example,
consider whether:

Managers participate in establishing activity
objectives for which they are responsible.

Procedures exist to resolve disagreements.

Managers support the objectives, and do not
have hidden agendas.


Conclusions/Actions Needed









Risks
An entity's risk-assessment process should identify
and consider the implications of relevant risks, at
both the entity level and the activity level. The risk-
assessment process should consider external and
internal factors that could impact achievement of the
objectives, should analyze the risks, and provide a
basis for managing them.

Adequacy of mechanisms to identify risks
arising from external sources. For example,
consider whether management considers risks
related to:

Supply sources
Technology changes
Creditors' demands
Competitors' actions
Economic conditions
Political conditions
Regulation
Natural events

Adequacy of mechanisms to identify risks
arising from internal sources. For example,
consider whether management considers risks
related to:

Human resources, such as retention of key
management personnel or changes in
responsibilities that can affect the ability to
function effectively.


Financing, such as availability of funds for
new initiatives or continuation of key
programs.

Labor relations, such as compensation and
benefit programs to keep the entity
competitive with others in the industry.

Information systems, such as the adequacy of
back-up systems in the event of failure of
systems that could significantly affect
operations.

Identification of significant risks for each
significant activity-level objective. (Consider
risks identified with respect to each of the
activities identified under activity-level
objectives; illustrative risks relative to common
objectives are presented in the Reference
Manual, pages 57 to 129.)

Thoroughness and relevance of the risk
analysis process, including estimating the
significance of risks, assessing the likelihood
of their occurring and determining needed
actions. For example, consider whether:

Risks are analyzed through formal processes
or informal day-to-day management
activities.

The identified risks are relevant to the
corresponding activity objective.

Appropriate levels of management are
involved in analyzing the risks.

Conclusions/Actions Needed











Managing Change
Economic, industry and regulatory environments
change and entities' activities evolve. Mechanisms are
needed to identify and react to changing conditions.

Existence of mechanisms to anticipate,
identify and react to routine events or
activities that affect achievement of entity or
activity-level objectives (usually implemented
by managers responsible for the activities that
would be most affected by the changes). For
example, consider whether:

Routine changes are addressed as part of the
normal risk identification and analysis
process, or through separate mechanisms.

Risks and opportunities related to the
changes are addressed at sufficiently high
levels in the organization so their full
implications are identified and appropriate
action plans formulated.

All activities within the entity significantly
affected by the change are brought into the
process.

Existence of mechanisms to identify and react
to changes that can have a more dramatic and
pervasive effect on the entity, and may
demand the attention of top management. For
example, for each of the following areas of
potential change, consider whether:

Changed operating environment:
Market research or other programs identify
major shifts in customer demographics,
preferences or spending patterns.

The entity is aware of significant shifts in the
workforce, externally or internally, that
could affect available skill levels.

Legal counsel periodically updates management
on the implications of new legislation.

New personnel:
Special action is taken to ensure new
personnel understand the entity's culture and
perform accordingly.


Consideration is given to key control activities
performed by personnel being moved.

New or redesigned information systems:
Mechanisms exist to assess the effects of
new systems.

Procedures are in place to reconsider the
appropriateness of existing control activities
when new computer systems are developed
and go live.

Management knows whether systems
development and implementation policies are
adhered to despite pressures to short-cut
the process.

Attention is given to the effect of new
systems on information flows and related
controls, and employee training, including
focus on employee resistance to change.

Rapid growth:
Systems capability is upgraded to handle
rapidly increasing volumes of information.

Workforce in operations, accounting and data
processing is expanded as needed to keep
pace with increased volume.

A process for revising budgets or forecasts
exists.

A process exists for considering
interdepartmental implications of revised unit
objectives and plans.

New technology:
Information on technological developments is
obtained through reporting services,
consultants, seminars or perhaps joint ventures
with companies in the forefront of research and
development relevant to the entity.

New technologies, or applications, developed
by competitors are monitored.

Mechanisms exist for taking advantage, and
controlling the use, of new technology
applications, incorporating them into
production processes or information systems.

New lines, products, activities and acquisitions:
The ability exists to reasonably forecast
operating and financial results.


The adequacy of existing information
systems and control activities for the new
line, product or activity is assessed.

Plans are developed for recruiting and
training people with the requisite expertise to
deal with new products or activities.

Procedures are in place to track early results,
and to modify production and marketing as
needed.

Financial reporting, legal and regulatory
requirements are identified and complied with.

The effects on other company products, and
on profitability, are monitored.

Overhead allocations are modified to reflect
product contribution accurately.

Corporate restructuring:
Staff reassignments or reductions are analyzed
for their potential effect on related operations.

Transferred or terminated employees' control
responsibilities are reassigned.

The impact on morale of remaining employees
after major downsizing is considered.

Safeguards exist to protect against
disgruntled former employees.

Foreign operations:
Management keeps abreast of the political,
regulatory, business and social culture of
areas in which foreign operations exist.

Personnel are made aware of accepted
customs and rules.

Alternative procedures exist in case activities
of or communication mechanisms with
foreign operations are interrupted.

Conclusions/Actions Needed










Component Summary: Conclusions/Actions Needed












Control Activities

Points of Focus Description/Comments
Control activities encompass a wide range of policies
and the related implementation procedures that help
ensure that management's directives are effected.
They help ensure that those actions identified as
necessary to address risks to achieve the entity's
objectives are carried out.

Existence of appropriate policies and
procedures necessary with respect to each of the
entity's activities.

All relevant objectives and associated risks for
each significant activity should have been
identified in conjunction with evaluating Risk
Assessment. Reference may be made to the
Reference Manual (pages 57 to 129) which
presents, for common business activities,
illustrative objectives, risks, and points of focus
for actions/control activities. The listings in that
latter column may be useful in identifying what
actions management has directed to address the
risks, and considering the appropriateness of
control activities the entity applies to see that the
actions are carried out. It should be recognized that
points of focus for general controls (or general
computer controls) are presented in the Reference
Manual under the activity Manage Information
Technology.

Identified control activities in place are being
applied properly. For example, consider whether:

Controls described in policy manuals are
actually applied and are applied the way that
they're supposed to be.

Appropriate and timely action is taken on
exceptions or information that requires
follow-up.

Supervisory personnel review the functioning
of controls.


Component Summary: Conclusions/Actions Needed











Information and Communication

Points of Focus Description/Comments
Information
Information is identified, captured, processed and
reported by information systems. Relevant information
includes industry, economic and regulatory
information obtained from external sources, as well as
internally generated information.

Obtaining external and internal information, and
providing management with necessary reports on
the entity's performance relative to established
objectives. For example, consider whether:

Mechanisms are in place to obtain relevant
external information on market conditions,
competitors' programs, legislative or regulatory
developments and economic changes.

Internally generated information critical to
achievement of the entity's objectives,
including that relative to critical success
factors, is identified and regularly reported.

The information that managers need to carry
out their responsibilities is reported to them.

Providing information to the right people in
sufficient detail and on time to enable them to
carry out their responsibilities efficiently and
effectively. For example, consider whether:

Managers receive analytical information that
enables them to identify what action needs to
be taken.

Information is provided at the right level of
detail for different levels of management.

Information is summarized appropriately,
providing pertinent information while
permitting closer inspection of details as
needed rather than just a sea of data.


Information is available on a timely basis to
allow effective monitoring of events and
activities, internal and external, and prompt
reaction to economic and business factors and
control issues.

Development or revision of information systems
based on a strategic plan for information
systems, linked to the entity's overall
strategy, and responsive to achieving the
entity-wide and activity-level objectives. For
example, consider whether:

A mechanism (e.g., an information technology
steering committee) is in place for identifying
emerging information needs.

Information needs and priorities are
determined by executives with sufficiently
broad responsibilities.

A long-range information technology plan has
been developed and linked with strategic
initiatives.

Management's support for the development of
necessary information systems is demonstrated
by the commitment of appropriate resources,
human and financial. For example, consider
whether:

Sufficient resources (managers, analysts,
programmers with the requisite technical
abilities) are provided as needed to develop
new or enhanced information systems.

Conclusions/Actions Needed










Communication
Communication is inherent in information processing.
Communication also takes place in a broader sense,
dealing with expectations and responsibilities of
individuals and groups. Effective communication must
occur down, across and up an organization and with
parties external to the organization.

Effectiveness with which employees' duties and
control responsibilities are communicated. For
example, consider whether:

Communication vehicles (formal and informal
training sessions, meetings and on-the-job
supervision) are sufficient in effecting such
communication.

Employees know the objectives of their own
activity and how their duties contribute to
achieving those objectives.

Employees understand how their duties affect,
and are affected by, duties of other employees.

Establishment of channels of communication
for people to report suspected improprieties.
For example, consider whether:

There's a way to communicate upstream
through someone other than a direct superior,
such as an ombudsman or corporate counsel.

Anonymity is permitted.

Employees actually use the communication
channel.

Persons who report suspected improprieties are
provided feedback, and have immunity from
reprisals.

Receptivity of management to employee
suggestions of ways to enhance productivity,
quality or other similar improvements. For
example, consider whether:

Realistic mechanisms are in place for employees
to provide recommendations for improvement.

Management acknowledges good employee
suggestions by providing cash awards or other
meaningful recognition.


Adequacy of communication across the
organization (for example, between
procurement and production activities) and the
completeness and timeliness of information and
its sufficiency to enable people to discharge
their responsibilities effectively. For example,
consider whether:

Salespeople inform engineering, production
and marketing of customer needs.

Accounts receivable personnel advise the
credit approval function of slow payers.

Information on competitors' new products or
warranties reaches engineering, marketing and
sales personnel.

Openness and effectiveness of channels with
customers, suppliers and other external parties
for communicating information on changing
customer needs. For example, consider whether:

Feedback mechanisms with all pertinent parties
exist.

Suggestions, complaints and other input are
captured and communicated to relevant
internal parties.

Information is reported upstream as necessary
and follow-up action taken.

Extent to which outside parties have been made
aware of the entity's ethical standards. For
example, consider whether:

Important communications to outside parties
are delivered by management level
commensurate with the nature and importance
of the message (e.g., senior executive
periodically explains in writing the entity's
ethical standards to outside parties).

Suppliers, customers and others know the
entity's standards and expectations regarding
actions in dealing with the entity.

Such standards are reinforced in routine
dealings with outside parties.


Improprieties by employees of external parties
are reported to the appropriate personnel.

Timely and appropriate follow-up action by
management resulting from communications
received from customers, vendors, regulators or
other external parties. For example, consider
whether:

Personnel are receptive to reported problems
regarding products, services or other matters, and
such reports are investigated and acted upon.

Errors in customer billings are corrected, and
the source of the error is investigated and
corrected.

Appropriate personnel, independent of those
involved with the original transactions,
process complaints.

Appropriate actions are taken and there is follow-
up communication with the original sources.

Top management is aware of the nature and
volume of complaints.

Conclusions/Actions Needed









Component Summary: Conclusions/Actions Needed











Monitoring

Points of Focus Description/Comments
Ongoing Monitoring

Ongoing monitoring occurs in the ordinary course of
operations, and includes regular management and
supervisory activities, and other actions personnel take
in performing their duties that assess the quality of
internal control system performance.

Extent to which personnel, in carrying out their
regular activities, obtain evidence as to whether
the system of internal control continues to
function. For example, consider whether:

Operating management compares production,
inventory, sales or other information obtained in
the course of their daily activities to systems-
generated information.

Integration or reconciliation of operating
information used to manage operations with data
generated by the financial reporting system.

Operating personnel are required to sign off on
the accuracy of their unit's financial statements,
and are held responsible if errors are discovered.

Extent to which communications from external
parties corroborate internally generated
information, or indicate problems. For example,
consider whether:

Customers implicitly corroborate billing data by
paying their invoices, or customer complaints
about billings, indicating system deficiencies in
the processing of sales transactions, are
investigated for their underlying causes.

Communications from vendors and monthly
statements of accounts payable are used as a
control monitoring technique.

Suppliers' complaints of unfair practices by
purchasing agents are fully investigated.



Regulators communicate information to the entity
regarding compliance or other matters that reflect
on the functioning of the internal control system.

Controls that should have prevented or detected
the problems are reassessed.

Periodic comparison of amounts recorded by the
accounting system with physical assets. For
example, consider whether:

Inventory levels are checked when goods are
taken from inventory storage for shipment, and
differences between recorded and actual amounts
are corrected.

Securities held in trust are counted periodically
and compared with existing records.

Responsiveness to internal and external auditor
recommendations on means to strengthen
internal controls. For example, consider whether:

Executives with proper authority decide which of
the auditors' recommendations will be
implemented.

Desired actions are followed up to verify
implementation.

Extent to which training seminars, planning
sessions and other meetings provide feedback to
management on whether controls operate
effectively. For example, consider whether:

Relevant issues and questions raised at training
seminars are captured.

Employee suggestions are communicated
upstream and acted on as appropriate.

Whether personnel are asked periodically to state
whether they understand and comply with the
entity's code of conduct and regularly perform
critical control activities. For example, consider
whether:

Personnel are required periodically to acknowledge
compliance with the code of conduct.

Signatures are required to evidence performance
of critical control functions, such as reconciling
specified amounts.


Effectiveness of internal audit activities. For
example, consider whether:

There are appropriate levels of competent and
experienced staff.

Their position within the organization is appropriate.

They have access to the board of directors or
audit committee.

Their scope, responsibilities and audit plans are
appropriate to the organization's needs.

Conclusions/Actions Needed








Separate Evaluations
It is useful to take a fresh look at the internal control
system from time to time, focusing directly on system
effectiveness. The scope and frequency of separate
evaluations will depend primarily on an assessment of
risks, and ongoing monitoring procedures.

Scope and frequency of separate evaluations of
the internal control system. For example, consider
whether:

Appropriate portions of the internal control
system are evaluated.

The evaluations are conducted by personnel with
the requisite skills.

The scope, depth of coverage and frequency are
adequate.

Appropriateness of the evaluation process. For
example, consider whether:

The evaluator gains a sufficient understanding of
the entity's activities.

An understanding is obtained of how the system is
supposed to work and how it actually does work.


An analysis is made, using the evaluation results
as measured against established criteria.

Whether the methodology for evaluating a system
is logical and appropriate. For example, consider
whether:

Such methodology includes checklists,
questionnaires or other tools.

The evaluation team is brought together to plan the
evaluation process and ensure a coordinated effort.

The evaluation process is managed by an
executive with requisite authority.

Appropriateness of the level of documentation.
For example, consider whether:

Policy manuals, organization charts, operating
instructions and the like are available.

Consideration is given to documenting the
evaluation process.

Conclusions/Actions Needed







Reporting Deficiencies
Internal control deficiencies should be reported
upstream with certain matters reported to top
management and the board.

Existence of mechanism for capturing and
reporting identified internal control deficiencies.
For example, consider whether means exist for
obtaining reports on deficiencies:

From both internal sources and external sources
(e.g., customers, suppliers, auditors, regulators).

Resulting from ongoing monitoring or separate
evaluations.


Appropriateness of reporting protocols. For
example, consider whether:

Deficiencies are reported to the person directly
responsible for the activity and to a person at
least one level higher.

Specified types of deficiencies are reported to
more senior management and to the board.

Appropriateness of follow-up actions. For
example, consider whether:

The transaction or event identified is corrected.

The underlying causes of the problem are
investigated.

There is follow-up to ensure the necessary
corrective action is taken.

Conclusions/Actions Needed










Component Summary: Conclusions/Actions Needed











Risk Assessment and Control Activities Worksheet

Activity:

Risk Analysis: Objectives | O,F,C | Risk Factors | Likelihood
Actions/Control Activities/Comments | Other Objectives Affected | Evaluation and Conclusion

(Blank worksheet: one row per objective, spread across two facing pages in the original.)

Overall Internal Control System Evaluation

Internal Control Components | Preliminary Conclusions/Actions Needed (see individual evaluation tools) | Additional Considerations

Control Environment: Does management adequately convey the message that integrity cannot be
compromised? Does a positive control environment exist, whereby there is an attitude of control
consciousness throughout the organization, and a positive tone at the top? Is the competence of the
entity's people commensurate with their responsibilities? Are management's operating style, the way
it assigns authority and responsibility and organizes and develops its people appropriate? Does the
board provide the right level of attention?

Risk Assessment: Are entity-wide objectives and supporting activity-level objectives established and
linked? Are the internal and external risks that influence the success or failure of the achievement
of the objectives identified and assessed? Are mechanisms in place to identify changes affecting the
entity's ability to achieve its objectives? Are policies and procedures modified as needed?

Control Activities: Are control activities in place to ensure adherence to established policy and the
carrying out of actions to address the related risks? Are there appropriate control activities for
each of the entity's activities?

Information and Communication: Are information systems in place to identify and capture pertinent
information (financial and nonfinancial, relating to external and internal events) and bring it to
personnel in a form that enables them to carry out their responsibilities? Does communication of
relevant information take place? Is it clear with respect to expectations and responsibilities of
individuals and groups, and reporting of results? And does communication occur down, across and
upward in the entity, as well as between the entity and other parties?

Monitoring: Are appropriate procedures in place to monitor on an ongoing basis, or to periodically
evaluate the functioning of the other components of internal control? Are deficiencies reported to
the right people? Are policies and procedures modified as needed?

Overall Conclusion

Reference Manual
This Reference Manual is designed to assist an evaluator in completing the Risk Assessment
and Control Activities Worksheet (pages 42 and 43 of the Blank Tools).
The Reference Manual, starting on page 57, presents, for common business activities, illustrative
objectives, risks and points of focus for actions/control activities. The listings in this last
column may be useful in identifying actions addressing the risks, and related control activities
that help ensure the actions are carried out. This last column also includes performance indicators
that may be particularly useful in effecting control. The second, O, F, C column indicates the
category into which the objectives fall (O for operations, F for financial reporting, and
C for compliance). These categorizations are not precise, and may vary with circumstances.
The manual does not purport to list every activity-level objective, risk or point of focus. It may,
however, be helpful in identifying relevant items.
Generic Business Model
The activities covered in the Reference Manual are based on a generic model of a business
enterprise (pages 52 to 55). The generic business model depicts major activities, and is organized
in levels, from a high level view of an enterprise to increasingly more detailed views.
Exhibit 1, the context level, is the highest level. At this level, the model depicts the interactions
of an enterprise with external parties:
Vendors and candidates for employment provide resources used to bring goods and
services to market.
A number of other external parties influence the enterprise, including other sources of
consumption, public bodies, collaborators, investors and competitors.
Exhibit 2, the activity level, depicts major activities within the enterprise, comprising five basic
value chain activities, supported by four infrastructure activities. Each activity receives, performs
operations on and transmits goods, services or information. Between vendors and buyers, value
chain activities include (page references are to the location in which these activities are addressed
in the Reference Manual):
Page
Inbound Activities 57-61
Operations 62-65
Outbound Activities 66-70
Marketing and Sales 71-74
Service 75-77

Infrastructure activities, supporting the value chain activities, include:
Page
Administration (this activity is broken down into its subactivities in Exhibit 3)
Human Resources 85-88
Technology Development 83-84
Procurement 78-82
Exhibit 3 focuses on the administration activity, depicting its subactivities. These are:
Page
Manage Finance (this activity is broken down further into Control, Treasury,
Tax and Audit; the Control unit is depicted in further detail in Exhibit 4)

Manage the Enterprise 8990
Manage External Relations 91
Provide Administrative Services 92
Manage Information Technology 9398
Manage Risks (of accident or other insurable loss) 99-100
Manage Legal Affairs 101-102
Plan 103-104
Exhibit 4 depicts the various administration controllership subactivities:
Page
Process Accounts Payable 105-106
Process Accounts Receivable 107-108
Process Funds 109-114
Process Fixed Assets 115-116
Analyze and Reconcile 117
Process Benefits and Retiree Information 118-119
Process Payroll 120-122
Process Tax Compliance 123-124
Process Product Costs 125-127
Provide Financial and Management Reporting 128-129
The generic business model serves two purposes. As noted, it provides a structure for the
Reference Manual. The activities, transactions and information flows depicted in the model form
the basis for the manual.
The generic business model can also be used as a starting point for an evaluator to understand
an entity's activities and their relationships to one another and to outside parties, and the
information that is generated and used to help control those activities. When used in this way, the
generic business model should be tailored to fit the entity being evaluated. It should be modified
or augmented with additional information particular to the entity, such as systems flowcharts, to
better understand the entity's activities and information flows. This understanding can, in turn,
facilitate an analysis of the risks associated with each activity, and can help to identify points in
the system where control should be effected. Those risks, and the entity's related control
activities, can be used to help management complete the Risk Assessment and Control
Activities Worksheet.


Exhibit 1: Generic Business Model, Context Level (figure; labels recovered from the original diagram)
External parties: Other Sources of Consumption; Public Bodies & Other Parties; Collaborators; Shareholders, Investors & Financial Institutions; Competitors; Candidates; Vendors; Buyers & Distributors.
Center: Run an Enterprise.
Flows: Revenue Opportunities & Threats; Compliance & Persuasion; Shared Ventures; Reports; Market Threats & Opportunities; Funds; Staffing Needs; Skills & Experience; Available Technology; Capabilities; Specifications; Purchase Orders; Purchased Goods & Services; Requests for Goods & Services; Shipped Product; Service.

Exhibit 2: Generic Business Model, Activity Level (figure)
External parties: Other Sources of Consumption; Public Bodies & Other Parties; Collaborators; Shareholders, Investors & Financial Institutions; Competitors; Candidates; Vendors; Buyers & Distributors.
Value chain activities: Inbound Activities; Operations; Outbound Activities; Marketing & Sales; Service.
Infrastructure activities: Administration (Planning & Monitoring & Administrative Services); Human Resources; Technology Development; Procurement.
Flows: Shared Ventures; Reports; Funds; Market Threats & Opportunities; Staffing Needs; Skills & Experience; Technology Information, & Methods; Procedures; Specifications; Available Technology; Capabilities; Purchase Orders; Revenue Opportunities & Threats; Compliance & Persuasion; Purchased Goods & Services; Requisitioned Goods; Product; Order Information; Service; Shipped Product; Requests for Goods & Services.
Source: Competitive Advantage, M.E. Porter; and C&L interpretation.

Exhibit 3: Generic Business Model, Administration Activities (figure)
External parties: Buyers & Distributors; Vendors; Shareholders, Investors & Financial Institutions; Public Bodies & Other Bodies; Other Sources of Consumption; Collaborators.
Subactivities: Manage Finance (Control, Treasury, Tax & Audit) 1.1; Manage the Enterprise 1.2; Manage External Relations 1.3; Provide Administrative Services 1.4; Manage Information Technology 1.5; Manage Risks 1.6; Manage Legal Affairs 1.7; Plan 1.8.
Flows: Policies & Procedures; Plans & Reports; Funds; Policy Compliance & Persuasion; Administrative Services; Revenue Opportunities & Threats; Shared Ventures; Control Information; Transaction.
NOTE: Numbers depict other portions of the business model not illustrated.

Exhibit 4: Generic Business Model, Administration Activities (figure; controllership subactivities)
External parties: Vendors**; Buyers & Distributors; Shareholders, Investors & Financial Institutions.
Subactivities: Process Accounts Payable 1.1.1.2.1; Process Accounts Receivable 1.1.1.2.2; Process Funds 1.1.1.2.3; Process Fixed Assets 1.1.1.2.4; Analyze & Reconcile 1.1.1.2.5; Process Benefits & Retiree Information 1.1.1.2.6; Process Payroll 1.1.1.2.7; Process Tax Compliance 1.1.1.2.8; Process Product Costs 1.1.1.2.9; Provide Financial & Management Reporting 1.1.1.2.10.
.
2

6

7

*
N
o
t

s
h
o
w
n
:

i
n
t
e
r
n
a
l

s
u
p
p
o
r
t
i
n
g

d
o
c
u
m
e
n
t
s
.

*
*
I
n
c
l
u
d
e
s

p
a
y
m
e
n
t
s

t
o

e
m
p
l
o
y
e
e
s

a
n
d

r
e
t
i
r
e
e
s
,

a
n
d

t
o

t
a
x

a
u
t
h
o
r
i
t
i
e
s
.

N
O
T
E
:


N
u
m
b
e
r
s

d
e
p
i
c
t

o
t
h
e
r

p
o
r
t
i
o
n
s

o
f

t
h
e

b
u
s
i
n
e
s
s

m
o
d
e
l

n
o
t

i
l
l
u
s
t
r
a
t
e
d
.

D
i
s
b
u
r
s
e
m
e
n
t
s

V
e
n
d
o
r

I
n
v
o
i
c
e
s

P
u
r
c
h
a
s
e



O
r
d
e
r
s

R
e
c
e
i
p
t
s

S
h
i
p
m
e
n
t
s

S
a
l
e
s

&

P
a
y
m
e
n
t
s

F
u
n
d
s

T
r
a
n
s
a
c
t
i
o
n
s

T
r
a
n
s
f
e
r
s
,

A
c
q
u
i
s
i
t
i
o
n
s

&

D
i
s
p
o
s
i
t
i
o
n
s
*

R
e
p
o
r
t
s
,

&

E
n
t
r
i
e
s

S
t
a
t
e
m
e
n
t
s

I
n
v
o
i
c
e
s

P
a
y
m
e
n
t
s

F
u
n
d
s

(

&

D
i
v
i
d
e
n
d
s
)

A
c
c
o
u
n
t
s

P
a
y
a
b
l
e

B
e
n
e
f
i
t

E
n
t
r
i
e
s

G
e
n
e
r
a
l




L
e
d
g
e
r

T
r
i
a
l

B
a
l
a
n
c
e

T
a
x

E
n
t
r
i
e
s

S
t
a
n
d
a
r
d

C
o
s
t

I
n
f
o
r
m
a
t
i
o
n

P
a
y
r
o
l
l

E
n
t
r
i
e
s

R
e
p
o
r
t
s

O
p
e
r
a
t
i
o
n
s

A
c
t
i
v
i
t
y

B
e
n
e
f
i
t

D
o
c
u
m
e
n
t
s

P
a
y
r
o
l
l

D
o
c
u
m
e
n
t
s

T
a
x

C
o
m
p
l
i
a
n
c
e

I
n
f
o
r
m
a
t
i
o
n

T
e
c
h
n
o
l
o
g
y

I
n
f
o
r
m
a
t
i
o
n

&

M
e
t
h
o
d
s

&

P
r
o
c
e
d
u
r
e
s


57
Reference Manual

Activity: INBOUND

Columns: Objectives | O,F,C | Risks | Points of Focus for Actions/Control Activities

Manage Logistics

1. Ensure that materials received and related information are processed and promptly made available to production, stores or other departments (O,F)
   Risk: Plans and schedules are not communicated to inbound activities, or do not clearly identify when or where materials are needed
     - Specify on plans and schedules what materials are needed, and when they are needed
     - Communicate all plans and schedules to inbound activities
     - Summarize material requirements and submit them to receiving periodically
     - Maintain material routing procedures for received items
     - Provide inbound activities with nonroutine material routing instructions
     - Monitor production problems related to unavailable materials and parts (performance indicator)
     - Consider implementing Just-in-Time or a similar inventory and production management philosophy
   Risk: Information on materials received is not entered into the information system accurately or on a timely basis
     - Maintain procedures for promptly updating inventory records
     - Match dates on receiving information and inventory information and follow up as appropriate
     - Periodically verify that pre-numbered receiving documents have been entered in the information system

2. Ensure purchase orders not filled on a timely basis are investigated (O)
   Risk: Purchase orders are lost or not forwarded to inbound activities
     - Purchase orders are prenumbered and missing documents are investigated
   Risk: Due date information is not available
     - Maintain open purchase order information in a manner that facilitates identification of purchase orders remaining unfilled past the due date

3. Completely and accurately document goods received and goods returned (O,F)
   Risk: Lost receiving reports or lost shipping records
     - Prenumber documents and investigate missing documents

Receive

4. Accept only items that were properly ordered (O)
   Risk: Purchase order information is not made available to inbound activities
     - Compare materials received, including verification of quantities received, to properly approved purchase orders. Do not accept materials not properly ordered
     - Monitor instances of invoices presented for payment when materials were accepted without a valid purchase order (performance indicator)

5. Accept only materials that meet purchase order specifications (O)
   Risk: Purchase order specifications are unclear
     - Maintain current lists of specifications to be used in inspecting and testing goods
     - Verify specifications with purchasing or other appropriate personnel
     - Monitor production problems related to substandard materials (performance indicator)
   Risk: Materials are not tested for specification compliance
     - Establish testing procedures, as appropriate, for all materials ordered
     - Monitor production problems related to substandard materials and parts (performance indicator)

6. Ensure that all materials transferred from the receiving activity to other activities are recorded (O,F)
   Risk: Transfer procedures do not require preparation of supporting documentation
     - Require appropriate documentation of materials transferred from receiving to other business activities
   Risk: Transfer documentation may be lost
     - Prenumber documents and investigate missing documents
     - Periodically count materials on hand and reconcile with perpetual records; investigate any differences (performance indicator)

7. Safeguard goods received (O,F)
   Risk: Inadequate physical security over goods received
     - Maintain physical security over goods received
     - Segregate custodial and record-keeping functions

8. Ensure that vendor, inventory and purchase order information is accurately updated to reflect receipts (O,F)
   Risk: Receiving information may be lost
     - Prenumber receiving documents and investigate missing documents
     - Periodically identify and investigate open purchase orders
     - Periodically count inventory and reconcile with perpetual inventory records; investigate differences (performance indicator)
   Risk: Receiving information may be entered inaccurately in the information system, or may not be timely
     - Periodically verify accuracy of vendor, inventory and open purchase order information
     - Periodically ensure information is being entered into the information system on a timely basis

9. Return rejected items promptly (O)
   Risk: Inadequate or untimely inspection of items received
     - Maintain appropriate procedures for inspecting items received

10. Completely and accurately document all transfers to and from storage (O,F)
   Risk: Incomplete or inaccurate information regarding materials transferred to/from storage
     - Transfer documentation accompanies all transfers; stores or other activities personnel verify materials and quantities received
   Risk: Transfer documents may be lost
     - Prenumber transfer documents and investigate missing documents
     - Periodically count materials and reconcile with perpetual records. Investigate differences (performance indicator)

11. Appropriately requisition all goods to be transferred to operations (O,F)
   Risk: Inadequate transfer or requisition procedures
     - Transfer materials only on the basis of a properly approved requisition

12. Properly transfer all materials requisitioned (O,F,C)
   Risk: Requisitions may be lost
     - Prenumber requisitions and investigate missing documents
   Risk: Materials not requisitioned are transferred
     - Verify that material received complies with approved requisition

13. Maintain safe working conditions and storage of hazardous materials (C)
   Risk: Inadequate safety considerations
     - Maintain relevant policies consistent with Occupational Safety and Health Administration (OSHA) and other pertinent laws and regulations, approved by technical and legal personnel, and monitor compliance
     - Follow up on reported safety concerns
     - Maintain appropriate procedures for handling and storing hazardous materials

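Several of the INBOUND control activities above (prenumbering receiving documents and investigating gaps, accepting only items covered by an approved purchase order with quantities verified, and identifying open purchase orders past their due date) are mechanical enough to run as automated checks over the receiving and purchasing records. The block below is an added example written for this page; it is not code from COSO or from the Evaluation Tools, and the vendors, items, document numbers and dates are constructed sample data.

```python
"""Added example (not COSO's code): the INBOUND receiving controls above
expressed as checks over constructed purchase-order and receipt records."""
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class PurchaseOrder:
    number: int          # prenumbered purchase order
    vendor: str
    item: str
    qty_ordered: int
    due: date
    approved: bool       # properly approved before goods may be accepted


@dataclass(frozen=True)
class Receipt:
    doc_number: int             # prenumbered receiving document
    po_number: Optional[int]    # None when goods arrive with no PO reference
    item: str
    qty_received: int
    received_on: date


# Constructed sample data (hypothetical vendors, items, numbers and dates).
ORDERS = [
    PurchaseOrder(1001, "Acme Steel", "steel-coil", 40, date(2024, 3, 1), True),
    PurchaseOrder(1002, "Acme Steel", "rivets", 5000, date(2024, 3, 5), True),
    PurchaseOrder(1003, "Delta Plastics", "resin-kg", 200, date(2024, 2, 20), True),
    PurchaseOrder(1004, "Delta Plastics", "resin-kg", 100, date(2024, 3, 15), False),
]
RECEIPTS = [
    Receipt(7001, 1001, "steel-coil", 40, date(2024, 2, 28)),   # clean match
    Receipt(7002, 1002, "rivets", 6000, date(2024, 3, 2)),      # more than ordered
    Receipt(7003, None, "lubricant", 12, date(2024, 3, 2)),     # no purchase order
    Receipt(7005, 1004, "resin-kg", 100, date(2024, 3, 3)),     # PO never approved
    # receiving document 7004 was never entered: a gap to investigate
]
AS_OF = date(2024, 3, 10)


def missing_document_numbers(numbers, first, last):
    """Objectives 3 and 8: prenumber receiving documents and investigate
    missing ones. Returns the numbers in [first, last] that were never entered."""
    seen = set(numbers)
    return [n for n in range(first, last + 1) if n not in seen]


def match_receipts_to_orders(receipts, orders):
    """Objective 4: accept only items that were properly ordered, verifying
    quantities against the approved purchase order. Returns the accepted
    receiving document numbers and an exception list for follow-up."""
    by_number = {po.number: po for po in orders}
    accepted, exceptions = [], []
    for r in receipts:
        po = by_number.get(r.po_number)   # None for receipts with no PO reference
        if po is None:
            exceptions.append((r.doc_number, "no valid purchase order"))
        elif not po.approved:
            exceptions.append((r.doc_number, "purchase order not approved"))
        elif r.item != po.item:
            exceptions.append((r.doc_number, "item differs from purchase order"))
        elif r.qty_received > po.qty_ordered:
            exceptions.append((r.doc_number,
                               f"over-receipt: {r.qty_received} > {po.qty_ordered}"))
        else:
            accepted.append(r.doc_number)
    return accepted, exceptions


def open_orders_past_due(orders, receipts, as_of):
    """Objective 2: keep open-PO information in a form that identifies orders
    still unfilled past their due date. Only accepted receipts count as fill."""
    accepted, _ = match_receipts_to_orders(receipts, orders)
    accepted_docs = set(accepted)
    filled = {}
    for r in receipts:
        if r.doc_number in accepted_docs:
            filled[r.po_number] = filled.get(r.po_number, 0) + r.qty_received
    return [po.number for po in orders
            if filled.get(po.number, 0) < po.qty_ordered and po.due < as_of]


def run_inbound_checks(receipts=RECEIPTS, orders=ORDERS, as_of=AS_OF):
    """Run all three checks and return one report for the control owner."""
    doc_numbers = [r.doc_number for r in receipts]
    accepted, exceptions = match_receipts_to_orders(receipts, orders)
    return {
        "missing_receiving_documents":
            missing_document_numbers(doc_numbers, min(doc_numbers), max(doc_numbers)),
        "accepted_receipts": accepted,
        "receipt_exceptions": exceptions,
        "open_orders_past_due": open_orders_past_due(orders, receipts, as_of),
    }


if __name__ == "__main__":
    for key, value in run_inbound_checks().items():
        print(f"{key}: {value}")
```

Each exception is an item for investigation rather than an automatic rejection decision: the receiving document number is retained so the follow-up can be traced back to the physical record, which is the point of prenumbering. The over-receipt case is reported even though the goods have physically arrived, matching the manual's performance indicator of invoices presented for items accepted without a valid order.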
Activity: OPERATIONS

Columns: Objectives | O,F,C | Risks | Points of Focus for Actions/Control Activities

Manage and Schedule Operations

1. Schedule operations to minimize inventory and to ensure sufficient availability of completed products in a timely manner (O)
   Risk: Poor communication with marketing regarding sales forecasts
     - Use standard documents to prepare and communicate sales forecasts
     - Ensure that production personnel receive all sales forecasts
     - Compare production schedules to sales forecasts to ensure scheduled timing and production quantities are appropriate
   Risk: Several products compete for concurrent production
     - Determine production priorities based on established criteria or management judgment
     - Evaluate adequacy of production capacity
     - Approve all production schedules
   Risk: Insufficient or excess raw materials due to poor communication with procurement, or inaccurate or untimely material requirement forecasts
     - Use formalized communication channels to inform procurement of material requirements, including quantities and dates materials are required
     - Compare material requirement forecasts with production schedule and product bills of materials; consider effect of lead times required to obtain materials
     - Establish and adhere to accurate and realistic production schedules
     - Consider the costs/benefits of establishing a Just-in-Time system, or similar production and inventory management philosophy
     - Monitor instances of insufficient or excessive raw materials inventory (performance indicator)

2. Minimize production downtime (O)
   Risk: Poorly maintained, misused or obsolete equipment
     - Maintain equipment in accordance with an established preventative maintenance program
     - Periodically evaluate production equipment in light of repairs and maintenance cost, capacity, breakdowns, obsolescence and other factors. Consider the costs/benefits of acquiring new equipment
     - Train employees in the proper use of equipment
     - Monitor instances of production downtime due to equipment failure (performance indicator)
   Risk: Inadequate skilled labor
     - Train existing employees to perform various tasks
   Risk: Natural or other disasters
     - Maintain and update contingency and natural disaster plans
     - Periodically test such plans

Perform Operations

3. Produce product in appropriate quantities and in accordance with specifications and production schedules (O)
   Risk: Quantities to be produced are not communicated clearly
     - Use standardized documents to prepare and communicate production plans and directives
   Risk: Inappropriate or unclear specifications
     - Use standardized documents to communicate product specifications
   Risk: Excessive work steps/operations
     - Consider methods to simplify production, such as implementation of Just-in-Time principles

4. Comply with Occupational Safety and Health Administration (OSHA) laws and regulations (O,C)
   Risk: Pressure to meet production deadlines
     - Upper management supports, in statements and actions, safety considerations
     - Enforce disciplinary action on employees who violate safety procedures
     - Monitor safety violations (performance indicator)
   Risk: Lack of awareness of laws and regulations
     - Conduct periodic training sessions
     - Post laws, regulations and company policy in conspicuous locations

Assure Quality

5. Product is produced in accordance with quality control standards (O)
   Risk: Production processes do not include procedures designed to ensure quality production
     - Integrate quality assurance procedures into production processes
     - Standardize production processes to the extent practicable
   Risk: Product is difficult to produce
     - Design product with appropriate consideration given to potential production difficulties
   Risk: Inadequate product testing
     - Test sufficient quantities of each production run to ensure compliance with quality control standards
     - Monitor defect rates (performance indicator)
   Risk: Quality problems are not discovered or appropriately reported during the production process
     - Test products using personnel independent of production processes
     - Monitor customer quality-related returns and complaints (performance indicator)

Activity: OUTBOUND

Columns: Objectives | O,F,C | Risks | Points of Focus for Actions/Control Activities

Process Orders

1. Process orders only for customers who are authorized for credit (O)
   Risk: Incomplete, untimely or inaccurate credit information
     - Credit authorization systems that provide accurate and timely customer information regarding approved credit limits, current balances due, age of receivable balance and other pertinent information

2. Process orders accurately and expeditiously (O)
   Risk: Inaccurate or untimely pricing and inventory information
     - Use current pricing and inventory information
   Risk: Untimely processing of order information
     - Prenumber order forms and periodically follow up on those not processed in a reasonable time frame
   Risk: Customer order information may be unclear, inaccurate or incomplete
     - Verify customer order information with appropriate marketing/sales personnel; contact customer if necessary

3. Process only valid customer orders (O,F)
   Risk: Customer orders may not be authorized
     - Verify appropriate marketing/sales personnel approved customer order

4. Process all approved orders (O)
   Risk: Order documentation is lost
     - Prenumber order forms; investigate missing documents

Store Product

5. Protect products from damage (O)
   Risk: Employee carelessness
     - Monitor damage caused by employee carelessness (performance indicator)
   Risk: Handling and storage procedures, including storage containers, facilities and maintenance, are inappropriate for the nature of the products
     - Store products in containers and facilities designed with consideration for product features and legal and regulatory requirements
     - Create appropriate maintenance procedures and schedules for the nature of the storage facility
   Risk: Employees are not familiar with handling and storage requirements or procedures
     - Communicate handling and storage policies and procedures clearly to stores employees
     - Monitor compliance with handling and storage policies and procedures (performance indicator)

6. Store products to facilitate timely order processing (O)
   Risk: Improper organization of storage facility
     - Design and maintain efficient warehouse layout to facilitate order fulfillment
   Risk: Insufficient storage capacity
     - Minimize product inventory while enabling timely order fulfillment
     - Identify the appropriate number and location of warehouses

7. Materials are handled and stored in compliance with applicable laws and regulations (C)
   Risk: Employees may not be aware of applicable laws and regulations
     - Legal counsel, or other qualified personnel, provide information regarding applicable laws and regulations
     - Periodic training regarding legal and regulatory requirements
   Risk: Inappropriate handling and storage policies and procedures
     - Review of handling and storage procedures by legal counsel or other qualified personnel
     - Monitor accidents or problems due to inappropriate handling or storage policies or procedures (performance indicator)

8. Maintain complete and accurate records of product stored and available for shipment (O,F)
   Risk: Product moved into or out of storage may not be documented or recorded
     - Product transfer documents are required for movements of product into or out of storage. Such documents are prenumbered, and missing documents are investigated
   Risk: Product may be moved into or out of storage without proper authorization
     - Physical security measures to prevent unauthorized addition to or removal of product from storage
     - Periodically count product in storage and reconcile to perpetual records. Investigate differences between physical count and accounting records

Ship Product

9. Obtain proper products and quantities from storage (O)
   Risk: Improper products or improper quantities are retrieved from storage
     - Compare products and quantities retrieved from storage with the customer order and/or product requisition
   Risk: Product is unavailable in sufficient quantity
     - Maintain perpetual product inventory records. Notify operations or other appropriate personnel when inventory drops below a predetermined level

10. Ensure product is packed properly to minimize damage (O)
   Risk: Packing materials, containers or procedures are inappropriate for the nature of the product or method of shipment
     - Use packing materials, containers or procedures that were designed giving consideration to the nature of the product and method of shipment

11. Ship only those products that are authorized for shipment (O)
   Risk: Incomplete or inaccurate information from order processing
     - Compare documents authorizing product shipment with customer order
   Risk: Unordered or unauthorized products are included in customer shipment
     - Compare products to customer order prior to shipment
     - Monitor customer returns or billing disputes relating to products delivered but not ordered (performance indicator)

12. Deliver products in the most efficient manner (O)
   Risk: Disruption of normal shipping channels
     - Identify alternative shipping arrangements
   Risk: Inaccurate or incomplete shipping documents
     - Review shipping documents for completeness and compare to customer order for accuracy before shipment
   Risk: Use of inefficient shipping methods
     - Periodically review shipping alternatives and identify the most efficient alternative

13. All shipments are accurately documented, and such documentation is forwarded to accounts receivable on a timely basis (O,F)
   Risk: Incorrect information is entered on shipping documentation
     - Compare shipping document information with customer order information before shipment
     - Independent verification of shipping document information before shipment
   Risk: Shipping documents are lost
     - Prenumber shipping documents and investigate missing documents

14. Ensure timely shipment of customer order (O)
   Risk: Order or shipping documentation may be lost
     - Prenumber order and shipping documents; investigate missing documents

Activity: MARKETING AND SALES

Columns: Objectives | O,F,C | Risks | Points of Focus for Actions/Control Activities

Manage Marketing Activities

1. Design marketing strategies giving consideration to competitive, regulatory, business environment or other factors that may influence the entity's marketing activities, and potential changes in those factors (O,C)
   Risk: Inadequate information regarding factors that may influence the entity's marketing strategy
     - Retain marketing personnel experienced in the entity's industry
     - Promote active membership in industry, trade or professional associations
     - Monitor legal and regulatory initiatives that may affect the entity
     - Conduct market research, and monitor and analyze economic, customer and industry trends

2. Identify potential and existing customers, and develop marketing strategies to influence those parties to purchase the entity's products or services (O)
   Risk: Inaccurate, untimely or unavailable information regarding pricing, products, actual or potential customers, advertising and promotion
     - Conduct market research
     - Evaluate pricing strategies vis-a-vis competitors' products and pricing
     - Evaluate the effectiveness of advertising and promotion (performance indicator)
     - Communication of product capabilities, enhancements or new products from technology development personnel
   Risk: Limited number of appropriate distributors
     - Identify and evaluate alternative distribution arrangements

3. Maintain delivery capabilities for delivery of products to customers on a timely basis at the least distribution cost (O)
   Risk: Poor performance of distributors
     - Communicate appropriate customer information to distributors to ensure timely delivery
     - Monitor distributors' performance in the context of the entity's overall marketing strategy

4. Address market needs for product, including introduction of new products, and continuance, changes to or discontinuance of existing products (O)
   Risk: Lack of or inaccurate information regarding competitive products or potential new products
     - Conduct market research, including existence of competitive products, products under development and customer preferences
     - Promote active membership in industry, trade or professional associations
   Risk: Products become obsolete
     - Conduct market research, focusing on competitors' technical innovations and customers' acceptance of or preference for such innovations
   Risk: Lack of product demand
     - Monitor the trend of product sales by the entity and the industry
     - Evaluate advertising and promotion effectiveness
     - Conduct market research
   Risk: Lack of information regarding profit margins and/or sales prices
     - Communicate information needs to accounting, management information systems and other appropriate personnel
     - Monitor profit margins and sales prices for signs of competitive price pressures

Manage Sales Activities

5. Implement marketing strategies effectively (O)
   Risk: Sales personnel are unaware of marketing strategies
     - Communicate marketing strategies to sales personnel
   Risk: Sales personnel disregard marketing strategies
     - Establish sales quotas, commissions and other compensation, or other performance criteria in such a manner that failure to implement marketing strategies results in substandard performance evaluations and compensation, and positive implementation of strategies results in increased compensation and recognition

6. Meet or exceed sales targets in an efficient manner (O)
   Risk: Sales personnel are unaware of potential customers
     - Communication of market research results from marketing to sales personnel
   Risk: Salespeople lack knowledge about product features or benefits
     - Provide product awareness training
     - Retain qualified and experienced sales staff
   Risk: Incomplete or inaccurate customer information
     - Maintain customer information system, including name, address, phone number, contact, size, locations, history of previous orders, plans to expand or change the business, or other information that could be useful in marketing the entity's products or services
     - Periodically verify the accuracy of customer information
   Risk: Salespeople perform poorly
     - Retain qualified and experienced salespeople
     - Organize salesforce and align territories in most efficient manner

7. Forward all sales orders to outbound activities and service in a timely manner (O)
   Risk: Sales orders are lost
     - Prenumber sales orders and investigate missing documents

Activity: SERVICE

Columns: Objectives | O,F,C | Risks | Points of Focus for Actions/Control Activities

Provide Customer Service

1. Handle customer inquiries expeditiously and efficiently (O)
   Risk: Inadequate information systems
     - Maintain accurate and timely product and customer information
   Risk: Untrained staff
     - Provide staff with initial and periodic product and customer service training
     - Customer service representatives present favorable image to customers and are knowledgeable about products
   Risk: Poor organization of customer service department
     - Organize customer service department in most efficient manner (e.g., along product lines, geographical lines, etc.)

2. Satisfy customer service needs so as to further sales and marketing objectives (O)
   Risk: Lack of awareness of sales and marketing objectives
     - Customer service representatives understand the objectives common to marketing, sales and customer service

Install

3. Make authorized installations correctly, efficiently and on a timely basis (O)
   Risk: Untrained staff
     - Provide installers with initial and periodic training regarding installation techniques and product features
     - Monitor customer complaints regarding product installation (performance indicator)
   Risk: Product unavailability
     - Coordinate scheduled installations with operations' production schedule and shipping's delivery schedule
   Risk: Inaccurate or unavailable customer information
     - Compare installation authorization documents with customer orders to verify information accuracy and review such documents for completeness
     - Prenumber installation authorization documents and investigate missing documents
   Risk: Unavailability of service personnel
     - Schedule installations and staff utilization to minimize costs

Provide Warranty Service

4. Warranty policies are consistent with marketing and financial strategies (O)
   Risk: Inaccurate market information
     - Make certain that market information developed by marketing is considered when establishing warranties
   Risk: Insufficient staff
     - Forecast staffing level requirements
     - Monitor adequacy of staffing, overtime, workloads

5. Investigate and respond to requests for service on a timely basis and in accordance with warranties (O)
   Risk: Uncommunicated changes in warranty policies
     - Communicate changes in product warranty policies to appropriate personnel

Provide Post-Warranty Service

6. Customer service representatives use up-to-date pricing and other product information (O)
   Risk: Unavailable or inaccurate information
     - Update pricing information on order processing systems on a daily basis
     - Provide customer representatives access to order processing systems

7. Investigate and respond to requests for services in the most efficient manner and on a timely basis (O)
   Risk: Insufficient number of customer service representatives or service personnel
     - Maintain proper staffing levels and organize the customer service department in the most efficient manner
   Risk: Improperly trained service personnel
     - Properly train staff

Activity: PROCUREMENT

Columns: Objectives | O,F,C | Risks | Points of Focus for Actions/Control Activities

Select Vendor

1. Identify and purchase from vendors capable of meeting the entity's needs (O)
   Risk: Inadequate vendor screening, including periodic requalification of existing vendors, relating to vendors' abilities to meet: technical specifications; quantity requirements; price; delivery dates/lead time; service
     - Investigate and periodically update vendor capabilities regarding production quality and capacity, price (including volume or cash discounts and payment terms), order lead-time requirements, current and former customer satisfaction, financial condition, management stability, possible legal restrictions on providing the materials required and pending litigation
     - Periodically update vendor information based on vendor performance in meeting terms and specifications of contracts or purchase orders (e.g., timely delivery of acceptable items, correction of errors or problems, and service)
     - Appropriate review of purchase orders
     - Monitor production problems related to out-of-stock materials and to material specifications (performance indicator)
     - Monitor frequency of returned purchases (performance indicator)
     - Develop data on alternative vendors and periodically reevaluate vendor selection decisions
     - Specify procedures for notification by vendors of potential performance problems and for appropriate investigation and follow-through

2. Purchase items only from legally qualified vendors and in conformity with applicable laws, regulations and contracts (O,C)
   Risk: Unavailable or inaccurate information about fraudulent acts or other improper activities of vendors
     - Maintain updated vendor information
     - Review and approve purchase orders
     - Institute and monitor code of conduct
     - Consider ways to simplify vendor investigation procedures

3. Ensure adequate supply of materials (O)
   Risk: Poor communication of operations' or other activities' needs
     - Timely communication to procurement of operations' or other activities' needs
   Risk: Vendors' inability to provide needed quantities due to other higher-priority orders or an interruption in their own supplies
     - Utilize forward contracts
     - Identify alternate vendors
     - Utilize long-term needs analysis

Purchase

4. Order items that meet appropriate specifications (O)
   Risk: Inappropriate production specifications
     - Review existing and revised specifications by technical personnel
     - Monitor and analyze production problems related to material specifications (performance indicator); examples of performance indicators include comparing current-period data on production stoppages and slow-downs, rush orders, spoilage, and material price and quantity variances to prior-period data, peer or industry data, budgets, or other pre-established goals
     - Communicate production specifications to procurement personnel
     - Appropriate review and approval of contracts and purchase orders

5. Pay appropriate prices (O)
   Risk: Out-of-date or incomplete price information
     - Obtain competitive bids for each acquisition periodically
     - Consider volume purchases by determining total usage of similar materials; combine orders to obtain volume discount
     - Appropriate review of purchase orders
     - Monitor material price variances (performance indicator)
     - Use hedging or forward contracts

6. Order appropriate quantities at appropriate times (O)
   Risk: Unavailable or inaccurate information on inventory levels or production needs
     - Maintain accurate perpetual inventory records
     - Match periodic production schedules to inventory information and order lead-time requirements
     - Appropriate review of purchase orders
     - Use forecasts
     - Consider implementing Just-in-Time or a similar inventory and production management philosophy
   Risk: Information on issued purchase orders is not clearly or completely communicated
     - Route copies of purchase orders to appropriate personnel

7. Update vendor information completely and accurately to reflect open purchase orders (O)
   Risk: Purchase orders are not entered into the system on a timely basis
     - Prenumber purchase orders and periodically verify their entry into the system. Investigate unusual time delays in entering data

8. Receive items ordered on a timely basis (see also objective no. 2 of Inbound activities) (O)
   Risk: Unavailable or inaccurate information on items ordered but not received
     - Specify shipment mode and delivery date on purchase orders
     - Prenumber and account for purchase orders
     - Match receiving information with purchase order information and promptly follow through on outstanding orders
     - Monitor vendor performance in terms of timely delivery; follow up in cases of poorly performing vendors

9. Record authorized purchase orders completely and accurately (O,F)
   Risk: Purchase orders may be lost
     - Prenumber and account for purchase orders

10. Prevent unauthorized use of purchase orders (O,F)
   Risk: Inadequate policies and procedures to prevent unauthorized use
     - Prenumber and account for purchase orders
     - Maintain physical security of purchase orders
     - Approve purchase orders
     - Notify vendors of company personnel purchase orders

Activity: TECHNOLOGY DEVELOPMENT

1. Identify existing technology or develop new technology to satisfy product needs as identified by marketing, or operating or management process needs as identified by other activities (O)
   Risk: Product or process needs are not effectively communicated to Technology Development
     - Clear communication of needs and opportunities to Technology Development
     - Identify needs by appropriate activities
   Risk: Technology Development personnel do not have the technical ability to identify or develop appropriate technology
     - Retain personnel who are adequately qualified to fulfill their responsibilities

2. Maintain a high level of knowledge regarding current technological developments that may affect the entity (O,C)
   Risk: Management does not have access to information relating to current technological developments
     - Monitor business, technical and industry literature
     - Attend technical seminars, conferences, trade meetings, expositions and similar meetings
     - Periodically summarize technological developments and distribute to appropriate personnel
   Risk: Technology Development personnel may acquire or have knowledge that would be useful in a development program other than that with which they are associated
     - Regularly communicate information, including nature of the program, status, manager, anticipated use of technology and any other pertinent information regarding ongoing or planned research or development programs

3. Ensure that developed technology does not violate existing patents (C)
   Risk: Technology may not be adequately defined
     - Detailed technology specifications, plans, drawings, schematics or other technical data are created, to the extent possible, in the concept or early stages of development, and are modified as necessary throughout the project
   Risk: Relevant patents may not be identified
     - Communicate technical data to legal counsel for use when conducting patent searches
   Risk: Existing patents may be disregarded
     - Appropriate management review and approval of all technology projects

4. Commit resources to those projects anticipated to have the greatest expected return for the entity (O)
   Risk: Technology development projects do not support entity-wide objectives or strategies
     - Appropriate technology project review and approval
   Risk: Technology development management is unaware of project priorities
     - Clear and complete communication from management regarding priorities

Activity: HUMAN RESOURCES

Manage Human Resource Programs

1. Comply with applicable laws, regulations and company policies (C)
   Risk: Management or supervisory personnel are unaware of legal and regulatory requirements and company policies
     - Require supervisory and management personnel to attend training on labor laws and regulations and company personnel policies
   Risk: Management or supervisory personnel ignore legal and regulatory requirements or company policies
     - Periodic review of policies and procedures by legal counsel for compliance with applicable legal and regulatory requirements
     - Encourage personnel to report suspected violations of laws, regulations or company policies
     - Take appropriate disciplinary actions for violations of legal or regulatory requirements

2. Maintain records that demonstrate compliance with applicable laws and regulations (C)
   Risk: Human resource personnel are unaware of the records that must be retained to demonstrate compliance with applicable laws and regulations
     - Human resource personnel are subject to periodic training regarding legal and regulatory requirements
     - Human resource personnel have appropriate training and experience prior to being hired
   Risk: Records are lost or prematurely destroyed
     - File and retain human resource records in accordance with laws, regulations and good business practice
     - Logs, checklists or other appropriate tools are used to ensure appropriate records are received and retained
     - Access to human resource records is restricted to authorized personnel
     - Review and approve all files selected for disposition
   Risk: Inaccurate or incomplete information is acquired and retained
     - Review validity, accuracy and completeness of information received and retained in the form of records
   Risk: Record-keeping requirements are disregarded
     - Take appropriate disciplinary or other action when legal or regulatory requirements or company policies are disregarded

3. Maintain confidentiality of human resource information (O,C)
   Risk: Human resource records are not subject to proper security procedures
     - Restrict access to human resource records to authorized personnel
     - Require proper security codes to gain access to confidential records maintained on electronic media; change such access codes frequently
     - Monitor personnel accessing human resource records
   Risk: Human resource personnel divulge confidential information
     - Subject individuals who provide confidential information to unauthorized persons to disciplinary actions
     - Restrict access to confidential information to those persons who need such information to discharge their responsibilities
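The control "Monitor personnel accessing human resource records" needs something to run over the access log. The following is an added example, not part of the COSO document: it reads a constructed access log (the log format, user names, roles and thresholds are all hypothetical) and flags reads by unknown principals, reads of a record class the reader's role does not need (the need-to-know restriction above), reads outside working hours, and bulk reads by one user in a day. One caveat on "change such access codes frequently": current guidance (NIST SP 800-63B) favors changing a credential when there is evidence of compromise rather than on a fixed schedule, so monitoring of the kind shown here does more work than the rotation interval.

```python
"""Added example: review an access log for confidential HR records against
a need-to-know table. Roles, users, thresholds and the log format are
hypothetical; the log lines are constructed for the demonstration."""
from collections import defaultdict
from datetime import datetime

# Which record classes each role needs to discharge its responsibilities.
ROLE_ACCESS = {
    "hr_admin": {"personnel", "payroll", "medical"},
    "payroll_clerk": {"payroll"},
    "line_manager": {"personnel"},
}
USER_ROLE = {"alice": "hr_admin", "bob": "payroll_clerk", "carol": "line_manager"}
WORK_HOURS = range(7, 20)   # 07:00-19:59 local; set to the entity's schedule
BULK_THRESHOLD = 3          # distinct records per user per day before it is a bulk read

# Constructed log: ISO timestamp, user, action, record class, record id.
SAMPLE_LOG = """\
2024-03-04T09:12:03 alice READ personnel E1001
2024-03-04T09:15:40 bob READ payroll E1001
2024-03-04T09:20:11 carol READ medical E1002
2024-03-04T22:41:57 bob READ payroll E1003
2024-03-04T10:02:00 dave READ personnel E1004
2024-03-04T11:00:00 carol READ personnel E1005
2024-03-04T11:00:05 carol READ personnel E1006
2024-03-04T11:00:09 carol READ personnel E1007
2024-03-04T11:00:12 carol READ personnel E1008
"""


def parse_log(text):
    """Turn the constructed log text into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, rec_class, rec_id = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "action": action, "class": rec_class, "id": rec_id})
    return events


def review(events, role_access=ROLE_ACCESS, user_role=USER_ROLE):
    """Return (finding, user, detail) tuples for every event that breaks a rule.

    Rules: the user must be known; the record class must be one the user's
    role needs; the access must fall in working hours; and no user may touch
    more than BULK_THRESHOLD distinct records in a day."""
    findings = []
    per_user_day = defaultdict(set)
    for e in events:
        role = user_role.get(e["user"])
        if role is None:
            findings.append(("UNKNOWN_USER", e["user"], e["id"]))
        elif e["class"] not in role_access.get(role, set()):
            findings.append(("NOT_AUTHORIZED", e["user"], e["id"]))
        if e["ts"].hour not in WORK_HOURS:
            findings.append(("OFF_HOURS", e["user"], e["id"]))
        per_user_day[(e["user"], e["ts"].date())].add(e["id"])
    for (user, day), ids in sorted(per_user_day.items()):
        if len(ids) > BULK_THRESHOLD:
            findings.append(("BULK_READ", user, f"{len(ids)} records on {day}"))
    return findings


if __name__ == "__main__":
    for finding in review(parse_log(SAMPLE_LOG)):
        print(*finding)
```

Each finding names the user and the record so the review can be followed up per person; the bulk-read rule fires on distinct records rather than raw event count so that repeated reads of one file by an authorized user do not look like an export.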


4. Maintain employee turnover at an acceptable level (O)
   Risk: Compensation and benefits are less than offered by other companies
     - Review and evaluate compensation and benefits on a regular basis
     - Compare compensation and benefits with those offered by other companies within the industry and within the local geographical area
     - Seek employee feedback about their needs
   Risk: Employees may not feel their efforts are noticed or appreciated
     - Periodic, standardized performance evaluations and career counseling
     - Institute compensation programs that reflect past performance and capacity for future development

Plan and Acquire Personnel

5. Acquire sufficient number of appropriately qualified personnel (O)
   Risk: Over- or underqualified candidates may be hired
     - Maintain appropriate candidate identification, screening and hiring practices
     - Maintain adequate job descriptions and hiring criteria that can be used to measure and compare candidates' qualifications with job requirements
   Risk: Lack of awareness of the entity's current human resources
     - Investigate and review potential candidates inside the entity before considering external candidates
   Risk: Lack of qualified candidates
     - Identify and retrain qualified personnel currently performing other job functions
     - Establish networks and candidate sources outside of the local geographical area
   Risk: The entity may be unaware of its future staffing needs
     - Regularly update future staffing requirements as part of ongoing business planning
   Risk: Labor organizations may call for strikes or work slowdowns
     - Continually identify union demands and issues and take reasonable steps to avoid labor disputes
     - Identify viable alternative sources of labor in the event of a labor dispute

Train and Develop Employees

6. Ensure employees receive adequate training to discharge their responsibilities effectively (O)
   Risk: Training requirements may not be adequately identified
     - Solicit opinions and ideas of management, supervisors and employees to identify training needs
     - Monitor performance or other problems that may indicate training deficiencies

7. Ensure staff receive adequate feedback regarding their performance and career development (O)
   Risk: Staff are not evaluated on a regular or timely basis
     - Periodically evaluate performance and provide career counseling

Activity: MANAGE THE ENTERPRISE

1. Design and implement strategies that allow achievement of entity-wide objectives (O)
   Risk: Incomplete or inaccurate information regarding changes affecting the entity, such as competition, products, customer preferences, or legal and regulatory changes
     - Develop a strategic plan that incorporates senior management's vision for the company
     - Periodically evaluate direction and priorities set by senior management to make certain they are still valid
     - Communicate information regarding competitors, products, customers, and legal and regulatory changes to all relevant activities
     - Establish communication, down, up and across the organization, to allow prompt identification and resolution of problems that impede achievement of strategic objectives
   Risk: Lack of understanding of critical success factors
     - Identify and analyze critical success factors from an industry and entity standpoint
   Risk: Insufficient or inappropriate resources
     - Identify and maintain adequate supply of internal resources and ensure availability of external resources
   Risk: Inadequate attention to relationships with shareholders, investors or other outside parties
     - Effectively communicate with shareholders, investors and other outside parties
   Risk: Information is too specific to be usable
     - Establish an executive management reporting system that focuses on key information for managing the business

2. Maintain systems that allow timely communication of accurate internal and external information to relevant personnel (O,F)
   Risk: Out-of-date systems
     - Regularly review information systems to ensure that they meet the changing needs of the company
   Risk: Inaccurate or untimely information
     - Institute an information system that ensures the accuracy and timeliness of internal and external information

3. Ensure entity personnel are aware of acceptable actions and behavior (O,C)
   Risk: Lack of Code of Conduct
     - Implement and monitor compliance with Code of Conduct
   Risk: Employees do not understand the Code of Conduct
     - Requirements of the Code of Conduct are reviewed with all new employees, and periodically with all employees
   Risk: Employees ignore the Code of Conduct
     - Appropriate disciplinary action for violations of the Code of Conduct to clearly communicate the message that violations will not be tolerated
   Risk: Dishonest employees
     - Hiring policies and procedures require reference checks on employment candidates
     - Employees found violating laws are subject to appropriate disciplinary action and are reported to the authorities for prosecution

Activity: MANAGE EXTERNAL RELATIONS

1. Attempt to legally influence government policies and regulations that have an impact on the entity's objectives (O)
   Risk: Lack of understanding of government policies
     - Employ personnel experienced in government affairs as they relate to the entity
     - Monitor and communicate regulatory and other government information
     - Join industry or trade organizations that lobby legislative or regulatory bodies

2. Actively participate in standard-making bodies (O)
   Risk: Participation dependent on appointment
   Risk: Limited number of positions
     - Establish reputation as industry leader
     - Make certain that entity officials are visible spokespeople on issues that affect the entity

3. Participate in community activities that enhance the public image of the company (O)
   Risk: Lack of information on and awareness of community issues
     - Encourage staff to support civic endeavors

Activity: PROVIDE ADMINISTRATIVE SERVICES

1. Provide quality services that are delivered on a timely basis at the least cost (O)
   Risk: Lack of or excess staff
     - Estimate service usage to ensure appropriate staffing levels
   Risk: Lack of planning procedures that incorporate objectives of administrative services
     - Where appropriate, evaluate the value of using outside service companies rather than providing service in-house
   Risk: Inadequate accounting systems for allocating costs
     - Accurately capture costs and distribute such costs on an equitable basis

Activity: MANAGE INFORMATION TECHNOLOGY

1. Use information technology (IT) to carry out the entity's strategic plans (O,F,C)
   Risk: Insufficient interaction of information technology, financial and operating management in developing strategic plans
     - Develop an IT strategic plan that optimizes entity-wide investment in and use of IT, and ensure that IT initiatives support the entity's long-range plans
     - Involve users in the development and maintenance of the strategic IT plan
     - Use an IT steering committee

2. Capture, process and maintain information completely and accurately and provide it to the appropriate people to enable them to carry out their responsibilities (O,F,C)
   Risk: Systems are not designed according to user needs or are not properly implemented
     - Use a systems development life cycle, which includes the following key aspects or phases:
         - Request for systems design
         - Feasibility study
         - General system design
         - Detailed systems specifications
         - Program development and testing
         - System testing
         - Conversion
         - System acceptance and approval
     - Use project management procedures to ensure proper management of systems development activities
     - Involve users in review and approval to ensure systems are designed to meet user requirements
   Risk: System and program modifications are implemented incorrectly
     - Use well-controlled system and program change procedures, including:
         - Properly approved system/program change requests
         - Approved changes are tracked throughout the change process
         - Review and approval of the final design of changes by users
         - All changes, including those initiated in data processing, are subject to appropriate testing, and test results are reviewed and approved by user and data processing management
         - Implementation of tested changes is approved by the requester
         - Data processing departments affected by changes are notified
         - Documentation is prepared or updated (such as operations runbooks, user manuals, program narratives and system descriptions)
   Risk: Computer operations fail to use correct programs, files and procedures
     - Prepare and adhere to a production job schedule; document and approve departures from the schedule
     - Establish adequate job set-up and execution procedures over:
         - Setting up of batch jobs
         - Loading on-line application systems
         - Loading system software
     - Use control statements and parameters in processing that are in accordance with approved procedures
     - Require written approval, including user involvement where appropriate, for departures from authorized set-up and execution procedures
     - Establish adequate procedures for identifying, reporting and approving operator actions, such as:
         - Initial loading of system and application software
         - System failures
         - Restart and recovery
         - Emergency situations
         - Any other unusual situations
   Risk: Data files are subjected to unauthorized access
   Risk: Programs are subjected to unauthorized modification
     - Establish a security policy stating senior management's commitment on information security; demonstrate such commitment through appropriate actions
     - Establish standards, procedures and guidelines that translate the security policy into rules and compliance criteria; these standards and procedures normally address such matters as:
         - The information classification scheme for information stored on computers and outside of data processing, including security categories (e.g., research, accounting, marketing) and security levels (e.g., top secret, confidential, internal use only, unclassified)
         - The data in each information class, the individuals or functions authorized to use the data, and the control and protection requirements
         - The types or classes of sensitive assets and, for each: potential threats; protection requirements
         - The responsibilities of management, security administration, resource (data, programs or assets) owners, computer operations, system users and internal auditors, with respect to: ownership of resources; procedures for granting access; procedures for establishing users and access privileges; required authorizations; security monitoring
         - The consequences of non-compliance with policy, standards and procedures
         - The security implementation plan, if applicable
     - Consider the development of an information security risk assessment
     - Use a security or access control software package to enhance the protection of data fields and system and program libraries
     - Use proper system software controls to ensure that system software is properly implemented, maintained and protected from unauthorized changes
     - Maintain proper physical security over computer hardware and software and information stored outside of data processing
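The classification scheme called for above (security categories such as research, accounting and marketing, and ordered security levels from unclassified up to top secret) defines a lattice, and the rule for which individuals or functions may use which data can be checked mechanically against it. The following is an added example, not from the COSO document: a subject may read an object only if the subject's clearance level is at least the object's level and the subject's category set covers every category on the object; writes are allowed only in the opposite direction, so data cannot be copied into a less protected store. The level names are the page's examples; the users, clearances and object labels are constructed.

```python
"""Added example: access decisions under the classification scheme above,
treated as a lattice of (level, categories) labels. Level names follow the
page's examples; users, clearances and object labels are constructed."""

# Security levels in increasing order of sensitivity.
LEVELS = ["unclassified", "internal use only", "confidential", "top secret"]
# Security categories (compartments) from the page's example scheme.
CATEGORIES = {"research", "accounting", "marketing"}


class Label:
    """A classification label: one level plus a set of categories."""

    def __init__(self, level, categories=()):
        if level not in LEVELS:
            raise ValueError(f"unknown level: {level}")
        cats = frozenset(categories)
        if not cats <= CATEGORIES:
            raise ValueError(f"unknown categories: {set(cats - CATEGORIES)}")
        self.level = level
        self.cats = cats

    def dominates(self, other):
        """True if this label is at least as restrictive as `other` in both
        dimensions: higher-or-equal level and a superset of categories."""
        return (LEVELS.index(self.level) >= LEVELS.index(other.level)
                and self.cats >= other.cats)

    def join(self, other):
        """Least upper bound: the label a document derived from both must carry."""
        level = max(self.level, other.level, key=LEVELS.index)
        return Label(level, self.cats | other.cats)

    def __eq__(self, other):
        return (self.level, self.cats) == (other.level, other.cats)

    def __repr__(self):
        return f"Label({self.level!r}, {sorted(self.cats)})"


def can_read(subject, obj):
    """No read up: the reader's clearance must dominate the object's label."""
    return subject.dominates(obj)


def can_write(subject, obj):
    """No write down: the target's label must dominate the writer's clearance,
    so data cannot flow into a less protected store."""
    return obj.dominates(subject)


def evaluate(requests, clearances, labels):
    """Decide a list of (user, 'read'|'write', object) requests.
    Unknown users, objects or operations are denied rather than raising."""
    decisions = []
    for user, op, obj_name in requests:
        subject, obj = clearances.get(user), labels.get(obj_name)
        if subject is None or obj is None:
            allowed = False
        elif op == "read":
            allowed = can_read(subject, obj)
        elif op == "write":
            allowed = can_write(subject, obj)
        else:
            allowed = False
        decisions.append((user, op, obj_name, "ALLOW" if allowed else "DENY"))
    return decisions


# Constructed clearances and object labels for the demonstration.
CLEARANCES = {
    "acct_clerk": Label("confidential", {"accounting"}),
    "research_lead": Label("top secret", {"research"}),
}
OBJECTS = {
    "ledger": Label("internal use only", {"accounting"}),
    "budget_memo": Label("confidential", {"accounting", "marketing"}),
    "lab_notes": Label("top secret", {"research"}),
    "newsletter": Label("unclassified"),
}
REQUESTS = [
    ("acct_clerk", "read", "ledger"),          # ALLOW: level and category both dominated
    ("acct_clerk", "read", "budget_memo"),     # DENY: level suffices, marketing category missing
    ("acct_clerk", "write", "budget_memo"),    # ALLOW: writing up is permitted
    ("research_lead", "write", "newsletter"),  # DENY: no write down from top secret
    ("research_lead", "read", "ledger"),       # DENY: high level, but no accounting category
    ("mallory", "read", "newsletter"),         # DENY: unknown user
]

if __name__ == "__main__":
    for decision in evaluate(REQUESTS, CLEARANCES, OBJECTS):
        print(*decision)
```

The second request is the case worth noticing: the clerk's level is high enough, but the memo carries a category the clerk was never granted, so the category check denies it. The `join` method gives the label a report combining the ledger and the memo must carry, which is how derived documents inherit the protection requirements of their sources.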


3. Information systems are available as needed (O,F,C)
   Risk: Lack of or poor business continuation planning
     - Establish and maintain a commitment by senior management for business contingencies
     - Develop and maintain a business continuation plan
     - Assess the impact of new or modified systems on business continuation procedures
     - Establish alternative processing arrangements
   Risk: Poor back-up and recovery procedures
     - Regularly back up critical data files, systems and program libraries and store offsite
   Risk: Inadequate safeguarding of IT resources
     - Regularly test business continuation procedures

Activity: MANAGE RISKS (of accident or other insurable loss)

1. Prevent and reduce potential for accidents (O)
   Risk: Certain jobs, activities or locations are hazardous
     - Identify hazardous jobs, activities or locations
     - Implement policies, procedures or precautions to enhance workers' safety
     - Monitor workers' compensation or related insurance claims and compare with industry averages (performance indicator)
     - Identify causes of accidents and implement appropriate, cost-effective safeguards
   Risk: Out-of-date production facilities
     - Ensure that capital expansion plans address safety objectives
   Risk: Ineffective safety and employee training programs
     - Provide appropriate safety and training programs to all new employees
     - Provide periodic updates on such programs to existing employees
   Risk: Poorly maintained or inadequate equipment
     - Establish a maintenance program that ensures equipment is adequately maintained
     - Investigate and resolve employee reports of malfunctioning equipment
   Risk: Employees ignore safety policies or procedures
     - Appropriately discipline violators of safety policies or procedures

2. Ensure compliance with applicable Occupational Safety and Health Administration (OSHA) laws and regulations (C)
   Risk: Lack of knowledge regarding OSHA laws and regulations
     - Retain competent legal counsel to advise the entity on OSHA requirements; ensure legal counsel periodically reviews applicable policies, procedures and safety precautions

3. Minimize insurance claims and other risk-related costs while maintaining adequate insurance coverage (O)
   Risk: Inaccurate, insufficient or untimely information regarding risk-related costs or accidents or incidents that could give rise to an insurance claim
     - Ensure that all accidents or other incidents that could give rise to an insurance claim are reported to appropriate personnel
     - Ensure information systems provide information on all risk-related costs, including insurance premiums, self-insured losses, risk management personnel costs and other related costs
     - Ensure that all significant risks pertaining to all activities have been identified and appropriately addressed, for example: product liability, property and casualty, business interruption and loss of key personnel
     - Evaluate insurance coverages and consider opportunities to limit costs through self-insurance, captive or off-shore insurance companies, or other techniques
   Risk: Lack of knowledge of risk management cost containment techniques
     - Retain personnel or advisors with risk management training and experience

Activity: MANAGE LEGAL AFFAIRS

1. Ensure the entity complies with all laws and regulations (C)
   Risk: Management is unaware of legal and regulatory requirements
     - Retain legal counsel with applicable industry experience
     - Legal counsel periodically communicates with management about legal and regulatory requirements
   Risk: Legal counsel is unaware of all activities taking place within the entity
     - Review of all significant contracts and agreements by legal counsel
     - Review of subsidiary, division or unit annual business plans by legal counsel
     - Legal counsel attends management meetings, visits business locations away from the executive offices or otherwise establishes adequate communication with subsidiary, division or unit management to gain a thorough understanding of enterprise activities
     - Encourage regular communication between legal counsel and the internal and independent auditors, and with the board of directors and its various committees
   Risk: Changing legal and regulatory requirements
     - Legal counsel monitors new laws, regulations, court decisions or other events that could impact the entity

2. Ensure contracts and agreements are clear, fair to the entity and legally enforceable (O)
   Risk: Legal counsel does not review contracts or agreements
     - Review and approval of all significant contracts and agreements by legal counsel
     - Limit personnel authorized to execute contracts or agreements to responsible officials at an appropriate management level

3. Minimize litigation costs and settlements (O)
   Risk: Nonlegal personnel are unaware that certain circumstances could potentially lead to litigation
     - Implement training programs for appropriate nonlegal personnel that address situations requiring communication with legal personnel
     - Include a clause in all contracts and agreements requiring copies of all legal notices or correspondence from other parties be sent to legal counsel
   Risk: Inaccurate information or estimates regarding costs of litigation or anticipated settlements
     - Monitor costs of current and previous litigation
     - Gather information on recent settlements or awards in similar litigation

Activity: PLAN

1. Develop long- and short-range plans that are in accordance with entity-wide objectives (O)
   Risk: Lack of awareness of entity-wide objectives
     - Establish a planning approach that uses as its foundation entity-wide objectives
     - Communicate entity-wide objectives to appropriate personnel involved in the planning process
   Risk: Insufficient information regarding available opportunities
     - Join industry and trade associations
     - Attend seminars or other informative sessions offered by outside parties
     - Retain experienced and competent management
   Risk: Inadequate management information systems
     - Establish information systems that present plan information in the same format as historical information

2. Develop plans in a format that allows management to manage the business and measure progress on a timely basis (O)
   Risk: Plan formats are ineffective in providing necessary benchmarks against which performance can be measured
     - Monitor and evaluate the effectiveness of plans; enhance plan formats to emphasize critical success factors

3. Develop plans using an efficient approach (O)
   Risk: Inadequate and outdated planning systems
     - Require agreement on entity-wide objectives before specific plans are developed; when allocating resources, prioritize in accordance with entity-wide objectives
     - Develop and maintain a planning system and communicate it to all relevant departments; conduct training when appropriate
     - Gather information for plans in accordance with the business focus used for managing the business
     - Develop and follow a timetable for gathering, analyzing and consolidating planning information

4. Develop plans that are realistic (O)
   Risk: Incorrect information and assumptions
     - Review and test the validity of assumptions
     - Consider all operational support activities when developing plans
     - Appropriate staff are involved in developing plans

Activity: PROCESS ACCOUNTS PAYABLE

1. Accurately record invoices on a timely basis for all accepted purchases that have been authorized and only for such purchases (O,F)
   Risk: Missing documents or information
     - Prenumber and account for purchase orders and receiving reports
     - Match invoice, receiving and purchase order information and follow up on missing or inconsistent information
     - Follow up on unmatched open purchase orders, receiving reports and invoices and resolve missing, duplicate or unmatched items, by individuals independent of purchasing and receiving functions
   Risk: Inaccurate input of data
     - Use of control totals or one-for-one checking
   Risk: Invalid accounts payable fraudulently created for unauthorized or non-existent purchases
     - Restrict ability to modify data
     - Reconcile vendor statements to accounts payable items
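Three of the controls above are mechanical checks: prenumbering and accounting for purchase orders and receiving reports, matching invoice, receiving and purchase order information, and listing unmatched or duplicate items for follow-up by someone independent of purchasing and receiving. The following is an added example, not part of the COSO document, that implements them over constructed data (the document numbers, vendors, prices and the 2% price tolerance are hypothetical). It also serves objectives 8 to 10 of the Purchasing activity earlier in this section, which rely on the same prenumbered-document accounting. A second invoice against an already fully billed purchase order is rejected because it would exceed the quantity received, which is how the match catches a resubmitted invoice without a separate duplicate check.

```python
"""Added example: accounting for prenumbered documents and a three-way match
of purchase orders, receiving reports and vendor invoices. Vendors, numbers,
prices and the tolerance are constructed for the demonstration."""
from dataclasses import dataclass


@dataclass(frozen=True)
class PurchaseOrder:
    number: int
    vendor: str
    item: str
    qty: int
    unit_price: float
    approved: bool


@dataclass(frozen=True)
class ReceivingReport:
    number: int
    po_number: int
    item: str
    qty_received: int


@dataclass(frozen=True)
class Invoice:
    number: str          # the vendor's own invoice number
    vendor: str
    po_number: int
    item: str
    qty: int
    unit_price: float


PRICE_TOLERANCE = 0.02   # hypothetical: accept unit prices within 2% of the PO


def account_for_series(numbers, first, last):
    """Account for a prenumbered series: report numbers missing from the
    expected range (lost or diverted documents), numbers used more than once
    (reuse), and numbers outside the range issued."""
    numbers = list(numbers)
    expected = set(range(first, last + 1))
    present = set(numbers)
    return {
        "gaps": sorted(expected - present),
        "duplicates": sorted(n for n in present if numbers.count(n) > 1),
        "out_of_range": sorted(present - expected),
    }


def three_way_match(pos, receiving_reports, invoices, tolerance=PRICE_TOLERANCE):
    """Approve an invoice only when an approved PO exists, vendor and item
    agree, the quantity billed so far on that PO does not exceed the quantity
    received, and the unit price is within tolerance. Everything else is an
    exception for independent follow-up; POs not yet fully billed stay open."""
    po_by_number = {po.number: po for po in pos}
    received = {}
    for rr in receiving_reports:
        received[rr.po_number] = received.get(rr.po_number, 0) + rr.qty_received
    billed = {}
    approved, exceptions = [], []
    for inv in invoices:
        po = po_by_number.get(inv.po_number)
        if po is None:
            exceptions.append((inv.number, "NO_PO"))
        elif not po.approved:
            exceptions.append((inv.number, "PO_NOT_APPROVED"))
        elif inv.vendor != po.vendor or inv.item != po.item:
            exceptions.append((inv.number, "VENDOR_OR_ITEM_MISMATCH"))
        elif billed.get(po.number, 0) + inv.qty > received.get(po.number, 0):
            # also catches a second invoice against an already billed receipt
            exceptions.append((inv.number, "QTY_EXCEEDS_RECEIVED"))
        elif abs(inv.unit_price - po.unit_price) > tolerance * po.unit_price:
            exceptions.append((inv.number, "PRICE_VARIANCE"))
        else:
            billed[po.number] = billed.get(po.number, 0) + inv.qty
            approved.append(inv.number)
    open_pos = sorted(n for n, po in po_by_number.items() if billed.get(n, 0) < po.qty)
    return {"approved": approved, "exceptions": exceptions, "open_pos": open_pos}


# Constructed sample documents. PO series 1001-1005 and receiving report
# series 501-505 were issued; receiving report 504 never reached payables.
SAMPLE_POS = [
    PurchaseOrder(1001, "Acme", "bolt", 100, 1.00, True),
    PurchaseOrder(1002, "Acme", "nut", 50, 0.50, True),
    PurchaseOrder(1003, "Zed", "washer", 10, 0.10, False),
    PurchaseOrder(1004, "Acme", "screw", 30, 0.20, True),
    PurchaseOrder(1005, "Acme", "bolt", 20, 1.00, True),
]
SAMPLE_RRS = [
    ReceivingReport(501, 1001, "bolt", 100),
    ReceivingReport(502, 1002, "nut", 40),
    ReceivingReport(503, 1003, "washer", 10),
    ReceivingReport(505, 1005, "bolt", 20),
]
SAMPLE_INVOICES = [
    Invoice("A-1", "Acme", 1001, "bolt", 100, 1.00),   # clean match
    Invoice("A-2", "Acme", 1002, "nut", 50, 0.50),     # billed 50, only 40 received
    Invoice("Z-1", "Zed", 1003, "washer", 10, 0.10),   # PO never approved
    Invoice("A-3", "Acme", 1001, "bolt", 100, 1.00),   # resubmission of A-1
    Invoice("A-4", "Acme", 1002, "nut", 40, 0.55),     # 10% over PO price
    Invoice("Q-1", "Quux", 9999, "gasket", 5, 2.00),   # no such PO
]

if __name__ == "__main__":
    print(account_for_series([po.number for po in SAMPLE_POS], 1001, 1005))
    print(account_for_series([rr.number for rr in SAMPLE_RRS], 501, 505))
    print(three_way_match(SAMPLE_POS, SAMPLE_RRS, SAMPLE_INVOICES))
```

The exception list and the open-PO list are the work queue for the independent reviewer named in the control; the gap in the receiving report series is the signal that a document was lost or diverted and needs to be traced before the related purchase order can be closed.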
2. Identify available discounts (O)
   Risk: Missing or untimely receipt of documents
     - Investigate unmatched information before due date
     - Maintain accounts payable ledger by discount date

3. Accurately record returns and allowances for all authorized credits, and only for such credits (F)
   Risk: Missing documents or information
     - Prenumber and account for shipping orders for returned goods
     - Match shipping orders for returned goods with vendors' credit memos
     - Follow up on unmatched shipping orders for returned goods and related receiving reports and invoices and resolve missing, duplicate or unmatched items, by individuals independent of the accounts payable function
     - Review vendor correspondence authorizing returns and allowances
   Risk: Inaccurate input of data
     - Reconcile accounts payable records with vendor statements
     - Use of control totals or one-for-one checking

4. Ensure completeness and accuracy of accounts payable (O,F)
   Risk: Unauthorized input for nonexistent returns
     - Reconcile accounts payable subsidiary ledger with purchase and cash disbursement transactions
   Risk: Unauthorized additions to accounts payable
     - Resolve differences between the accounts payable subsidiary ledger and the accounts payable control account

5. Safeguard accounts payable records (O,F)
   Risk: Unauthorized access to accounts payable records and stored data
     - Restrict access to accounts payable and files used in processing payables
     - Restrict access to mechanical check signers and signature plates

Activity: PROCESS ACCOUNTS RECEIVABLE

1. All goods shipped are accurately billed in the proper period (O)
   Risk: Missing documents or incorrect information
     - Use standard shipping or contract terms
     - Communicate nonstandard shipping or contract terms to accounts receivable
     - Verify shipping or contract terms before invoice processing
   Risk: Improper cutoff of shipments at the end of a period
     - Identify shipments as being before or after period-end by means of a shipping log and prenumbered shipping documents
     - Reconcile goods shipped to goods billed

2. Accurately record invoices for all authorized shipments and only for such shipments (O,F)
   Risk: Missing documents or incorrect information
     - Prenumber and account for shipping documents and sales invoices
     - Match orders, shipping documents, invoices and customer information, and follow through on missing or inconsistent information
     - Mail customer statements periodically and investigate and resolve disputes or inquiries, by individuals independent of the invoicing function
     - Monitor number of customer complaints regarding improper invoices or statements (performance indicator)

3. Accurately record all authorized sales returns and allowances and only such returns and allowances (O,F)
   Risk: Missing documents or incorrect information
     - Authorize credit memos by individuals independent of the accounts receivable function
     - Prenumber and account for credit memos and receiving documents
     - Match credit memos and receiving documents and resolve unmatched items by individuals independent of the accounts receivable function
   Risk: Inaccurate input of data
     - Mail customer statements periodically and investigate and resolve disputes or inquiries, by individuals independent of the invoicing function

4. Ensure continued completeness and accuracy of accounts receivable (O,F)
   Risk: Unauthorized input for nonexistent returns, allowances and writeoffs
     - Review correspondence authorizing returns and allowances
     - Reconcile accounts receivable subsidiary ledger with sales and cash receipts transactions
     - Resolve differences between the accounts receivable subsidiary ledger and the accounts receivable control account

5. Safeguard accounts receivable records (O,F)
   Risk: Unauthorized access to accounts receivable records and stored data
     - Restrict access to accounts receivable files and data used in processing receivables

Activity: PROCESS FUNDS
Objectives O,F,C Risks
Points of Focus for
Actions/Control Activities
1. Accurately forecast
cash balances to
maximize short-
term investment
income and to avoid
cash shortfalls
O Inaccurate, untimely or
unavailable information
regarding cash inflows
and outflows
Information systems identify all
sources of cash and dates cash is
due or expected to be collected
(such sources include accounts
receivable collections, customer
deposits, sale of assets, loan
proceeds and other cash sources)
Information systems identify all
cash requirements and dates cash
is needed (such requirements
include accounts payable, loan
payments, payrolls, dividends or
other cash requirements)
Identify all internal sources of
information
   - Compare information used to prepare cash forecasts with supporting records or underlying documents to verify information is internally consistent

Column key (used throughout these tables): Objectives | O,F,C | Risks | Points of Focus for Actions/Control Activities, where O = operations, F = financial reporting and C = compliance objectives.

2. Ensure necessary financing is available in the event of a cash shortfall (O)
   Risk: Lack of awareness regarding financing alternatives
   - Retain financial personnel experienced in obtaining financing for similar entities
   - Identify professional advisors who can assist in locating alternative sources of financing and consult those advisors as appropriate
   Risk: Failure to establish or maintain appropriate relationships with financing sources
   - Establish relationships with financing sources before financing is needed. Maintain proper and current relationships to facilitate access to cash as the need arises

3. Optimize return on temporary cash investments (O)
   Risk: Lack of knowledge regarding investment alternatives
   - Retain financial personnel experienced in short-term investments
   - Use professional investment advisors

4. Accelerate cash collections (O)
   Risk: Handling cash receipts internally can delay deposit of such receipts
   - Consider lock-box arrangements whereby payments are remitted to a post office box and the bank collects and deposits such remittances
   Risk: Customers delay remittance
   - Factor accounts receivable
   - Honor bank credit cards
   - Offer discounts for timely remittance
   - Establish and enforce collection policies
   - Monitor accounts receivable for overdue balances; implement collection procedures on a timely basis
   Risk: Excessive accounts receivable collection problems
   - Establish and enforce a credit policy that reflects an appropriate balance between risk of credit loss and sales volume

5. Record cash receipts on accounts receivable completely and accurately (O,F)
   Risk: Cash received is diverted, lost or otherwise not reported accurately to accounts receivable
   - Assign opening of mail to an individual with no responsibility for or access to files or documents pertaining to accounts receivable or cash accounts; compare listed receipts to credits to accounts receivable and bank deposits
   - Consider use of lock-box or other arrangements to accelerate deposits
   - Consider ability to have customers transfer funds electronically to the entity's bank account, and notify the entity of payment through Electronic Data Interchange (EDI)
   Risk: Receipts are for amounts different from invoiced amounts, or are not identifiable
   - Send periodic statements to customers and investigate customer-noted differences (performance indicator)
   - Reconcile general ledger with accounts receivable subsidiary records; investigate differences
   - Contact payor to determine reasons for payment, or for payment different from amounts invoiced

6. Manage timing of cash disbursements (O)
   Risk: Inaccurate, untimely or unavailable information regarding payment due dates
   - Information system identifies all cash requirements and dates cash is needed
   - Use accounts payable aging analysis
   Risk: Bills are paid before due dates
   - Delay check preparation or signature until the due date
   - Release check at the latest possible time and at the end of a day or week, if possible
   Risk: Checks clear the bank quickly
   - Consider check-clearing time when selecting a bank

7. Minimize cash disbursements (O)
   Risk: Information system does not identify available discounts and related required payment dates
   - Information system identifies payment dates related to available discounts

8. Disburse cash only for authorized purchases (O,F)
   Risk: Fictitious documentation is created
   - Examine supporting documents; payments approved by individuals independent of procurement, receiving and accounts payable
   Risk: Reuse of supporting documents
   - Cancel supporting documents to prevent resubmission for payment

9. Remit disbursements to vendors and others, such as for dividends, debt service, and tax or other payments, in a timely and accurate manner (O,F)
   Risk: Inaccurate, untimely or unavailable information regarding amounts or due dates of payments
   - Detailed comparison of actual versus budgeted disbursements
   - Compare payment amounts and recipients with source documents, such as vendor invoices, purchase orders, tax returns, dividend computations, loan repayment schedules or other appropriate documentation; verify accuracy of supporting documents
   - Establish a tickler file to identify payment due dates
   - Modify information systems as necessary to provide payment information

10. Record cash disbursements completely and accurately (O,F)
   Risk: Missing documents or information
   - Match disbursement records against accounts payable/open invoice files
   - Prenumber and account for checks
   - Reconcile bank statements to cash accounts and investigate long-outstanding checks, by individuals independent of accounts payable and cash disbursement functions

11. Safeguard cash and the related accounting records (O,F)
   Risk: Inadequate physical security over cash and documents that can be used to transfer cash
   - Segregate custodial and record-keeping functions
   - Reconcile bank accounts by individuals without responsibility for cash receipts, disbursements or custody
   - Receive and prelist cash by individuals independent of recording cash receipts
   - Restrictively endorse checks on receipt
   - Deposit receipts intact daily
   - Restrict access to accounts receivable files and files used in processing cash receipts
   - Mail checks by individuals independent of recording accounts payable
   - Authorized check signers are independent of cash receipts functions
   - Physically protect mechanical check signers and signature plates
   - Restrict access to accounts payable files and files used in processing cash disbursements
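The three points of focus under objective 10 (match disbursement records to the open-invoice file, account for prenumbered checks, and investigate long-outstanding checks during the bank reconciliation) are mechanical enough to run as a script over the check register. The following is an added example, not part of the COSO manual: the check register, open-invoice file and cleared-check list are constructed sample data, and the 90-day cutoff for "long-outstanding" is an assumption of the example. The same sequence-accounting routine applies to any prenumbered form in this manual, such as the capital expenditure authorizations and disposal forms in the fixed-asset activity and the requisitions and production reports in the product-cost activity.

```python
"""Detective controls over cash disbursements: sequence accounting for
prenumbered checks, matching to the open-invoice file, and flagging
long-outstanding checks in the bank reconciliation.
Added example for this section of the COSO evaluation tools; every record
below is constructed sample data, not taken from the manual."""
from dataclasses import dataclass
from datetime import date
from decimal import Decimal
from typing import Dict, Iterable, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Check:
    number: int                 # preprinted check number
    payee: str
    amount: Decimal             # Decimal, never float, for money
    issued: date
    invoice_id: Optional[str]   # open-invoice reference; None = unsupported payment


# Constructed sample data (assumed for the example, not from the manual).
CHECKS: List[Check] = [
    Check(1001, "Acme Supply", Decimal("1250.00"), date(2024, 1, 5), "INV-77"),
    Check(1002, "Acme Supply", Decimal("1250.00"), date(2024, 1, 5), "INV-77"),  # same invoice paid twice
    Check(1004, "Office Depot", Decimal("300.00"), date(2024, 1, 9), "INV-80"),  # 1003 is unaccounted for
    Check(1005, "J. Smith", Decimal("980.00"), date(2024, 1, 10), None),        # no supporting invoice
    Check(1006, "Utility Co", Decimal("410.00"), date(2023, 9, 1), "INV-81"),   # issued long ago, never cleared
]
OPEN_INVOICES: Dict[str, Decimal] = {
    "INV-77": Decimal("1250.00"),
    "INV-80": Decimal("300.00"),
    "INV-81": Decimal("410.00"),
}
CLEARED: Set[int] = {1001, 1004}        # check numbers that appear on the bank statement
AS_OF = date(2024, 1, 31)               # bank statement / reconciliation date


def account_for_sequence(numbers: Iterable[int], first: int, last: int) -> Tuple[List[int], List[int]]:
    """Every preprinted number from first..last must be used exactly once
    (voided checks are retained and recorded, so they still appear).
    Returns (missing, duplicated) check numbers."""
    seen: Dict[int, int] = {}
    for n in numbers:
        seen[n] = seen.get(n, 0) + 1
    missing = [n for n in range(first, last + 1) if n not in seen]
    duplicated = sorted(n for n, count in seen.items() if count > 1)
    return missing, duplicated


def unmatched_disbursements(checks: Iterable[Check], open_invoices: Dict[str, Decimal]) -> List[Tuple[int, str]]:
    """Match each disbursement to the open-invoice file. A check with no
    invoice, an unknown invoice, a different amount, or an invoice already
    paid by an earlier check is an exception for independent follow-up."""
    findings: List[Tuple[int, str]] = []
    paid_by: Dict[str, int] = {}
    for c in sorted(checks, key=lambda c: c.number):
        if c.invoice_id is None:
            findings.append((c.number, "no supporting invoice"))
        elif c.invoice_id not in open_invoices:
            findings.append((c.number, f"invoice {c.invoice_id} not in open-invoice file"))
        elif open_invoices[c.invoice_id] != c.amount:
            findings.append((c.number, f"amount {c.amount} differs from invoice {c.invoice_id}"))
        elif c.invoice_id in paid_by:
            findings.append((c.number, f"invoice {c.invoice_id} already paid by check {paid_by[c.invoice_id]}"))
        else:
            paid_by[c.invoice_id] = c.number
    return findings


def long_outstanding(checks: Iterable[Check], cleared: Set[int], as_of: date, max_days: int = 90) -> List[int]:
    """Checks issued more than max_days ago that have not cleared the bank:
    the items the reconciler should investigate (lost, stolen, or never mailed)."""
    return [c.number for c in checks
            if c.number not in cleared and (as_of - c.issued).days > max_days]


if __name__ == "__main__":
    print(account_for_sequence([c.number for c in CHECKS], 1001, 1006))
    print(unmatched_disbursements(CHECKS, OPEN_INVOICES))
    print(long_outstanding(CHECKS, CLEARED, AS_OF))
```

On the sample data the script reports check 1003 as unaccounted for, 1002 as a second payment of an invoice already paid by 1001, 1005 as a payment with no supporting invoice, and 1006 as outstanding for more than 90 days. The script only produces the exception list; the control in objectives 10 and 11 is that the person who runs it and follows up on each exception is independent of accounts payable, cash disbursement and custody.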

Activity: PROCESS FIXED ASSETS
Columns: Objectives | O,F,C | Risks | Points of Focus for Actions/Control Activities

1. Completely and accurately record fixed asset transfers, acquisitions, dispositions and related depreciation (O,F)
   Risk: Acquisition documentation may be lost or otherwise not communicated to proper personnel
   - Prenumber individual capital expenditure authorizations and investigate missing documents
   - Route copy of purchase orders for capital expenditures to personnel who process fixed assets; investigate purchase orders not matched with receiving documentation after anticipated receipt date
   - Reconcile fixed asset additions with capital expenditure authorizations
   Risk: Acquired assets may not be adequately described
   - Inquire of purchasing or other personnel to clarify asset description or function
   - Establish clear definitions for asset categories
   Risk: Asset disposals or transfers may not be communicated to proper personnel
   - Dispose of or transfer fixed assets only with proper authorization, a copy of which is provided to appropriate personnel
   - Prenumber fixed asset disposal and transfer authorization forms and investigate missing documents
   - Count fixed assets periodically, reconcile count with fixed asset records and investigate differences
   Risk: Incorrect depreciation lives or methods may be used
   - Establish policies regarding depreciation lives and methods, communicate them to appropriate personnel, and periodically review them to ensure continued appropriateness
   - Review depreciation detail for accuracy and compliance with policies and procedures

2. Safeguard fixed assets from loss through theft (O)
   Risk: Inadequate physical security over fixed assets
   - Restrict access to facilities during non-working hours
   - Affix an identification plate and number to office furniture and fixtures, equipment and other portable fixed assets
   - Develop, implement and communicate safeguarding policies

Activity: ANALYZE AND RECONCILE
Columns: Objectives | O,F,C | Risks | Points of Focus for Actions/Control Activities

1. Compare operating results with pre-established standards, such as budgets or prior-period results. Identify variances, trends or unusual changes and their causes (O)
   Risk: Pre-established standards are not determined
   - Periodically establish operating standards, such as quarterly or annual budgets
   Risk: Lack of or inaccurate information needed to compare actual results with pre-established standards
   - Specify information needed to identify and explain variances, trends or unusual changes
   - Design information systems to communicate necessary information to appropriate people on a timely basis

2. Reconcile books and records to ensure their internal consistency (O,F)
   (Note: Risks for this objective vary, depending on the reconciliation procedures and the nature of the information being reconciled. Accordingly, reconciliation procedures are identified, where appropriate, in other sections of this Reference Manual.)

Activity: PROCESS BENEFITS AND RETIREE INFORMATION
Columns: Objectives | O,F,C | Risks | Points of Focus for Actions/Control Activities

1. Ensure all eligible individuals, and only such individuals, are included in benefit programs (O,C)
   Risk: Program eligibility requirements are not clearly communicated to appropriate personnel
   - Train and update appropriate personnel regarding plan eligibility requirements and amendments thereto
   Risk: Inaccurate employee information is provided to benefits personnel
   - Compare information to employee personnel file or otherwise verify its accuracy
   - Limit access to employee data base
   Risk: Eligible employees are improperly excluded from participation
   - Periodically match participant list to employee and/or retiree list and to documentation of employees' elections not to participate
   Risk: Nonexistent employees are entered as program participants or beneficiaries
   - Periodically compare participant list to employee and/or retiree list
   - Approval by an authorized official of all additions to participant data base
   - Verify existence and status of participant

2. Accurately calculate benefits due to each participant (O,C)
   Risk: Plan benefit provisions are unclear or complex
   - Ensure plan documents describe benefit provisions clearly and include sample calculations
   - Amend plan as necessary to clarify benefit computations
   - Consult legal, actuarial or other professionals as needed to clarify benefit provisions
   Risk: Errors are made in calculating benefits
   - Standardize forms or programs for calculating benefits
   - Review benefit calculations
   Risk: Inaccurate information
   - Limit access to information and data used in calculating benefits
   - Approve all changes to data bases used to calculate benefits

3. Summarize and track benefit information (O)
   Risk: Lost or misplaced information
   - Reconcile various related reports
   - Use logs or other devices to ensure completeness of processing

4. Comply with applicable laws and regulations (C)
   Risk: Personnel are unaware of applicable laws and regulations
   - Train human resource or other personnel on applicable laws and regulations
   - Review and approve all plan documents and policies by legal counsel experienced in employee and retiree benefit programs

5. Generate and distribute benefits reports in an accurate and timely manner (O)
   Risk: Lack of adequate systems
   - Ensure that report generation systems process information accurately and satisfy reporting deadlines
   Risk: Lack of understanding of reporting requirements
   - Implement and monitor training programs

Activity: PROCESS PAYROLL
Columns: Objectives | O,F,C | Risks | Points of Focus for Actions/Control Activities

1. Pay employees in accordance with wage contracts and other established policies (O)
   Risk: System is not designed to reflect payment schedule included in collective bargaining agreements or individual agreements with employees
   - Implement payment schedule that reflects wage contracts and agreed-upon payment schedules

2. Calculate and record payroll (including payroll deductions) accurately and completely for all services actually performed and approved, and only for such services (O,F)
   Risk: Pay rates or deductions are not properly authorized or are inaccurate
   - Review and approve initial pay and any subsequent additions or changes
   - Periodically verify payroll data base information
   - Review and approve initial deductions/benefit elections
   - Use standard forms for making changes to payroll information
   - Review and approve all nonstandard items such as sick, vacation and bonus pay
   - Review payroll register and checks for reasonableness
   - Security controls that limit access to payroll data base
   Risk: Hours are not authorized or are inaccurate
   - Review and approve time records for unusual or nonstandard hours and for overtime
   Risk: Time cards or other source information is submitted for nonexistent employees
   - Use standardized policies and procedures when hiring employees
   - Security procedures relating to additions and deletions of employees to or from the data base
   - Maintain logs or other documentation supporting or tracking changes to payroll data base
   - Where practical, require valid identification and employee signature to receive paycheck
   - Prohibit payment of wages in cash, except in prescribed circumstances
   - Use direct deposit systems
   Risk: Lack or loss of information or documents
   - Verify that source documents such as timecards are received for all employees
   - Maintain back-up records of employees' time in case source documents are lost
   - Reconcile the employee subsidiary ledger to the general ledger control accounts; investigate any differences
   - Compare total hours and number of employees input with the totals in the payroll register

3. Restrict access to payroll data information to only those individuals who need such information to discharge duties (O)
   Risk: Unauthorized personnel may gain access to payroll information
   - Access to information stored on electronic media is restricted by passwords. (The 1992 text specifies "frequently changed passwords"; current authentication guidance such as NIST SP 800-63B favors individual accounts with unique credentials and multi-factor authentication over forced periodic rotation, which tends to produce weaker, predictable passwords.)
   - Payroll processing systems and written information are subject to physical security

4. Provide payroll information to relevant personnel to satisfy management information needs (O)
   Risk: Management information needs with respect to payroll are not defined
   - Identify how payroll information can satisfy other management objectives and link information sources
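Several of the points of focus in the benefits and payroll activities reduce to comparing two lists kept by different people: the benefit-participant list against the employee and retiree lists and the documented elections not to participate (Process Benefits, objective 1); time records against the employee master, input control totals against the payroll register, and the change log for the payroll data base against its approvals (Process Payroll, objective 2). The following added example, not from the COSO manual, implements those comparisons. All identifiers and records are constructed sample data, and the rule that an approver must be a different person from the requester is the example's reading of "security procedures relating to additions and deletions", not wording from the manual.

```python
"""Completeness and existence checks over benefit participants and payroll
input. Added example for the Process Benefits and Process Payroll activities
of the COSO evaluation tools; every record below is constructed sample data."""
from typing import Dict, Iterable, List, Set, Tuple

# Employee master (kept by HR), retiree list, benefit-plan participant list
# (kept by benefits personnel) and documented elections not to participate.
EMPLOYEES: Set[str] = {"E100", "E101", "E102", "E103"}
RETIREES: Set[str] = {"R900"}
PARTICIPANTS: Set[str] = {"E100", "E102", "R900", "E999"}   # E999 exists in no master list
OPTED_OUT: Set[str] = {"E101"}                               # signed waiver on file

# Time records submitted for the pay period: (employee id, hours).
TIME_RECORDS: List[Tuple[str, int]] = [("E100", 40), ("E102", 38), ("E555", 40)]  # E555 has no master record
# Control totals reported on the payroll register after processing.
REGISTER_OK = {"employee_count": 3, "total_hours": 118}
REGISTER_ALTERED = {"employee_count": 3, "total_hours": 158}   # a line was added after input

# Change log for the payroll master file: who changed what, and who approved it.
CHANGE_LOG = [
    {"emp": "E102", "field": "pay_rate", "by": "hr.jane", "approved_by": "hr.mgr"},
    {"emp": "E555", "field": "add_employee", "by": "pay.clerk", "approved_by": "pay.clerk"},  # self-approved
    {"emp": "E100", "field": "bank_account", "by": "pay.clerk", "approved_by": None},         # never approved
]


def participant_exceptions(participants: Set[str], employees: Set[str],
                           retirees: Set[str], opted_out: Set[str]) -> Tuple[List[str], List[str]]:
    """Match the participant list to the employee and retiree lists.
    Returns (participants with no master record, eligible people missing from
    the plan who have no documented election not to participate)."""
    eligible = employees | retirees
    not_in_master = sorted(participants - eligible)
    improperly_excluded = sorted(eligible - participants - opted_out)
    return not_in_master, improperly_excluded


def time_records_for_unknown_employees(time_records: Iterable[Tuple[str, int]],
                                       employees: Set[str]) -> List[str]:
    """Source documents submitted for ids that do not exist in the master file
    (the fictitious-employee pattern the manual warns about)."""
    return sorted({emp for emp, _ in time_records if emp not in employees})


def control_total_differences(time_records: Iterable[Tuple[str, int]],
                              register: Dict[str, int]) -> Dict[str, Tuple[int, int]]:
    """Compare totals computed from the input with the totals on the payroll
    register. Returns {name: (from_input, from_register)} for each mismatch."""
    records = list(time_records)
    computed = {
        "employee_count": len({emp for emp, _ in records}),
        "total_hours": sum(hours for _, hours in records),
    }
    return {k: (v, register[k]) for k, v in computed.items() if register[k] != v}


def unapproved_master_changes(change_log) -> List[Tuple[str, str]]:
    """Changes to the payroll master that lack an approver, or were approved by
    the person who made them (no segregation of duties on the change)."""
    return [(e["emp"], e["field"]) for e in change_log
            if e["approved_by"] is None or e["approved_by"] == e["by"]]


if __name__ == "__main__":
    print(participant_exceptions(PARTICIPANTS, EMPLOYEES, RETIREES, OPTED_OUT))
    print(time_records_for_unknown_employees(TIME_RECORDS, EMPLOYEES))
    print(control_total_differences(TIME_RECORDS, REGISTER_OK))
    print(control_total_differences(TIME_RECORDS, REGISTER_ALTERED))
    print(unapproved_master_changes(CHANGE_LOG))
```

Note what the two checks on the payroll input do and do not prove. The control totals for the sample period agree with the register, yet E555 is a ghost: matching totals show that everything input was processed, not that the input was valid. The comparison against the employee master is what surfaces E555, and the change log then shows how the record got there (a self-approved addition by the payroll clerk), which is why the manual pairs the hiring procedures, the access and approval controls, and the logs as a set rather than relying on any one of them.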

Activity: PROCESS TAX COMPLIANCE
Columns: Objectives | O,F,C | Risks | Points of Focus for Actions/Control Activities

1. Accurately process, prepare and file required tax documents on a timely basis (F,C)
   Risk: Inadequate information about, or understanding of, filing requirements and applicable laws and regulations
   - Employ competent tax professionals, either in-house or outside the entity, to identify and prepare filings
   - Subscribe to tax services and/or maintain membership in appropriate industry, trade or professional organizations to identify emerging tax requirements or opportunities
   - Establish a system, such as a tickler file, to identify tax filing due dates
   Risk: Incomplete or inaccurate information used as the basis for document preparation
   - Identify information necessary to prepare tax documents; ensure information systems are designed to accurately provide such information on a timely basis

2. Reduce tax liabilities to the legal minimum (O,C)
   Risk: Inadequate information regarding tax-savings opportunities
   - Ensure tax professionals are fully informed of all aspects of the entity's operations, including routine and nonroutine transactions, and any changes in the entity's business lines or methods of conducting business
   - Periodically review tax filings and status to specifically identify tax-savings opportunities

3. Record the effect of all tax transactions or economic events completely and accurately (F,C)
   Risk: Inadequate information about, or understanding of, financial reporting of tax transactions or economic events
   - Employ personnel who understand financial reporting for taxes
   - Subscribe to technical services and/or maintain memberships in appropriate industry, trade or professional organizations that identify and explain new or existing financial reporting requirements
   Risk: Journal entries related to tax transactions or economic events are not properly approved or posted to the general ledger
   - Journal entries related to taxes are approved by authorized and knowledgeable officials
   - Each journal entry is compared with the general ledger to ensure proper posting

Activity: PROCESS PRODUCT COSTS
Columns: Objectives | O,F,C | Risks | Points of Focus for Actions/Control Activities

1. Develop standard costs of producing products, including costs at each stage of the production process (O,F)
   Risk: Inadequate or inaccurate information
   - Identify information necessary to develop standard product costs; ensure information systems accurately provide such information on a timely basis (this information may include such items as units planned to be produced, budgeted labor hours and costs, budgeted overhead costs and estimated material costs; it should take into account the impact of technology on the manufacturing process and consider the proper basis on which to allocate costs)
   - Periodically evaluate the production process and estimate the costs associated with each stage of the process
   Risk: Poorly organized production process
   - See the Operations section of this Reference Manual
   Risk: Inability to identify the stage of production
   - Clearly define and organize each stage of production; appropriately document such stages
   - Establish systems to routinely identify stage of completion; periodically verify system is functioning properly

2. Record actual costs incurred completely and accurately (O,F)
   Risk: Inaccurate, untimely or unavailable information regarding actual costs incurred
   - Prenumber and account for the numerical sequence of requisitions of materials and component parts issued to and returned from production; investigate missing or duplicate (unmatched) items by people independent of the materials handling function
   - Reconcile records of labor and overhead charges to payrolls and overhead cost incurred; investigate differences
   - Prenumber and account for the numerical sequence of production reports or other records of finished production and transfers within work-in-process; reconcile those reports to quantities recorded; investigate missing documents and differences
   - Review and approve monthly summarizing entries
   - Maintain perpetual inventory records
   - Periodically balance the raw materials, work-in-process and finished goods records (previous balance plus additions less transfers out, compared with the current total)
   - Periodically count raw materials, work-in-process and finished goods inventories and compare with the perpetual records; investigate differences
   - Reconcile the perpetual records to the general ledger control accounts, and approve adjustments, by personnel other than those responsible for maintaining related perpetual records or for safeguarding inventories

3. Determine variances from standard costs and their effect on inventory and cost of sales (O,F)
   Risk: Variances are computed or recorded inaccurately
   - Compute variances for each appropriate product; verify completeness by comparison to product list or other appropriate document
   - Verify variance accuracy by re-computation or other appropriate methods
   - Review general ledger or other records to ensure variances are recorded accurately
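The balancing and reconciling steps under objective 2 (previous balance plus additions less transfers out, compared with the current total; physical count against the perpetual records; perpetual records against the general ledger control accounts) are arithmetic over figures the records already hold, which makes them easy to run on every close rather than "periodically". The following added example, not from the COSO manual, runs them over constructed sample figures. The stage hand-off check (what leaves one stage must arrive as additions to the next) is the example's own extension of the manual's per-stage roll-forward, and the item codes, costs and unit counts are assumed.

```python
"""Balancing and reconciling inventory records: the roll-forward for each
stage, the hand-off between stages, physical count versus perpetual records,
and perpetual records versus the general ledger control account.
Added example for the Process Product Costs activity of the COSO evaluation
tools; all figures below are constructed sample data."""
from decimal import Decimal
from typing import Dict, List, Tuple

D = Decimal

# Cost roll-forward for the period, by stage (constructed figures).
STAGES: List[str] = ["raw_materials", "work_in_process", "finished_goods"]
ROLL_FORWARD: Dict[str, Dict[str, Decimal]] = {
    "raw_materials":   {"opening": D("1000"), "additions": D("500"), "transfers_out": D("600"), "closing": D("900")},
    "work_in_process": {"opening": D("400"),  "additions": D("600"), "transfers_out": D("710"), "closing": D("310")},  # expected 290
    "finished_goods":  {"opening": D("200"),  "additions": D("700"), "transfers_out": D("650"), "closing": D("250")},
}
# Physical count (units) and the perpetual record (units) for raw materials.
COUNT: Dict[str, int] = {"RM-1": 120, "RM-2": 80}
PERPETUAL_UNITS: Dict[str, int] = {"RM-1": 120, "RM-2": 85, "RM-3": 10}   # RM-3 not found in the count
# Perpetual record extended at cost, and the general ledger control balance.
PERPETUAL_VALUE = D("900")
GL_CONTROL = D("925")


def roll_forward_exceptions(records: Dict[str, Dict[str, Decimal]]) -> Dict[str, Tuple[Decimal, Decimal]]:
    """Stages whose recorded closing balance does not equal
    opening + additions - transfers_out. Returns {stage: (expected, recorded)}."""
    out: Dict[str, Tuple[Decimal, Decimal]] = {}
    for stage, r in records.items():
        expected = r["opening"] + r["additions"] - r["transfers_out"]
        if expected != r["closing"]:
            out[stage] = (expected, r["closing"])
    return out


def stage_handoff_exceptions(records: Dict[str, Dict[str, Decimal]],
                             stages: List[str]) -> List[Tuple[str, str, Decimal, Decimal]]:
    """Transfers out of stage i must equal additions to stage i+1.
    Returns (from_stage, to_stage, sent, received) for each mismatch."""
    out = []
    for src, dst in zip(stages, stages[1:]):
        sent, received = records[src]["transfers_out"], records[dst]["additions"]
        if sent != received:
            out.append((src, dst, sent, received))
    return out


def count_differences(count: Dict[str, int], perpetual: Dict[str, int]) -> Dict[str, Tuple[int, int]]:
    """Items where the physical count differs from the perpetual record; an
    item on the books but absent from the count is treated as counted 0.
    Returns {item: (perpetual, counted)}."""
    return {item: (perpetual.get(item, 0), count.get(item, 0))
            for item in sorted(set(count) | set(perpetual))
            if perpetual.get(item, 0) != count.get(item, 0)}


def perpetual_vs_gl(perpetual_value: Decimal, gl_control: Decimal) -> Decimal:
    """Difference between the extended perpetual records and the GL control
    account; any adjustment is approved by someone who neither keeps the
    perpetual records nor has custody of the inventory."""
    return gl_control - perpetual_value


if __name__ == "__main__":
    print(roll_forward_exceptions(ROLL_FORWARD))
    print(stage_handoff_exceptions(ROLL_FORWARD, STAGES))
    print(count_differences(COUNT, PERPETUAL_UNITS))
    print(perpetual_vs_gl(PERPETUAL_VALUE, GL_CONTROL))
```

On the sample figures the work-in-process roll-forward is off by 20 and the hand-off check shows that 710 left work-in-process while only 700 arrived in finished goods; the two findings together localize the error to the transfer records between those stages, which is exactly what the prenumbered production reports and transfer records in objective 2 exist to support. The count shows 5 units of RM-2 and all 10 units of RM-3 missing, and the extended perpetual records are 25 below the control account.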

Activity: PROVIDE FINANCIAL AND MANAGEMENT REPORTING
Columns: Objectives | O,F,C | Risks | Points of Focus for Actions/Control Activities

1. Provide timely and accurate information needed by management and others to discharge their responsibility (O)
   Risk: Information needs of management or others are unknown or not clearly communicated
   - Identify user information needs and update such needs periodically
   - Communicate information needs from users to preparers of management reports
   Risk: Due dates and relative priorities of management reports are not clarified or communicated
   - Determine due dates for all management reports, whether routine or nonroutine
   - Establish relative priorities for all management reports, whether routine or nonroutine
   - Communicate management report due dates and priorities to report preparers and users
   - Establish tickler files or another system to ensure due dates are routinely identified
   Risk: Information systems are incapable of providing necessary information
   - Identify information that the system is incapable of generating; identify necessary modifications to the system
   Risk: Information systems cannot provide necessary information in a timely manner
   - Identify and implement necessary systems changes

2. Prepare external financial reports on a timely basis and in compliance with applicable laws, regulations, rules or contractual agreements (F,C)
   Risk: Personnel are unaware of applicable laws, regulations, rules or contractual agreements
   - Retain competent personnel who are knowledgeable of, and have experience with, applicable laws, regulations or rules affecting the entity's external financial reporting
   - Review of significant contractual agreements by management or supervisory personnel responsible for preparation of external financial reports

3. Maintain confidentiality of financial information (O,C)
   Risk: Unauthorized personnel have access to financial information
   - Restrict report or information distribution to authorized personnel; periodically review and update distribution lists

Sample Filled-in Tools

This section presents the evaluation tools presented in blank form earlier, filled in for ABC Company, a hypothetical medium-size aerospace parts manufacturer. ABC Company recently acquired Laker Parts, a smaller company in the same industry. The evaluator's entries (italicized in the printed edition) illustrate how an evaluator might complete these tools.

Control Environment
(Columns: Points of Focus | Description/Comments)

Integrity and Ethical Values

Management must convey the message that integrity and ethical values cannot be compromised, and employees must receive and understand that message. Management must continually demonstrate, through words and actions, a commitment to high ethical standards.

Point of focus: Existence and implementation of codes of conduct and other policies regarding acceptable business practice, conflicts of interest, or expected standards of ethical and moral behavior. For example, consider whether:
- Codes are comprehensive, addressing conflicts of interest, illegal or other improper payments, anticompetitive guidelines, insider trading.
- Codes are periodically acknowledged by all employees.
- Employees understand what behavior is acceptable or unacceptable, and know what to do if they encounter improper behavior.
- If a written code of conduct does not exist, the management culture emphasizes the importance of integrity and ethical behavior. This may be communicated orally in staff meetings, in one-on-one interface, or by example when dealing with day-to-day activities.
Evaluator's comments: The company does not have a formal code of conduct, but expectations of employee conduct are included in a manual. This is provided to all new employees.

Point of focus: Establishment of the "tone at the top", including explicit moral guidance about what is right and wrong, and the extent of its communication throughout the organization. For example, consider whether:
- Commitment to integrity and ethics is communicated effectively throughout the enterprise, both in words and deeds.
- Employees feel peer pressure to do the right thing, or cut corners to make a quick buck.
- Management appropriately deals with signs that problems exist, e.g., potential defective products or hazardous wastes, especially when the cost of identifying problems and dealing with the issues could be large.
Evaluator's comments: Management expects all employees to maintain high moral and ethical standards, and to conduct themselves accordingly. Management is conscious of setting an example through words and actions. This is done anecdotally and sporadically. Management's expectations are communicated to all employees in the manual, and expected to be reinforced by supervisors and workers alike.

Point of focus: Dealings with employees, suppliers, customers, investors, creditors, insurers, competitors, and auditors, etc. (e.g., whether management conducts business on a high ethical plane, and insists that others do so, or pays little attention to ethical issues). For example, consider whether:
- Everyday dealings with customers, suppliers, employees and other parties are based on honesty and fairness (e.g., a customer's overpayment or a supplier's underbilling are not ignored, no efforts are made to find a way to reject an employee's legitimate claim for benefits, and reports to lenders are complete, accurate and not misleading).
Evaluator's comments: Management maintains a high degree of integrity in its dealings, and requires its employees and agents to maintain similar levels. Departures from this requirement are dealt with quickly and severely; there are examples on file of actions taken with individuals and with regard to general communications. Few complaints alleging misconduct have been received from customers or others. Periodically, the CEO speaks with key customers and suppliers regarding their views of treatment by company personnel, and receives positive reactions.

Point of focus: Appropriateness of remedial action taken in response to departures from approved policies and procedures or violations of the code of conduct. Extent to which remedial action is communicated or otherwise becomes known throughout the entity. For example, consider whether:
- Management responds to violations of behavioral standards.
- Disciplinary actions taken as a result of violations are widely communicated in the entity. Employees believe that, if caught violating behavioral standards, they'll suffer the consequences.
Evaluator's comments: Departures that surface from policies and procedures or violations of behavior expectations are immediately dealt with in a manner commensurate with the infraction. Such remedial actions range from oral reminders of company policy to termination.

Point of focus: Management's attitude towards intervention or overriding established controls. For example, consider whether:
- Management has provided guidance on the situations and frequency with which intervention may be needed.
- Management intervention is documented and explained appropriately.
- Manager override is explicitly prohibited.
- Deviations from established policies are investigated and documented.
Evaluator's comments: Management has not attempted to override or bypass controls improperly. Employees are encouraged to report attempts to override controls, and management has supported individuals who have done so by recognizing this on their appraisals.

Point of focus: Pressure to meet unrealistic performance targets, particularly for short-term results, and the extent to which compensation is based on achieving those performance targets. For example, consider whether:
- Conditions such as extreme incentives or temptations exist that can unnecessarily and unfairly test people's adherence to ethical values.
- Compensation and promotions are based solely on achievement of short-term performance targets.
- Controls are in place to reduce temptations that might otherwise exist.
Evaluator's comments: Executives are salaried, and usually receive an additional cash bonus approximating 20% of salary largely related to achieving specific personal or activity objectives. As a result, management's compensation is based primarily on their individual and joint performance and that of the activity in which they work. Management believes that this compensation plan encourages individual initiative and teamwork. Because short-term compensation is only indirectly based on profitability, management has little incentive to manipulate operations or financial statements to improve operating results.

Conclusions/Actions Needed
Management has demonstrated its commitment to integrity and ethical behavior and has communicated that commitment to all employees. The message is continual but anecdotal. Management should consider a more planned program.

Commitment to Competence

Management must specify the level of competence needed for particular jobs, and translate the desired levels of competence into requisite knowledge and skills.

Point of focus: Formal or informal job descriptions or other means of defining tasks that comprise particular jobs. For example, consider whether:
- Management has analyzed, on a formal or informal basis, the tasks comprising particular jobs, considering such factors as the extent to which individuals must exercise judgment and the extent of related supervision.
Evaluator's comments: The Company has formal written job descriptions for all supervisory personnel and, for jobs involving only a few specific tasks, job duties are clearly communicated.

Point of focus: Analyses of the knowledge and skills needed to perform jobs adequately. For example, consider whether:
- Management has determined to an adequate extent the knowledge and skills needed to perform particular jobs.
- Evidence exists indicating that employees appear to have the requisite knowledge and skills.
Evaluator's comments: The job descriptions specify the knowledge and skills needed, either generally or in terms of the nature and extent of education, training and experience required. The human resources department uses these descriptions in hiring, training and promotion decisions.

Conclusions/Actions Needed
The existence of written job descriptions with defined tasks and parameters (e.g., education, training) demonstrates clear management commitment to competence. Management should consider more formal job descriptions for non-supervisory personnel.

Board of Directors or Audit Committee
An active and effective board, or committees thereof,
provides an important oversight function and, because
of managements ability to override system controls, the
board plays an important role in ensuring effective
internal control.

Independence from management, such that
necessary, even if difficult and probing,
questions are raised. For example, consider
whether:
The board constructively challenges
managements planned decisions, e.g., strategic
initiatives and major transactions, and probes for
explanations of past results (e.g., budget
variances).
A board that consists solely of an entitys
officers and employees (e.g., a small
corporation) questions and scrutinizes activities,
presents alternative views and takes appropriate
action if necessary.
The board of directors consists of four
outside directors and three senior
officers of the company. Two of the
outside directors are business
associates of the CEO and chairman.
The secretary and other board meeting
guests report lively discussions between
management and certain outside
directors.
Use of board committees where warranted by
the need for more in-depth or directed attention
to particular matters. For example, consider
whether:
The board has an audit committee,
composed of three outside directors,
and a compensation committee,
composed of the four outside directors.
Board committees exist.
They are sufficient, in subject matter and
membership, to deal with important issues
adequately.

Knowledge and experience of directors. For
example, consider whether:
Directors have sufficient knowledge, industry
experience and time to serve effectively.
Most board members are experienced
businesspeople. One, who owns 12% of
the outstanding common stock, is a
physician who lacks direct management
experience. All board members who are
also officers of the company have
extensive aerospace industry
experience, as does one of the outside
directors.
Frequency and timeliness with which meetings
are held with chief financial and/or accounting
The companys internal audit manager,
a recent hire, meets quarterly with the

138

officers, internal auditors and external auditors.
For example, consider whether:
The audit committee meets privately with the
chief accounting officer and internal and external
auditors to discuss the reasonableness of the
financial reporting process, system of internal
control, significant comments and
recommendations, and managements
performance.
The audit committee reviews the scope of
activities of the internal and external auditors
annually.
audit committee. The audit committee
meets with the external auditors at least
twice each yearduring audit planning
and upon completion of the audit. The
CFO is a director, and has frequent
interaction with other directors.
Sufficiency and timeliness with which
information is provided to board or committee
members, to allow monitoring of managements
objectives and strategies, the entitys financial
position and operating results, and terms of
significant agreements. For example, consider
whether:
The board regularly receives key information,
such as financial statements, major marketing
initiatives, significant contracts or negotiations.
Directors believe they receive the proper
information.
The board members are provided
monthly financial statementsincluding
a comparison of current-year actual
results to budget and the prior yearas
well as certain operating statistics and
analyses. These are given by the
fifteenth of each month in sufficient
detail to allow meaningful analysis
prior to the Board meetings. Board
meetings are held on the last Friday of
each month. Board approval is required
for expenditures over $250,000, and
to accept any sales orders over
$1,000,000. Board approval of sales
orders is normally received during
special meetings conducted by
telephone.
Point of Focus: Sufficiency and timeliness with which the board or audit committee is apprised of sensitive information, investigations and improper acts (e.g., travel expenses of senior officers, significant litigation, investigations of regulatory agencies, defalcations, embezzlement or misuse of corporate assets, violations of insider trading rules, political payments, illegal payments). For example, consider whether:
- A process exists for informing the board of significant issues.
- Information is communicated timely.
Description/Comments: Company policy dictates that the board be notified, by certified mail, within three business days of any litigation deemed likely to result in loss of over $100,000, any regulatory investigation, or defalcation, embezzlement or other improper act of any employee or officer at or above the manager level. Any such act by an employee below the manager level that results in a company loss in excess of $2,000 is reported to the board. Officer expense accounts and perks are reviewed by the board semiannually.

Point of Focus: Oversight in determining the compensation of executive officers and head of internal audit, and the appointment and termination of those individuals. For example, consider whether:
- The compensation committee approves all management incentive plans tied to performance.
- The compensation committee, in joint consultation with the audit committee, deals with compensation and retention issues regarding the chief internal auditor.
Description/Comments: The compensation committee annually determines the compensation of the CEO and the head of internal audit.


Point of Focus: Role in establishing the appropriate tone at the top. For example, consider whether:
- The board and audit committee are involved sufficiently in evaluating the effectiveness of the tone at the top.
- The board takes steps to ensure an appropriate tone.
- The board specifically addresses management's adherence to the code of conduct.
Description/Comments: The board encourages management to establish and enforce high ethical and moral standards. The outside directors do not actively participate in establishing those standards, though they do monitor management's compliance with those standards.

Point of Focus: Actions the board or committee takes as a result of its findings, including special investigations as needed. For example, consider whether:
- The board has issued directives to management detailing specific actions to be taken.
- The board oversees and follows up as needed.
Description/Comments: The board ordinarily leaves follow-up to management's discretion, and rarely conducts special investigations.

Conclusions/Actions Needed
The board of directors and audit committee contribute meaningfully to the effectiveness of the
control environment. Management should strive, however, to involve the board more closely in
special investigations.
Management's Philosophy and Operating Style
The philosophy and operating style of management normally have a pervasive effect on an entity. These are, of course, intangibles, but one can look for positive or negative signs.

Point of Focus: Nature of business risks accepted, e.g., whether management often enters into particularly high-risk ventures, or is extremely conservative in accepting risks. For example, consider whether:
- Management moves carefully, proceeding only after carefully analyzing the risks and potential benefits of a venture.
Description/Comments: Management is relatively risk averse, being conservative in its business practices. The company's debt to equity ratio is among the lowest in the industry; business acquisitions are researched thoroughly, evidenced by the plan developed for the Laker Parts acquisition, which analyzed competition, markets, pricing structure and vendor and customer relationships. Capital acquisitions are financed initially through existing bank credit lines with permanent financing provided by collateralized long-term borrowings. The company recently retained outside consultants to consider how to better control medical plan and workers' compensation costs.

Point of Focus: Personnel turnover in key functions, e.g., operating, accounting, data processing, internal audit. For example, consider whether:
- There has been excessive turnover of management or supervisory personnel.
- Key personnel have quit unexpectedly or on short notice.
- There is a pattern to turnover (e.g., inability to retain key financial or internal audit executives) that may be an indicator of the emphasis that management places on control.
Description/Comments: Personnel turnover has been at satisfactory levels for many years. There was greater turnover at Laker Parts immediately prior to acquisition; such turnover was apparently related to the pending sale of the company, and was not considered a problem by management because it did not involve key skills.

Point of Focus: Management's attitude toward the data processing and accounting functions, and concerns about the reliability of financial reporting and safeguarding of assets. For example, consider whether:
- The accounting function is viewed as a necessary group of "bean counters", or as a vehicle for exercising control over the entity's various activities.
- The selection of accounting principles used in financial statements always results in the highest reported income.
- If the accounting function is decentralized, operating management signs off on reported results.
- Unit accounting personnel also have responsibility to central financial officers.
- Valuable assets, including intellectual assets and information, are protected from unauthorized access or use.
Description/Comments: The information systems department consists of 10 full-time employees, including two experienced managers who report to the CFO, with a current budget of $3 million, sufficient for its needs. Project estimates, such as costs to complete open contract jobs, are prepared by knowledgeable personnel and reviewed and approved by appropriate operating and financial management. All financial reports are reviewed by the controller, the CFO and the CEO before release. Annual financial statements are reviewed by the board of directors before release.

Point of Focus: Frequency of interaction between senior management and operating management, particularly when operating from geographically removed locations. For example, consider whether:
- Senior managers frequently visit subsidiary or divisional operations.
- Group or divisional management meetings are held frequently.
Description/Comments: Senior management and operating management have frequent interaction in both formal and informal settings, such as weekly management meetings and informal lunches. ABC has only one location.

Point of Focus: Attitudes and actions toward financial reporting, including disputes over application of accounting treatments (e.g., selection of conservative versus liberal accounting policies; whether accounting principles have been misapplied, important financial information not disclosed, or records manipulated or falsified). For example, consider whether:
- Management avoids obsessive focus on short-term reported results.
- Personnel do not submit inappropriate reports to meet targets (e.g., salespeople submitting orders to meet targets, knowing customers will return goods in the next period).
- Managers do not ignore signs of inappropriate practices.
- Estimates do not stretch facts to the edge of reasonableness and beyond.
Description/Comments: Management wants financial reports to be accurate and fairly presented. Occasional disagreements arise between operating and financial management and between the company and the external auditors, but management and the auditors work together to determine proper accounting treatments. Such disagreements do not result in an adversarial relationship with the auditors.

Conclusions/Actions Needed
Management's philosophy and operating style are conducive to effective internal control.

Organizational Structure
The organizational structure shouldn't be so simple that it cannot adequately monitor the enterprise's activities nor so complex that it inhibits the necessary flow of information. Executives should fully understand their control responsibilities and possess the requisite experience and levels of knowledge commensurate with their positions.

Point of Focus: Appropriateness of the entity's organizational structure, and its ability to provide the necessary information flow to manage its activities. For example, consider whether:
- The organizational structure is appropriately centralized or decentralized, given the nature of the entity's operations.
- The structure facilitates the flow of information upstream, downstream and across all business activities.
Description/Comments: The organizational structure of the company has recently been modified to accommodate the divestiture of the defense division and the acquisition of Laker Parts. Management believes the new structure is appropriate. However, the new structure has not been in place long enough to evaluate its effectiveness.

Point of Focus: Adequacy of definition of key managers' responsibilities, and their understanding of these responsibilities. For example, consider whether:
- Responsibilities and expectations for the entity's business activities are communicated clearly to the executives in charge of those activities.
Description/Comments: Key managers' responsibilities have been redefined recently in conjunction with the new organizational structure. Such responsibilities appear adequate for the company's needs, but have not been tested over an extended period. Managers' performance indicates they understand their responsibilities, which are reviewed with them annually.

Point of Focus: Adequacy of knowledge and experience of key managers in light of responsibilities. For example, consider whether:
- The executives in charge have the required knowledge, experience and training to perform their duties.
Description/Comments: All officers have been with the company for at least five years, except for one former Laker executive, and all are highly knowledgeable of the industry and their responsibilities. Certain managers (i.e., controller and director of manufacturing) at Laker Parts joined the company within the last six months, but held similar positions with other companies in the aerospace industry.

Point of Focus: Appropriateness of reporting relationships. For example, consider whether:
- Established reporting relationships, formal or informal, direct or matrix, are effective, and they provide managers information appropriate to their responsibilities and authority.
- The executives of the business activities have access to communication channels to senior operating executives.
Description/Comments: Reporting relationships are logical, and each activity manager reports to the proper company officer. Reporting relationships ensure effective communication between employees, supervisors, managers and officers.

Point of Focus: Extent to which modifications to the organizational structure are made in light of changed conditions. For example, consider whether:
- Management periodically evaluates the entity's organizational structure in light of changes in the business or industry.
Description/Comments: The organizational structure is assessed on an as-needed basis. For example, after the acquisition of Laker Parts, modifications such as integrating administrative functions and consolidating purchasing activities were made to streamline operations.

Point of Focus: Sufficient numbers of employees exist, particularly in management and supervisory capacities. For example, consider whether:
- Managers and supervisors have sufficient time to carry out their responsibilities effectively.
- Managers and supervisors work excessive overtime, and are fulfilling the responsibilities of more than one employee.
Description/Comments: Because of the recent merger with Laker Parts, ABC has more employees than needed. Layoffs are occurring, but management carefully considers who is terminated and the effect the layoffs may have on control. Management evaluates employees' workload, particularly those with supervisory and key control responsibilities, to ensure they are able to discharge their responsibilities effectively.

Conclusions/Actions Needed
The company's organizational structure and reporting relationships are logical and fit the company's activities. However, the recent changes require close monitoring of the effectiveness and appropriateness of the structure in the near term. Pending layoffs as a result of the Laker Parts acquisition must be monitored for effects on supervisory and key control responsibilities.

Assignment of Authority and Responsibility
The assignment of responsibility, delegation of authority and establishment of related policies provide a basis for accountability and control, and set forth individuals' respective roles.

Point of Focus: Assignment of responsibility and delegation of authority to deal with organizational goals and objectives, operating functions and regulatory requirements, including responsibility for information systems and authorizations for changes. For example, consider whether:
- Authority and responsibility are assigned to employees throughout the entity.
- Responsibility for decisions is related to assignment of authority and responsibility.
- Proper information is considered in determining the level of authority and scope of responsibility assigned to an individual.
Description/Comments: Management delegates authority based on the individual's job responsibilities, knowledge, skill and past performance. For example, only the CFO has the perspective necessary to determine if requested program changes to information systems are feasible and required. Accordingly, only he can authorize such changes. In sales, only experienced personnel are assigned to service the large aircraft manufacturers. They are given significant, but not absolute, authority to negotiate contracts, make concessions or take other actions they deem necessary to ensure customer satisfaction. All significant assignments of responsibility and delegations of authority are reviewed by appropriate senior officers.

Point of Focus: Appropriateness of control-related standards and procedures, including employee job descriptions. For example, consider whether:
- Job descriptions, for at least management and supervisory personnel, exist.
- They contain specific references to control-related responsibilities.
Description/Comments: Job standards and control responsibilities are reviewed annually by each vice president and activity manager. The CEO annually considers the appropriateness of reporting relationships through the activity manager level.

Point of Focus: Appropriate numbers of people, particularly with respect to data processing and accounting functions, with the requisite skill levels relative to the size of the entity and nature and complexity of activities and systems. For example, consider whether:
- The entity has an adequate workforce, in numbers and experience, to carry out its mission.
Description/Comments: Because of the recent acquisition of Laker Parts, there are more accounting personnel than necessary. Management is planning to consolidate the accounting activities and is currently evaluating personnel requirements. The information systems department consists of two managers, four programmers and four operators, all of whom are well-trained and competent. This staffing appears adequate for future needs.

Point of Focus: Appropriateness of delegated authority in relation to assigned responsibilities. For example, consider whether:
- There is an appropriate balance between authority needed to get the job done and the involvement of senior personnel where needed.
- Employees at the right level are empowered to correct problems or implement improvements, and empowerment is accompanied by appropriate levels of competence and clear boundaries of authority.
Description/Comments: Job responsibilities are commensurate with needs and skills. Decision making is pushed down to reasonable levels, with sufficient involvement of superiors as needed.

Conclusions/Actions Needed
Authority and responsibility are appropriately established and reviewed by senior management.

Human Resource Policies and Practices
Human resource policies are central to recruiting and retaining competent people to enable the entity's plans to be carried out so its goals can be achieved.

Point of Focus: Extent to which policies and procedures for hiring, training, promoting and compensating employees are in place. For example, consider whether:
- Existing personnel policies and procedures result in recruiting or developing competent and trustworthy people necessary to support an effective internal control system.
- The level of attention given to recruiting and training the right people is appropriate.
- When formal documentation of policies and practices does not exist, management communicates expectations about the type of people to be hired or participates directly in the hiring process.
Description/Comments: The human resources department has established policies and procedures for hiring, training, promoting and compensating employees. Such policies and procedures are reviewed and modified, as needed, at least annually. Also, the VP-Human Resources is responsible for monitoring compliance with the established human resource policies and procedures throughout the company and reports on compliance annually to the Board.

Point of Focus: Extent to which people are made aware of their responsibilities and expectations of them. For example, consider whether:
- New employees are made aware of their responsibilities and management's expectations of them.
- Supervisory personnel meet periodically with employees to review job performance and suggestions for improvement.
Description/Comments: All new supervisory employees are provided written job descriptions which explain their responsibilities. Additionally, they are evaluated annually, and performance goals for the following year are established. Their responsibilities are reviewed with them during this evaluation. Supervisors communicate job duties to personnel who report to them.

Point of Focus: Appropriateness of remedial action taken in response to departures from approved policies and procedures. For example, consider whether:
- Management's response to failures to carry out assigned responsibilities is appropriate.
- Appropriate corrective action is taken as a result of non-adherence to established policies.
- Employees understand that ineffective performance will result in remedial consequences.
Description/Comments: Departures from policies and procedures or violations of behavioral expectations are dealt with in a manner commensurate with the infraction. Remedial actions can range from oral reminders of company policy to additional training to termination.

Point of Focus: Extent to which personnel policies address adherence to appropriate ethical and moral standards. For example, consider whether:
- Integrity and ethical values are criteria in performance appraisals.
Description/Comments: Adherence to ethical standards is a factor specifically addressed on the annual performance evaluation form, and must be considered in the evaluation process.

Point of Focus: Adequacy of employee candidate background checks, particularly with regard to prior actions or activities considered to be unacceptable by the entity. For example, consider whether:
- Candidates with frequent job changes or gaps in employment history are subjected to particularly close scrutiny.
- Hiring policies require investigation for a criminal record.
Description/Comments: For all prospective employees, at least three references, business and personal, are contacted. Employees hired at a supervisor or higher level are interviewed by an industrial psychologist.

Point of Focus: Adequacy of employee retention and promotion criteria and information-gathering techniques (e.g., performance evaluations) and relation to the code of conduct or other behavioral guidelines. For example, consider whether:
- Promotion and salary increase criteria are detailed clearly so that individuals know what management expects prior to promotions or advancement.
- Criteria reflect adherence to behavioral standards.
Description/Comments: All employees must comply with the company's behavioral expectations to retain their jobs. Candidates for promotion to supervisor or higher level must have demonstrated a commitment to ethical standards through their own actions, and by setting an example for other employees. Information is accumulated primarily through the performance evaluation process, and less formally through memos or comments submitted by supervisors or peers. Comments indicating departure from behavioral standards are investigated before being considered in retention or promotion decisions.

Conclusions/Actions Needed
Personnel policies and practices are appropriate.

Component Summary: Conclusions/Actions Needed
Management has a commitment to integrity, ethical behavior and competence. The board's involvement in the company's activities is generally appropriate, though it could be more involved in special investigations. Management's philosophy and operating style are appropriate as are the organizational structure and assignment of authority and responsibility. Management must continue to monitor the effects of the acquisition of Laker Parts, especially the revised organizational structure and pending layoffs. Personnel policies and practices are adequate.

Risk Assessment
Points of Focus   Description/Comments
Entity-Wide Objectives
For an entity to have effective control, it must have established objectives. Entity-wide objectives include broad statements of what an entity desires to achieve, and are supported by related strategic plans. Describe the entity-wide objectives and key strategies that have been established.
Description/Comments: The objectives, as documented in ABC's business plan and confirmed by management, are:
- Operations: Become a leader in providing high-quality aerospace parts critical to flight-safety. Within five years, reach a 2 percent share of the domestic market and a 10 percent share of the foreign market.
  Earn an 18 percent return on total investment.
  Provide employees challenging opportunities and stable employment.
- Financial Reporting: Issue timely financial statements that comply with generally accepted accounting principles.
- Compliance: Comply with the letter and the spirit of all applicable laws and regulations.

Point of Focus: Extent to which the entity-wide objectives provide sufficiently broad statements and guidance on what the entity desires to achieve, yet which are specific enough to relate directly to this entity. For example, consider whether:
- Management has established entity-wide objectives.
- The entity-wide objectives are different from generic objectives that could apply to any entity (e.g., generate sufficient cash flow to service debt, or produce a reasonable return on investment).
Description/Comments: These objectives state what this company wants to achieve in terms of quality, market, market share and return on investment. These are necessarily broad statements, yet tailored to this company. They provide direction and guidance for management and employees.

Point of Focus: Effectiveness with which the entity-wide objectives are communicated to employees and board of directors. For example, consider whether:
- Information on the entity-wide objectives is disseminated to employees and the board of directors.
- Management obtains feedback from key managers, other employees and the board signifying that communication to employees is effective.
Description/Comments: These objectives are included in our annual business plan, distributed to employees and discussed at the annual employees' meeting and in various departmental and unit meetings. The board of directors helps to establish entity-wide objectives and approves the business plan.

Point of Focus: Relation and consistency of strategies with entity-wide objectives. For example, consider whether:
- The strategic plan supports the entity-wide objectives.
- It addresses high level resource allocations and priorities.
Description/Comments: Strategic plans (driving at producing to strict tolerances in a total quality program, and directing marketing resources to key players and influencers) support the operations objectives.

Point of Focus: Consistency of business plans and budgets with entity-wide objectives, strategic plans and current conditions. For example, consider whether:
- Assumptions inherent in the plans and budgets reflect the entity's historical experience and current conditions.
- Plans and budgets are at an appropriate level of detail for each management level.
Description/Comments: The company's five-year business plan is updated annually by management and is approved by the board. It reflects implementation strategies for achieving the stated company-wide objectives. Part of the annual updating of the business plan includes identifying departmental and unit objectives, and establishing detailed operating and capital expenditure budgets. Departmental and unit managers are actively involved in establishing objectives and budgets. All plans and budgets are reviewed and approved by senior management, assuring that plans and budgets are consistent with one another, and reflect historical experience and current economic and industry conditions.

Conclusions/Actions Needed
The company-wide objectives and strategies are set at an appropriate level and are linked,
addressing what the entity is to achieve and how it will be achieved.





Activity-Level Objectives
Activity-level objectives flow from and are linked with
the entity-wide objectives and strategies. Activity-level
objectives are frequently stated as goals with specific
targets and deadlines. Objectives should be established
for each significant activity, and those activity-level
objectives should be consistent with each other.

Point of Focus: Linkage of activity-level objectives with entity-wide objectives and strategic plans. For example, consider whether:
- Adequate linkage exists for all significant activities.
- Activity-level objectives are reviewed from time to time for continued relevance.
Description/Comments: Activity-level objectives are based on and flow from the entity-wide objectives and strategic plans. Unit heads present activity objectives to their vice president who ensures the linkage with the entity-wide objectives. For instance, with emphasis on producing high quality parts critical to flight-safety, vendor qualification requirements were modified to highlight quality considerations; and receiving department procedures, employee head count, training requirements and equipment acquisitions were all modified to reflect the increased importance of material testing. Production processes were altered, and additional quality assurance personnel hired.

Point of Focus: Consistency of activity-level objectives with each other. For example, consider whether:
- They are complementary and reinforcing within activities.
- They are complementary and reinforcing between activities.
Description/Comments: Activity-level objectives are designed to support achievement of entity-wide objectives. To ensure consistency, senior management reviews objectives of all activities for which they are responsible. The CEO also reviews activity-level objectives to provide a broad perspective and to ensure consistency.

Point of Focus: Relevance of activity-level objectives to all significant business processes. For example, consider whether:
- Objectives are established for key activities in the flows of goods and services and support activities.
- Activity-level objectives are consistent with past practices and performances or with industry or functional analogues, or the reasons for variance have been considered.
Objectives are established for each significant activity. These activities may include, among others (the activities listed derive from a generic business model, pages 52 to 55; illustrative objectives for each of these activities are presented in the Reference Manual, pages 57 to 129):
- Inbound
- Operations
- Outbound
- Marketing and Sales
- Service
- Procurement
- Technology Development
- Human Resources
- Manage the Enterprise
- Manage External Relations
- Provide Administrative Services
- Manage Information Technology
- Manage Risks (of accident or other insurable loss)
- Manage Legal Affairs
- Plan
- Process Accounts Payable
- Process Accounts Receivable
- Process Funds
- Process Fixed Assets
- Analyze and Reconcile
- Process Benefits and Retiree Information
- Process Payroll
- Process Tax Compliance
- Process Product Costs
- Provide Financial and Management Reporting
Description/Comments: Supervised by the appropriate vice president, each department annually reviews its participation in business processes to ensure they support activity-level objectives. Specific attention is devoted to adequacy of information and to the appropriateness of each employee's activities. Activity-level objectives are consistent with the company's objectives and practices of the last four years. Companies within the industry share similar objectives and practices.
Each department or unit develops objectives in conjunction with the annual business plan update. See pages 182 to 199 for analysis of Inbound activities. [Similar analyses for other activities are not shown.]

Point of Focus: Specificity of activity-level objectives. For example, consider whether:
- Objectives include measurement criteria.
Description/Comments: Activity-level objectives are as specific as possible. They are defined in a manner that makes determination of objective achievement a fairly simple matter.

Point of Focus: Adequacy of resources relative to objectives. For example, consider whether:
- Management has identified the resources needed to achieve the objectives.
- Plans exist for acquiring necessary resources (e.g., financing, personnel, facilities, technology).
Description/Comments: Business plans and budgets are based on and drive needs and allocations. They also serve as a reality check on new initiatives. For instance, the business plan for developing a line of navigational equipment indicated that the necessary financial and management resources could be obtained only at unacceptably high cost and risk. Accordingly, the plan was discarded.

Point of Focus: Identification of objectives that are important (critical success factors) to achievement of entity-wide objectives. For example, consider whether:
- Management has identified what must go right, or where failure must be avoided, for entity-wide objectives to be achieved.
- Capital spending and expense budgets are based on management's analysis of the relative importance of objectives.
- The objectives serving as critical success factors provide a basis for particular management focus.
Description/Comments: The company has prioritized activity-level objectives into three categories: critical, important and supportive. These prioritizations are reviewed regularly and whenever a changed condition requires modification of objectives or how the company does business.

Point of Focus: Involvement of all levels of management in objective setting and extent to which they are committed to the objectives. For example, consider whether:
- Managers participate in establishing activity objectives for which they are responsible.
- Procedures exist to resolve disagreements.
- Managers support the objectives, and do not have hidden agendas.
Description/Comments: All managers are involved in establishing entity-wide objectives. Final decisions are made by senior management (CFO, manufacturing and marketing vice presidents), after considering the managers' input. Modifications to activity-level objectives are discussed by the appropriate vice president and unit manager. Unresolved issues are addressed by the CEO. Unit plans are modified as necessary based on the final objectives.

Conclusions/Actions Needed
Activity-level objectives are linked to the entity-wide objectives. Managers' involvement in developing the activity-level objectives contributes to establishing achievable goals.

Risks
An entity's risk-assessment process should identify and consider the implications of relevant risks, at both the entity level and the activity level. The risk-assessment process should consider external and internal factors that could impact achievement of the objectives, should analyze the risks, and provide a basis for managing them.

Points of Focus: Adequacy of mechanisms to identify risks arising from external sources. For example, consider whether management considers risks related to:
- Supply sources
- Technology changes
- Creditors' demands
- Competitors' actions
- Economic conditions
- Political conditions
- Regulation
- Natural events

Description/Comments: Management obtains input on entity risks from industry consultants and analysts, lawyers, external auditors and board members. Management's assessment of key risks follows:

Risk: Vendors' inability to supply materials that consistently meet the Company's production specifications.
The Company has an effective quality control function and monitors each vendor's performance. Procedures at the Inbound Activity level are adequate to address this risk.

Risk: Insufficient vendor production capacity to meet the Company's demand for materials.
Several major vendors are available to meet the Company's supply needs. There appears to be little exposure to a shortage of suppliers. The Company's Purchasing Activity monitors available vendors.

Risk: Significant jump in material costs due to changes in demand or economic conditions.
Material costs do fluctuate periodically in response to changes in commodities prices. The Company should consider using futures contracts for certain materials to hedge cost increases.

Risk: Federal Trade Commission investigation of the Laker Parts acquisition for possible restraint of trade.
The Company projects having a 2% and 10% share of the domestic and foreign markets, respectively. An unfavorable ruling is unlikely.

Risk: Assessments from the Internal Revenue Service's examination of open federal income tax returns.
Tax returns for the three previous years are open for IRS examination. The Company maintains conservative tax practices and has established reserves for possible tax assessments.

Risk: FAA may place further onerous requirements on production of replacement parts used in the airline industry.
It is likely that the FAA will require replacement parts to be more durable. Research and development is currently considering alternative production processes and materials. We are probably slightly ahead of competitors in this regard.

Risk: A major competitor's penetration of foreign markets as a result of its recent acquisition of a German company, jeopardizing ABC's achieving a 10% share of the foreign market within five years.
Sales and Marketing Activities are considering this factor in developing strategies to penetrate foreign markets and achieve the Company's growth objectives.

Risk: Pentagon cutbacks on defense spending could result in excess production capacity.
ABC has a 3-year backlog of government contracts. No immediate impact of government spending reductions.

Risk: Economic and political conditions could curb commercial airline travel and reduce demand for new aircraft.
Airline travel may fall during the next several years but demand for parts should remain strong, due to a large backlog for new aircraft and an aging airline fleet. No significant impact is expected.

Risk: An unstable U.S. dollar coupled with increased sales to foreign companies could result in foreign currency exchange losses.
Consider hedging foreign currency transactions.

Risk: ABC's major competitors have modernized production processes and reduced their labor force by 15%. The Company has been slow to do likewise.
This needs immediate attention, or there could be a risk of losing business.
Points of Focus: Adequacy of mechanisms to identify risks arising from internal sources. For example, consider whether management considers risks related to:
- Human resources, such as retention of key management personnel or changes in responsibilities that can affect the ability to function effectively.
- Financing, such as availability of funds for new initiatives or continuation of key programs.
- Labor relations, such as compensation and benefit programs to keep the entity competitive with others in the industry.
- Information systems, such as the adequacy of back-up systems in the event of failure of systems that could significantly affect operations.

Description/Comments: Risks from internal sources are evaluated. Management's assessment of such risks follows:

Risk: The Company may experience short-term cash flow problems because of its recent acquisition of Laker Parts and its plans to increase cash dividends to shareholders.
Projections show that combining Laker Parts and ABC will result in annual cash savings of approximately $2.8 million per year, starting third quarter this year. Cash flow from operations of approximately $2.5 million is sufficient to service the acquisition debt. Capital expenditures are being financed through long-term collateralized financing. The Company has additional borrowing capacity, as evidenced by an unused $4.5 million revolving line of credit. No further actions are necessary to control this risk.

Risk: Profit margins on certain product lines are shrinking.
ABC is shifting the emphasis on certain product lines, moving away from lower-margin products to higher-margin, flight-safety-critical parts. In addition, expanding markets in Europe offer new opportunities. The business plan addresses these issues, and performance to plan should be closely monitored. No additional actions are necessary.

Risk: Labor strife.
ABC foresees no labor problems. The union workforce is fully staffed with experienced and capable people. Relations with the Company's in-house labor bargaining unit are good. The union contract is scheduled to be renegotiated in 1992. No action needed.

Risk: Because of the recent acquisition of Laker Parts, selected administrative positions have been eliminated, creating uncertainty among some employees about long-term job security.
Management has taken steps to limit fallout from these layoffs:
- Management has communicated why the layoffs were necessary, and provided evidence that they relate solely to the acquisition and not to long-term business problems.
- Terminated employees were given generous severance packages.
- Supervisory personnel are monitoring employee morale.

Risk: Integrating the operations and information systems of Laker Parts could disrupt existing operations (e.g., manufacturing, quality assurance and marketing).
The Vice President-Operations has been charged with the responsibility of integrating the Laker Parts operation. The integration plan, approved by the CEO, includes deadlines and performance measures. The status of integration and any deviation from schedule are reported weekly.
Points of Focus: Identification of significant risks for each significant activity-level objective. (Consider risks identified with respect to each of the activities identified under activity-level objectives; illustrative risks relative to common objectives are presented in the Reference Manual, pages 57 to 129.)

Description/Comments: Business plans and budgets for key activities relate activity-level objectives to risks and action plans. See pages 182 to 199. [Similar analyses for other activities are not shown.]
Points of Focus: Thoroughness and relevance of the risk analysis process, including estimating the significance of risks, assessing the likelihood of their occurring and determining needed actions. For example, consider whether:
- Risks are analyzed through formal processes or informal day-to-day management activities.
- The identified risks are relevant to the corresponding activity objective.
- Appropriate levels of management are involved in analyzing the risks.

Description/Comments: As noted, the business planning and budgeting process includes analyzing risks that might affect the company. Senior management also has monthly meetings to discuss recent events and how the company might be affected.

Conclusions/Actions Needed
The company's process for identifying and analyzing risk is adequate based on the nature of the company's operations. Items identified as needing attention include:
- Consider techniques to hedge cost increases for certain materials.
- Immediately assess progress on modernizing production processes.
- Monitor integration and market/product-shift projects.
Managing Change
Economic, industry and regulatory environments change and entities' activities evolve. Mechanisms are needed to identify and react to changing conditions.

Points of Focus: Existence of mechanisms to anticipate, identify and react to routine events or activities that affect achievement of entity or activity-level objectives (usually implemented by managers responsible for the activities that would be most affected by the changes). For example, consider whether:
- Routine changes are addressed as part of the normal risk identification and analysis process, or through separate mechanisms.
- Risks and opportunities related to the changes are addressed at sufficiently high levels in the organization so their full implications are identified and appropriate action plans formulated.
- All activities within the entity significantly affected by the change are brought into the process.

Description/Comments: Functional managers identify routine events or changing conditions affecting their spheres of responsibility. Management holds semimonthly meetings where identified changes are discussed and action plans are formulated. Follow-up occurs at subsequent meetings, with decisions made regarding the need for new controls.

Points of Focus: Existence of mechanisms to identify and react to changes that can have a more dramatic and pervasive effect on the entity, and may demand the attention of top management. For example, for each of the following areas of potential change, consider whether:

Changed operating environment:
- Market research or other programs identify major shifts in customer demographics, preferences or spending patterns.
- The entity is aware of significant shifts in the workforce, externally or internally, that could affect available skill levels.
- Legal counsel periodically updates management on the implications of new legislation.

New personnel:
- Special action is taken to ensure new personnel understand the entity's culture and perform accordingly.
- Consideration is given to key control activities performed by personnel being moved.

New or redesigned information systems:
- Mechanisms exist to assess the effects of new systems.
- Procedures are in place to reconsider the appropriateness of existing control activities when new computer systems are developed and go live.
- Management knows whether systems development and implementation policies are adhered to despite pressures to short-cut the process.
- Attention is given to the effect of new systems on information flows and related controls, and employee training, including focus on employee resistance to change.

Rapid growth:
- Systems capability is upgraded to handle rapidly increasing volumes of information.
- Workforce in operations, accounting and data processing is expanded as needed to keep pace with increased volume.
- A process for revising budgets or forecasts exists.
- A process exists for considering interdepartmental implications of revised unit objectives and plans.

New technology:
- Information on technological developments is obtained through reporting services, consultants, seminars or perhaps joint ventures with companies in the forefront of research and development relevant to the entity.
- New technologies, or applications, developed by competitors are monitored.
- Mechanisms exist for taking advantage, and controlling the use, of new technology applications, incorporating them into production processes or information systems.

New lines, products, activities and acquisitions:
- The ability exists to reasonably forecast operating and financial results.
- The adequacy of existing information systems and control activities for the new line, product or activity is assessed.
- Plans are developed for recruiting and training people with the requisite expertise to deal with new products or activities.
- Procedures are in place to track early results, and to modify production and marketing as needed.
- Financial reporting, legal and regulatory requirements are identified and complied with.
- The effects on other company products, and on profitability, are monitored.
- Overhead allocations are modified to reflect product contribution accurately.

Corporate restructuring:
- Staff reassignments or reductions are analyzed for their potential effect on related operations.
- Transferred or terminated employees' control responsibilities are reassigned.
- Impact on morale of remaining employees, after major downsizing, is considered.
- Safeguards exist to protect against disgruntled former employees.

Foreign operations:
- Management keeps abreast of the political, regulatory, business and social culture of areas in which foreign operations exist.
- Personnel are made aware of accepted customs and rules.
- Alternative procedures exist in case activities of or communication mechanisms with foreign operations are interrupted.

Description/Comments: Management uses a variety of mechanisms to identify events or activities that may affect achievement of objectives. These include reviewing business and industry publications, participation in industry associations, and use of consultants and other professionals to acquire specific information. Outside counsel monitors legal developments that could affect the company. Top management monitors changes in the national economy and the health of the aircraft industry (e.g., new orders, backlogs, types of aircraft being ordered, changing technologies, employment levels) through an industry reporting service. Activities of competitors are monitored through trade association affiliations, frequent interaction with the aircraft manufacturers and analysis of competitor proposal bids.

The company has had little turnover, especially in key control functions. All new employees or executives (e.g., from Laker Parts) in such key positions are carefully supervised initially to ensure the appropriateness of their actions and focus.

The Vice President of Engineering/Research monitors new technologies that can be incorporated in the company's products, or are being developed by competitors. Such technologies are brought to the attention of senior management and the board. The Vice President of Operations monitors technological developments that could be used in the manufacturing process, and the CFO and Information Systems manager identify new technologies that can be incorporated in the company's information systems. Implementation plans are developed by department or activity managers and senior management, and approved by the board of directors.

When considering development of new product lines, considerable attention is given to customer demand, production capabilities, profitability implications, information systems needs, etc. The new product development form provides the discipline for focusing on these issues.

Staff reassignments or reductions as a result of the Laker Parts acquisition are approved by the vice president responsible for each activity. Managers and supervisors have been told to be particularly sensitive to signs of possible morale problems. Management has held employee meetings to explain the reasons for the reductions and to emphasize the strength and stability of ABC, Inc. Unit managers meet individually with their V.P. to decide what action might be needed to alleviate morale problems.

Because the company plans on expanding its penetration of the European market, we have hired local personnel with substantial aviation experience to lead operations in key countries, including the U.K., Germany and France. Their responsibilities include monitoring changes in the industry and business community, focusing particularly on the unification of the European Community.
Conclusions/Actions Needed
Controls to identify and react to changes are adequate.
Continue to watch for potential morale weakness from former Laker Parts employees. Consider having human resources periodically survey attitudes and monitor performance.

Component Summary: Conclusions/Actions Needed
The procedures for linking company-wide objectives with activity-level objectives are appropriate. Manager involvement at all levels contributes to establishing achievable goals. Risk assessment processes for identifying and analyzing risks are appropriate, as are the mechanisms to monitor changing conditions.
Management should consider techniques to mitigate risk of price fluctuation for certain materials. Management should also determine how to speed progress in modernizing plant facilities. Morale weakness from the Laker Parts acquisition should continue to be monitored.

Control Activities
Points of Focus / Description/Comments
Control activities encompass a wide range of policies and the related implementation procedures that help ensure that management's directives are effected. They help ensure that those actions identified as necessary to address risks to achieve the entity's objectives are carried out.

Points of Focus: Existence of appropriate policies and procedures necessary with respect to each of the entity's activities.
All relevant objectives and associated risks for each significant activity should have been identified in conjunction with evaluating Risk Assessment. Reference may be made to the Reference Manual (pages 57 to 129), which presents, for common business activities, illustrative objectives, risks, and points of focus for actions/control activities. The listings in that latter column may be useful in identifying what actions management has directed to address the risks, and considering the appropriateness of control activities the entity applies to see that the actions are carried out. It should be recognized that points of focus for general controls (or general computer controls) are presented in the Reference Manual under the activity Manage Information Technology.

Description/Comments: Unit managers develop controls relevant to their particular activity's plans and programs. Controls for critical success factors are reviewed by the respective Vice Presidents. See pages 182 to 199 for control activities related to the inbound activity. [Similar analyses for other activities are not shown.]

Points of Focus: Identified control activities in place are being applied properly. For example, consider whether:
- Controls described in policy manuals are actually applied and are applied the way that they're supposed to be.
- Appropriate and timely action is taken on exceptions or information that requires follow-up.
- Supervisory personnel review the functioning of controls.

Description/Comments: ABC's policies require, and training programs emphasize the importance of, following up on deviations from expected results or plans to determine the cause for the deviation. Employees are evaluated on their follow-up actions.

Component Summary: Conclusions/Actions Needed
The company's process for identifying control activities is based on its objectives and risks, and appears to be effective.
Control activities are in place for significant plans and programs. They are responsive to management's needs.
Actions needed with respect to inbound activities:
- Policies and procedures must be developed to improve the flow of large quantities of materials through receiving and testing.
- Consideration should be given to eliminating any overlap in the use of engineering personnel in initial testing.
- Management should consider establishing policies to control situations where personnel place undue pressure on receiving to accept materials.
- Management should consider providing training on laws and regulations relating to hazardous materials.

Information and Communication
Points of Focus / Description/Comments
Information
Information is identified, captured, processed and reported by information systems. Relevant information includes industry, economic and regulatory information obtained from external sources, as well as internally generated information.

Points of Focus: Obtaining external and internal information, and providing management with necessary reports on the entity's performance relative to established objectives. For example, consider whether:
- Mechanisms are in place to obtain relevant external information, on market conditions, competitors' programs, legislative or regulatory developments and economic changes.
- Internally generated information critical to achievement of the entity's objectives, including that relative to critical success factors, is identified and regularly reported.
- The information that managers need to carry out their responsibilities is reported to them.

Description/Comments: The entity-wide strategic plan, developed by management, identifies the internally and externally generated information required to analyze and monitor the entity-wide objectives. Information derived from external sources, such as Dun & Bradstreet, trade association publications and outside counsel, includes industry, economic and regulatory data for analysis of market and industry trends, safety records, market share information and compliance with aviation standards. Internally generated information includes reports of gross margins on various product lines and service quality offered by the Company. (See also Risk Assessment.)

Points of Focus: Providing information to the right people in sufficient detail and on time to enable them to carry out their responsibilities efficiently and effectively. For example, consider whether:
- Managers receive analytical information that enables them to identify what action needs to be taken.
- Information is provided at the right level of detail for different levels of management.
- Information is summarized appropriately, providing pertinent information while permitting closer inspection of details as needed rather than just a sea of data.
- Information is available on a timely basis to allow effective monitoring of events and activities, internal and external, and prompt reaction to economic and business factors and control issues.

Description/Comments: Project groups, in liaison with the Information Systems Steering Committee, identify information required by users to run the Company's operations effectively, and are responsible for ensuring that any deficiencies in the current information systems are addressed by the information system initiatives. Information due dates have been clearly defined and agreed upon by management. Actual performance, including availability and response times, is monitored weekly and reported to the CFO.

Points of Focus: Development or revision of information systems based on a strategic plan for information systems, linked to the entity's overall strategy, and responsive to achieving the entity-wide and activity-level objectives. For example, consider whether:
- A mechanism (e.g., an information technology steering committee) is in place for identifying emerging information needs.
- Information needs and priorities are determined by executives with sufficiently broad responsibilities.
- A long-range information technology plan has been developed and linked with strategic initiatives.

Description/Comments: The strategic plan for information systems is developed by the Information Systems Steering Committee, comprising management representatives from each user activity area. The plan is updated annually in conjunction with revisions of the Company's business plan, and on an interim basis whenever significant revisions are made to the business plan, to ensure that information systems continue to support the entity's needs.

Points of Focus: Management's support for the development of necessary information systems is demonstrated by the commitment of appropriate resources, human and financial. For example, consider whether:
- Sufficient resources (managers, analysts, programmers with the requisite technical abilities) are provided as needed to develop new or enhanced information systems.

Description/Comments: Management established the Information Systems Steering Committee, whose members devote substantial time to evaluating the adequacy of existing systems and developing recommended system enhancements.

Conclusions/Actions Needed
Information systems provide management with the information it wants, and on a timely basis, to manage the company effectively.

Communication
Communication is inherent in information processing. Communication also takes place in a broader sense, dealing with expectations and responsibilities of individuals and groups. Effective communication must occur down, across and up an organization and with parties external to the organization.

Points of Focus: Effectiveness with which employees' duties and control responsibilities are communicated. For example, consider whether:
- Communication vehicles (formal and informal training sessions, meetings and on-the-job supervision) are sufficient in effecting such communication.
- Employees know the objectives of their own activity and how their duties contribute to achieving those objectives.
- Employees understand how their duties affect, and are affected by, duties of other employees.

Description/Comments: Following issuance of the annual report, the CEO holds a meeting with employees to review the year's results. He also discusses the company-wide objectives for the coming year, and how management intends to achieve those objectives. Following that meeting, departmental vice presidents meet with unit personnel to explain how the activities of that unit relate to achieving the company-wide objectives.

As part of initial training, all employees are provided with information regarding their duties and how those duties impact other employees in their own and other units. Many employees are cross-trained, which further strengthens this understanding. Each employee receives an annual evaluation, during which his or her responsibilities are discussed, to ensure he or she fully understands them.

Points of Focus: Establishment of channels of communication for people to report suspected improprieties. For example, consider whether:
- There's a way to communicate upstream through someone other than a direct superior, such as an ombudsman or corporate counsel.
- Anonymity is permitted.
- Employees actually use the communication channel.
- Persons who report suspected improprieties are provided feedback, and have immunity from reprisals.

Description/Comments: The employee handbook states that suspected violations of company policies or behavioral standards should be reported to a vice president, as described above. Such reports can be made anonymously.

Employees have utilized existing communication channels to report suspected improprieties. Additionally, employees from time to time ask their supervisors for policy interpretations and for guidance when proper actions or behavior is not clearly evident. The company does not provide feedback to employees who report suspected improprieties, except to thank them for their concern. Employees who report suspected improprieties are immune from reprisals, unless it is discovered (as occurred once) that the report was fabricated and filed with malicious intent. Management encourages employees to report suspected improprieties and has investigated all such reports.
Points of Focus: Receptivity of management to employee suggestions of ways to enhance productivity, quality or other similar improvements. For example, consider whether:
- Realistic mechanisms are in place for employees to provide recommendations for improvement.
- Management acknowledges good employee suggestions by providing cash awards or other meaningful recognition.

Description/Comments: Senior management is receptive to constructive suggestions regardless of their source. On several occasions, cash awards have been made for particularly good suggestions. Several department managers are not receptive to such suggestions, and are being encouraged to be more open to them.
Points of Focus: Adequacy of communication across the organization (for example, between procurement and production activities) and the completeness and timeliness of information and its sufficiency to enable people to discharge their responsibilities effectively. For example, consider whether:
- Salespeople inform engineering, production and marketing of customer needs.
- Accounts receivable personnel advise the credit approval function of slow payers.
- Information on competitors' new products or warranties reaches engineering, marketing and sales personnel.

Description/Comments: Communication between departments or units is generally good. Employees are evaluated on how well they work with other activities. Also, many functions are integrated for purposes of bonus computations. Sales, procurement, inbound and manufacturing, for example, are all evaluated based on a number of factors, including profitability.

Points of Focus: Openness and effectiveness of channels with customers, suppliers and other external parties for communicating information on changing customer needs. For example, consider whether:
- Feedback mechanisms with all pertinent parties exist.
- Suggestions, complaints and other input are captured and communicated to relevant internal parties.
- Information is reported upstream as necessary and follow-up action taken.

Description/Comments: Salespeople actively seek feedback from customers as it relates to complaints, design improvement, repair needs, and the like. Input is communicated to the appropriate personnel (e.g., engineering and production) at the biweekly joint departmental meetings. Sales and operating management meet with key customers and suppliers periodically to obtain firsthand input.
Points of Focus: Extent to which outside parties have been made aware of the entity's ethical standards. For example, consider whether:
- Important communications to outside parties are delivered by a management level commensurate with the nature and importance of the message (e.g., a senior executive periodically explains in writing the entity's ethical standards to outside parties).
- Suppliers, customers and others know the entity's standards and expectations regarding actions in dealing with the entity.
- Such standards are reinforced in routine dealings with outside parties.
- Improprieties by employees of external parties are reported to the appropriate personnel.

Description/Comments: Management does not formally notify outside parties of ethical standards and expectations. However, the entity has a well-known reputation within the community and the industry of being honest and ethical, and its reputation is reinforced in dealings with outside parties. Letters received by the CEO, as well as input received in discussions with key customers and suppliers, evidence appropriate behavior.

Points of Focus: Timely and appropriate follow-up action by management resulting from communications received from customers, vendors, regulators or other external parties. For example, consider whether:
- Personnel are receptive to reported problems regarding products, services or other matters, and such reports are investigated and acted upon.
- Errors in customer billings are corrected, and the source of the error is investigated and corrected.
- Appropriate personnel, independent of those involved with the original transactions, process complaints.
- Appropriate actions are taken and there is follow-up communication with the original sources.
- Top management is aware of the nature and volume of complaints.

Description/Comments: Management follows up quickly on communications from outside parties that indicate problems within the internal control system, or that employees may have acted inappropriately. These external sources are viewed as valuable indicators of potential problems that need to be addressed. Customer complaints and related follow-up actions are reported formally to the CEO. Management requires a response to all external communications, indicating the investigation results, and thanking the initiator for his or her time and effort.

Conclusions/Actions Needed
Generally, communication within the company, and between the company and external parties, is effective. The following items will be considered to enhance effective communication further:
- Develop a formal corporate code of conduct.
- Further encourage department managers to solicit and consider constructive suggestions from personnel at all levels.

Component Summary: Conclusions/Actions Needed
Information and communication policies and procedures are effective. Management should consider developing a formal corporate code of conduct and encouraging department managers to solicit and consider constructive suggestions from personnel.

Monitoring
Points of Focus / Description/Comments
Ongoing Monitoring
Ongoing monitoring occurs in the ordinary course of operations, and includes regular management and supervisory activities, and other actions personnel take in performing their duties that assess the quality of internal control system performance.

Points of Focus: Extent to which personnel, in carrying out their regular activities, obtain evidence as to whether the system of internal control continues to function. For example, consider whether:
- Operating management compares production, inventory, sales or other information obtained in the course of their daily activities to systems-generated information.
- Operating information used to manage operations is integrated or reconciled with data generated by the financial reporting system.
- Operating personnel are required to sign off on the accuracy of their unit's financial statements, and are held responsible if errors are discovered.

Description/Comments: Senior management is actively involved in all operations of the company, and has direct contact with customers, suppliers, production activities, bankers, inventory control, etc. Management frequently challenges financial and management reports that are inconsistent with its knowledge. Many of the reports used to manage activities are integrated with the financial reporting system and with reports used by other activities. Because of the integrated nature of the company's information systems, significant differences or inconsistencies are likely to be detected quickly. Operating personnel are expected to identify and report significant inaccuracies, or identify reports they believe may be inaccurate. The Controller's staff also analyzes operating reports and investigates apparent inconsistencies with financial reports.
Extent to which communications from external
parties corroborate internally generated
information, or indicate problems. For example,
consider whether:
Customers implicitly corroborate billing data by
paying their invoices, or customer complaints
Management follows up on all
communications from outside parties
that indicate a problem may exist within
the company. Particular attention is
given to communications from
customers, and government agencies,

176

about billingsindicating system deficiencies in
the processing of sales transactionsare
investigated for their underlying causes.
Communications from vendors and monthly
statements of accounts payable are used as a
control monitoring technique.
Suppliers complaints of unfair practices by
purchasing agents are fully investigated.
Regulators communicate information to the
entity regarding compliance or other matters that
reflect on the functioning of the internal control
system.
Controls that should have prevented or detected
the problems are reassessed.
such as the FAA. Monthly vendor
statements are reconciled to the
recorded accounts payable, and
accounts receivable balances are
confirmed, on a test basis, at least once
a year. Problems are investigated and
resolved. Recently, several sales-tax
exempt customers complained they were
inappropriately charged sales tax. Their
accounts were corrected, and
investigation discovered a flaw in a
software update that did not recognize
certain exempt codes. The software was
fixed, and the program change controls
are being reviewed.
Periodic comparison of amounts recorded by the
accounting system with physical assets. For
example, consider whether:
Inventory levels are checked when goods are
taken from inventory storage for shipment, and
differences between recorded and actual amounts
are corrected.
Securities held in trust are counted periodically
and compared with existing records.
Physical inventory counts are made
semiannually, and actual amounts are
compared with perpetual inventory
records. Differences are investigated.
Fixed assets are counted and compared
with asset listings on a cycle basis, no
less than every three years.
Responsiveness to internal and external auditor
recommendations on means to strengthen
internal controls. For example, consider whether:
Executives with proper authority decide which of
the auditors recommendations will be
implemented.
Desired actions are followed up to verify
implementation.
Internal and external auditor
recommendations are reviewed by
senior management and the audit
committee. Appropriate follow-up
actions are taken and are
communicated to the full board, as are
the reasons any recommendations are
not acted upon.
Extent to which training seminars, planning
sessions and other meetings provide feedback
Management has found that training
sessions and other meetings occasion-

177

to management on whether controls operate
effectively. For example, consider whether:
Relevant issues and questions raised at training
seminars are captured.
Employee suggestions are communicated
upstream and acted on as appropriate.
ally provide feedback on control
effectiveness and participants
understanding of their control
responsibility. Appropriate follow-up
action is taken.
Whether personnel are asked periodically to
state whether they understand and comply with
the entitys code of conduct and regularly
perform critical control activities. For example,
consider whether:
Personnel are required periodically to
acknowledge compliance with the code of
conduct.
Signatures are required to evidence performance
of critical control functions, such as reconciling
specified amounts.
The company has not developed a
formal code of conduct. However,
expectations of behavior are outlined in
the employee manual, and management
regularly reinforces these expectations
in both word and action.
Effectiveness of internal audit activities. For
example, consider whether:
There are appropriate levels of competent and
experienced staff.
Their position within the organization is
appropriate.
They have access to the board of directors or
audit committee.
Their scope, responsibilities and audit plans are
appropriate to the organizations needs.
The company recently established an
internal audit function, headed by an
experienced internal auditor with
Fortune 500 company experience. He
has one staff person at this time.
The audit manager reports to the CFO,
and has access to all activities of the
company. The audit manager has access
to the audit committee, with whom he
meets quarterly. If he desires, he may
meet with them privately. Internal audit
salaries are determined by the CFO,
based on his evaluation of their
performances, abilities, etc., with the
audit committees approval.

178

Conclusions/Actions Needed
Internal control monitoring is appropriate and sufficient. Management will consider the benefit of
formalizing a code of conduct and requiring periodic employee affirmation that they understand
and comply with the code. However, employee compliance with the behavior expectations outlined
in the employee manual is high. The internal audit function is new, and is expected to grow and
become more effective over time.
Separate Evaluations
It is useful to take a fresh look at the internal control system from time to time, focusing directly on system effectiveness. The scope and frequency of separate evaluations will depend primarily on an assessment of risks, and on ongoing monitoring procedures.

Point of focus: Scope and frequency of separate evaluations of the internal control system. For example, consider whether:
- Appropriate portions of the internal control system are evaluated.
- The evaluations are conducted by personnel with the requisite skills.
- The scope, depth of coverage and frequency are adequate.
Description/Comments: The Information Systems Steering Committee assesses information system effectiveness on a high level. The board focuses on the control environment and monitoring functions, obtaining input from the CFO and the auditors.

Point of focus: Appropriateness of the evaluation process. For example, consider whether:
- The evaluator gains a sufficient understanding of the entity's activities.
- An understanding is obtained of how the system is supposed to work and how it actually does work.
- An analysis is made, using the evaluation results as measured against established criteria.
Description/Comments: The evaluation process is informal. It includes steps for understanding and analyzing the key controls in place.

Point of focus: Whether the methodology for evaluating a system is logical and appropriate. For example, consider whether:
- Such methodology includes checklists, questionnaires or other tools.
- The evaluation team is brought together to plan the evaluation process and ensure a coordinated effort.
- The evaluation process is managed by an executive with requisite authority.
Description/Comments: The process is informal.

Point of focus: Appropriateness of the level of documentation. For example, consider whether:
- Policy manuals, organization charts, operating instructions and the like are available.
- Consideration is given to documenting the evaluation process.
Description/Comments: Limited documentation exists in meeting minutes of the Board and the Information Systems Steering Committee.

Conclusions/Actions Needed
Consideration should be given to formalizing the evaluation process, and to its scope of coverage over time. The new internal auditor plans to perform an initial review of the established evaluation process.

Reporting Deficiencies
Internal control deficiencies should be reported upstream, with certain matters reported to top management and the board.

Point of focus: Existence of a mechanism for capturing and reporting identified internal control deficiencies. For example, consider whether means exist for obtaining reports on deficiencies:
- From both internal sources and external sources (e.g., customers, suppliers, auditors, regulators).
- Resulting from ongoing monitoring or separate evaluations.
Description/Comments: Policies exist for the capturing and reporting of deficiencies. For example, the marketing department communicates customer complaints upstream to ensure the proper department (e.g., shipping, production) is made aware and takes follow-up actions. Reaction to external auditor reporting of deficiencies is well structured.

Point of focus: Appropriateness of reporting protocols. For example, consider whether:
- Deficiencies are reported to the person directly responsible for the activity and to a person at least one level higher.
- Specified types of deficiencies are reported to more senior management and to the board.
Description/Comments: Policies clearly identify to whom discovered deficiencies should be reported. Generally, it is to the senior manager of the department under evaluation, regardless of the level of controls being evaluated.

Point of focus: Appropriateness of follow-up actions. For example, consider whether:
- The transaction or event identified is corrected.
- The underlying causes of the problem are investigated.
- There is follow-up to ensure the necessary corrective action is taken.
Description/Comments: Follow-up actions are monitored and reported back to the senior manager.

Conclusions/Actions Needed
The policies and procedures in place for reporting deficiencies are appropriate.

Component Summary: Conclusions/Actions Needed
Ongoing monitoring procedures are adequate. Management should consider formalizing a code of conduct. The process for separate evaluations of the internal control system could be formalized. Policies for reporting deficiencies appear to be appropriate.

Risk Assessment and Control Activities Worksheet
Activity: INBOUND

NOTE: This evaluation tool is filled in for one activity (inbound) of ABC Company. When evaluating the risk assessment and control activities company-wide, this tool would be completed for all significant activities.

Worksheet columns, laid out below objective by objective: Risk Analysis (Objectives; O,F,C, where O = operations, F = financial reporting and C = compliance; Risk Factors; Likelihood), followed by Actions/Control Activities/Comments, Other Objectives Affected, and Evaluation and Conclusion.

Manage Logistics

Objective 1 (O): Materials are to be tested, and either accepted and moved to storage, or rejected and returned for credit on a timely basis.
Risk factors (likelihood):
- Receipt of large quantities of materials may delay the receiving and testing activities. (Medium-High)
Actions/control activities:
1. Production provides a weekly report of those items most critically needed to continue efficient and uninterrupted production. The Director of Procurement/Receiving reviews materials to be tested and prioritizes such materials based on the weekly report.
2. Certain engineering personnel have been trained and are available for short-term use in testing certain types of materials.
Evaluation and conclusion: Policies and procedures are insufficient for timely processing. Policies and procedures must be developed to detail how materials should flow through receiving and testing in the event of large amounts of material being received, and how achievement of the objective is to be monitored. Additionally, using engineering personnel to test materials may create conflicts between testing and engineering, especially if such use negatively affects achievement of engineering objectives.

Objective 2 (O,F): Accurately process all information related to goods received, and make such information available to appropriate activities on a timely basis.
Risk factors (likelihood):
- Information is not entered accurately or on a timely basis. (Medium)
- Information needs of various production units are not clearly identified. (Low)
Actions/control activities:
3. Receiving reports are prenumbered, and missing documents are investigated twice weekly.
4. Information from receiving documents is matched to open purchase orders and, subsequently, to the vendor invoice.
5. Information needs of each activity are reviewed semiannually, and communicated to information technology personnel. Systems and reports are modified as necessary.
Evaluation and conclusion: Controls are sufficient to achieve the objective.

Objective 3 (O): Ensure purchase orders are filled on a timely basis.
Risk factors (likelihood):
- Purchase orders are lost or not forwarded to inbound activities. (Medium)
- Due-date information is not available. (Medium)
Actions/control activities:
6. When the purchase order is generated, the system automatically updates open purchase order records. A hard copy of the prenumbered form is sent to receiving, which reviews open purchase orders weekly, and missing documents are investigated. The electronic records are periodically reviewed to verify their accuracy.
7. The system provides the option to sort open purchase orders several ways, including by due date. A weekly report of open purchase orders due is prepared.
Evaluation and conclusion: Controls are sufficient to achieve the objective.

Objective 4 (O,F): All materials received are accurately recorded.
Risk factors (likelihood):
- Actual quantities received may not equal the quantities indicated on the purchase order or vendor shipping documents. (Medium-High)
- Receiving documentation may not be prepared by receiving personnel, or it may be lost. (Low)
Actions/control activities:
8. Goods received are counted, weighed or otherwise verified as to quantity. Other objectives affected: Production #10 [Not shown].
9. Receipts are subject to second count, on a random basis, by a receiving department supervisor.
10. Quantities received according to the receiving report are matched to the vendor's shipping documentation and to the purchase order. Material shortages are noted on the receiving documentation, and any excess material is refused. In the case of excess material, documentation is signed by the transportation company representative for return to the vendor. Documentation is forwarded to accounts payable for further processing and control activities.
11. Receiving documents are sequentially prenumbered, and missing documents are investigated weekly.
12. Warehouse personnel will not accept material without a copy of appropriate receiving documentation. Material remaining in the receiving department for more than one day is investigated by a receiving supervisor.
13. Vendor invoices will not be processed unless matched with proper receiving documentation. Unmatched invoices are investigated promptly.
Evaluation and conclusion: Controls are sufficient to achieve the objective.

Objective 5 (O,F): Only materials actually received and accepted are recorded.
Risk factors (likelihood):
- Receiving employees may prepare erroneous receiving reports for materials not actually received. (Low)
Actions/control activities:
14. Receiving reports are subject to verification by the receiving department supervisor.
15. Receiving reports must be matched to a material transfer document signed by the authorized party who accepted the materials from the receiving department. Unmatched receiving reports are investigated weekly.
Evaluation and conclusion: Controls are sufficient to achieve the objective.

Objective 6 (O,F): All materials returned for vendor credit are accurately recorded.
Risk factors (likelihood):
- Material return documentation may be lost. (Low-Medium)
- Material return documentation may not be prepared. (Low)
- Material return documentation may be inaccurate. (Low)
Actions/control activities:
16. Material return forms are prenumbered, and missing documents are promptly investigated.
17. If material is returned without preparation of receiving documentation, open purchase orders will be investigated. If receiving documentation is prepared, it will not be matched with material transfer documentation. Such unmatched receiving reports are promptly followed up, as described in #15 above.
18. Material return documentation must be approved by a receiving supervisor who verifies the return document information.
19. Common carriers (i.e., trucking companies, UPS, etc.) verify materials being returned and sign documentation indicating their acceptance of such materials.
Evaluation and conclusion: Controls are sufficient to achieve the objective.

Receive

Objective 7 (O): Only materials properly ordered are accepted.
Risk factors (likelihood):
- Employees may lack information regarding properly ordered goods. (Low)
Actions/control activities:
20. No materials are accepted without a properly authorized purchase order on file in the receiving department.
Evaluation and conclusion: Controls are sufficient to achieve the objective.

Objective 8 (O): Only materials which comply with purchase order specifications are accepted.
Risk factors (likelihood):
- Material received from vendors may not comply with specifications. (Medium)
- Inbound activity personnel do not understand the specifications due to poor communication with procurement. (Low)
- Testing procedures may become obsolete. (Low-Medium)
- Testing equipment may become obsolete or inaccurate. (Medium-High)
- Inbound activities personnel may not test materials, or may not test them properly. (Low)
Actions/control activities:
21. Materials received are tested for compliance with contract or purchase order specifications. All tests are documented in accordance with prescribed procedures and are reviewed by the receiving department supervisor.
22. Receiving is provided a copy of the contract or purchase order with specifications clearly indicated. Specifications are matched to vendor documentation and test results before material is forwarded to another department.
23. Testing procedures are reviewed and updated annually by the Director of Procurement and the Engineering Manager. The procedures are reviewed and approved by the Vice President, Operations.
24. Testing equipment is checked and recalibrated every 30 days, or upon the request of the equipment operator, whichever is more frequent.
25. Testing equipment is reviewed and recommendations for new equipment are made in conjunction with the review of testing procedures noted in control #23. Approval of new equipment is required of the Vice President, Operations.
26. Test documentation is reviewed by supervisory personnel. Materials used to manufacture parts critical to flight safety are subject to random retesting. Discrepancies noted in retesting are investigated and appropriate follow-up action is taken (retraining, or termination if a high number of discrepancies are noted and training fails to resolve the problem, etc.). Other objectives affected: Production #10 [Not shown].
27. Production personnel monitor problems related to materials failing to meet engineering specifications and report such results to procurement, and appropriate follow-up action is taken.
Evaluation and conclusion: Policies and procedures appear adequate to achieve the objective. However, consideration should be given to situations where personnel may place undue pressure on receiving to accept materials (for instance, in cases where shortages of certain key materials threaten the efficiency of, or ability to continue, production).

Objective 9 (O,F): Ensure that materials transferred from receiving to other activities are completely and accurately recorded.
Risk factors (likelihood):
- Proper documentation is not prepared. (Low)
- Information may be inaccurate or incomplete. (Medium)
- Information may be input inaccurately. (Medium)
Actions/control activities:
28. Material cannot be transferred without transfer documents.
29. Transfer documents must be signed by both the receiving employee and the employee accepting the transfer. Both employees verify its completeness and accuracy.
30. Inventory is counted quarterly. The physical count is compared with perpetual inventory records. Differences are investigated.
Evaluation and conclusion: Controls are sufficient to achieve the objective.

Objective 10 (O): Precious metals are handled and stored in a secure manner to prevent unauthorized access.
Risk factors (likelihood):
- Precious metals may be stolen. (High)
Actions/control activities:
31. Record-keeping of precious metals is performed by an individual independent of those employees responsible for handling and storage of the metals.
32. The precious metals are stored in a locked and guarded location. Surveillance cameras continuously record all entrances and exits of the storage area.
33. All packages, briefcases, etc., removed from the facility by employees are subject to inspection by security personnel.
34. Physical counts of precious metals are made monthly by individuals with no responsibility for record-keeping or storage of the metals. The counts are reconciled with the perpetual records, and differences investigated.
Evaluation and conclusion: Controls are sufficient to achieve the objective.

Objective 11 (O,F): Properly transfer all materials requisitioned, and only such materials.
Risk factors (likelihood):
- Inadequate requisition procedures. (Medium)
- Improper materials are transferred. (Medium)
Actions/control activities:
35. Stores personnel transfer materials to operations only on the authority of a properly approved requisition.
36. Both stores and operations personnel verify that proper materials are transferred, and both sign transfer documentation.
Evaluation and conclusion: Controls are sufficient to achieve the objective.

Objective 12 (O,F): Completely and accurately record all transfers to and from storage.
Risk factors (likelihood):
- Incomplete or inaccurate information. (Medium)
- Transfer documents may be lost. (Medium)
Actions/control activities:
37. Transfer documentation is signed by both stores and operations personnel, who verify its accuracy.
38. Inventory is counted quarterly. Differences from perpetual records are investigated and resolved.
39. Transfer documents are prenumbered, with missing documents investigated weekly.
Evaluation and conclusion: Controls are sufficient to achieve the objective.

Objective 13 (C): Hazardous materials are handled and stored in compliance with Occupational Safety and Health Administration (OSHA) and other laws and regulations.
Risk factors (likelihood):
- Employees may disregard hazardous material handling and storage policies and procedures. (Low)
- Storage tanks may leak. (Medium-High)
Actions/control activities:
40. Employees responsible for handling and storing hazardous materials are closely supervised, and their work reviewed by experienced supervisors. Deviations from specified policy are treated as serious matters, and disciplinary action is swift and severe.
41. Employees responsible for handling and storing hazardous materials are subject to regular drug testing.
42. Storage tanks are inspected annually. Any sign of irregularity is immediately investigated and resolved.
43. Storage tanks are replaced at 90% of the manufacturer's estimated useful life.
44. Water and soil samples, taken from near the storage tanks, are tested quarterly to detect leakage. Any sign of irregularity is immediately investigated and resolved.
45. Monitoring systems that measure pressure in pipelines used to transport hazardous materials are utilized to detect leaks or other potential problems. These systems are inspected quarterly. Any sign of irregularity is immediately investigated and resolved.
Evaluation and conclusion: Controls are adequate to achieve the objective. However, employees are not provided periodic training on laws and regulations, nor on handling and storage techniques. This training could provide assurance that employees remain knowledgeable of such laws, regulations and techniques. Additionally, it would help ensure that employees remain aware of the importance of complying with company policies.

Objective 14 (C): Federal and state Occupational Safety and Health Administration (OSHA) laws and regulations are complied with.
Risk factors (likelihood):
- Personnel may not be familiar with all OSHA requirements. (Medium)
- OSHA requirements may be violated due to errors, neglect or intentional disregard. (Medium-High)
Actions/control activities:
46. Legal counsel and the Vice President, Operations review policy and procedures quarterly. Such policy and procedures are modified as necessary to comply with OSHA requirements.
47. Legal counsel observes execution of company policies and procedures on a regular basis. Questionable acts are immediately investigated and appropriate follow-up action is taken.
48. Employees are encouraged to report any suspected violations to the office of the CEO. Employees of the office of the CEO follow up on such communication.
Evaluation and conclusion: Controls are sufficient to achieve the objective.

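The inbound receiving controls in the worksheet (prenumbered receiving reports with gaps investigated, #3/#11; receiving documents matched to open purchase orders and then to the vendor invoice, #4/#13; counted quantities matched to shipping documents and the purchase order with shortages noted and excess refused, #10; nothing accepted without an authorized purchase order, #20), expressed as checks over constructed records. This is an added example, not part of the COSO evaluation tool or ABC Company's systems; the record layouts, the PO, report and invoice numbers, and the finding labels are assumptions.

```python
# Added illustration of the worksheet's receiving controls (not COSO's or
# ABC Company's code). Record layouts, identifiers and finding labels are
# assumptions; sample data below is constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class PurchaseOrder:
    po_number: str
    item: str
    quantity_ordered: int
    status: str = "open"           # "open" or "closed"


@dataclass(frozen=True)
class ReceivingReport:
    report_number: int             # prenumbered, issued sequentially (#3/#11)
    po_number: str
    item: str
    quantity_counted: int          # physical count at the dock (#8)
    quantity_on_shipping_doc: int  # vendor's shipping documentation (#10)


@dataclass(frozen=True)
class VendorInvoice:
    invoice_number: str
    po_number: str
    quantity_billed: int


def missing_report_numbers(reports, first_issued):
    """Control #3/#11: every number from the first issued form up to the
    highest number seen must be accounted for; gaps are exceptions."""
    seen = {r.report_number for r in reports}
    if not seen:
        return []
    return [n for n in range(first_issued, max(seen) + 1) if n not in seen]


def evaluate_receipt(report, purchase_orders):
    """Controls #4, #10, #20: match the receipt to an open PO, then compare
    the counted quantity with the shipping document and the PO.
    Returns the findings; an empty list means the receipt is clean."""
    findings = []
    po = purchase_orders.get(report.po_number)
    if po is None or po.status != "open":
        return ["NO_OPEN_PO"]              # refused outright (control #20)
    if po.item != report.item:
        findings.append("ITEM_MISMATCH")
    if report.quantity_counted < report.quantity_on_shipping_doc:
        findings.append("SHORTAGE_NOTED")  # noted on receiving documentation
    if report.quantity_counted > po.quantity_ordered:
        findings.append("EXCESS_REFUSED")  # excess returned to the vendor
    return findings


def accepted_quantities(reports, purchase_orders):
    """Quantity actually accepted per PO: receipts without an open PO or with
    the wrong item are rejected, and the running total is capped at the PO
    quantity because excess is refused at the dock."""
    accepted = {}
    for r in reports:
        findings = evaluate_receipt(r, purchase_orders)
        if "NO_OPEN_PO" in findings or "ITEM_MISMATCH" in findings:
            continue
        ordered = purchase_orders[r.po_number].quantity_ordered
        accepted[r.po_number] = min(
            accepted.get(r.po_number, 0) + r.quantity_counted, ordered)
    return accepted


def invoice_disposition(invoices, reports, purchase_orders):
    """Control #4/#13: an invoice is cleared for processing only when a
    receiving report exists for its PO and the billed quantity does not
    exceed what was accepted; anything else is held for investigation."""
    accepted = accepted_quantities(reports, purchase_orders)
    cleared, held = [], []
    for inv in invoices:
        if inv.po_number not in accepted:
            held.append((inv.invoice_number, "NO_RECEIVING_REPORT"))
        elif inv.quantity_billed > accepted[inv.po_number]:
            held.append((inv.invoice_number, "BILLED_EXCEEDS_ACCEPTED"))
        else:
            cleared.append(inv.invoice_number)
    return cleared, held


# Constructed sample records (hypothetical PO, report and invoice numbers).
SAMPLE_POS = {
    "PO-1001": PurchaseOrder("PO-1001", "titanium bar stock", 100),
    "PO-1002": PurchaseOrder("PO-1002", "fastener lots", 500),
    "PO-1003": PurchaseOrder("PO-1003", "hydraulic seals", 40, "closed"),
    "PO-1004": PurchaseOrder("PO-1004", "rivets", 1000),
}
SAMPLE_REPORTS = [
    ReceivingReport(2001, "PO-1001", "titanium bar stock", 100, 100),  # clean
    ReceivingReport(2002, "PO-1002", "fastener lots", 480, 500),       # short
    # report 2003 was never recorded: a gap to investigate
    ReceivingReport(2004, "PO-1003", "hydraulic seals", 40, 40),       # PO closed
    ReceivingReport(2005, "PO-1004", "rivets", 1100, 1100),            # excess
]
SAMPLE_INVOICES = [
    VendorInvoice("INV-77", "PO-1001", 100),   # matches accepted quantity
    VendorInvoice("INV-78", "PO-1002", 500),   # bills for the 20 short
    VendorInvoice("INV-79", "PO-1005", 10),    # no receiving report at all
    VendorInvoice("INV-80", "PO-1004", 1000),  # the excess 100 was refused
]
```

Running the three checks over the sample data flags report 2003 as missing, report 2002 as short, 2004 as lacking an open PO and 2005 as excess, and holds INV-78 and INV-79 while clearing INV-77 and INV-80.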
Overall Internal Control System Evaluation

Columns: Internal Control Components; Preliminary Conclusions/Actions Needed (see individual evaluation tools); Additional Considerations.

Control Environment: Does management adequately convey the message that integrity cannot be compromised? Does a positive control environment exist, whereby there is an attitude of control consciousness throughout the organization, and a positive tone at the top? Is the competence of the entity's people commensurate with their responsibilities? Are management's operating style, the way it assigns authority and responsibility, and the way it organizes and develops its people appropriate? Does the board provide the right level of attention?
Preliminary Conclusions/Actions Needed: Management has demonstrated its commitment to integrity, ethical behavior and competence of the Company's people, and has communicated that commitment to all employees. The company's control environment is conducive to effective internal control, and provides a positive influence that enhances the likelihood of achieving ABC's objectives.
Additional Considerations: The board and I [CEO] are considering the benefits of a formal code of conduct. I am monitoring the effectiveness of the recent organizational structure modifications, which resulted from the Laker Parts acquisition and divestiture of the defense division, and will introduce changes as appropriate. In addition, newly created key manager responsibilities will be evaluated over time and changed as needed. The Laker Parts acquisition has also resulted in a duplication of some accounting department functions. Reviews of personnel requirements are underway.

Risk Assessment: Are entity-wide objectives and supporting activity-level objectives established and linked? Are the internal and external risks that influence the success or failure of the achievement of the objectives identified and assessed? Are mechanisms in place to identify changes affecting the entity's ability to achieve its objectives? Are policies and procedures modified as needed?
Preliminary Conclusions/Actions Needed: The company-wide objectives and strategies provide relevant guidance on what the entity is to achieve and how it will be achieved. Resources are allocated to achieve objectives commensurate with their importance. Activity-level objectives have been developed to support achieving the company-wide objectives. Those activity-level objectives are consistent with and complement each other. ABC management identifies and assesses risk informally on an ongoing basis, and formally in conjunction with the annual update of the business plan. Appropriate actions are taken to manage the risks. Hedges for materials cost increases and modernizing production processes need to be addressed. Controls to identify and react to changes are adequate. We need to continue to watch for potential morale weakness from former Laker Parts employees. Consider having human resources monitor attitudes and performance.
Additional Considerations: The implications of competitive pressures for long-term growth and profitability objectives will continue to require the attention of operating and financial management. Such attention will be provided. The development of new or modified production processes will be expedited to keep pace with changes in the industry. Further consolidation of the commercial airline industry and government re-regulation of the industry are changes that could adversely affect the company. These changes are followed closely and strategies are being developed to respond to the changes.

Control Activities: Are control activities in place to ensure adherence to established policy and the carrying out of actions to address the related risks? Are there appropriate control activities for each of the entity's activities?
Preliminary Conclusions/Actions Needed: Control activities have been designed and implemented to address significant risks related to department and unit activity objectives. Concerns raised regarding materials testing and handling of hazardous materials need to be addressed.
Additional Considerations: Activities for testing materials to determine whether to accept or reject shipments, and procedures for training operations personnel on OSHA requirements for disposal of hazardous waste, will be refined and formalized.

Information and Communication: Are information systems in place to identify and capture pertinent information (financial and nonfinancial, relating to external and internal events) and bring it to personnel in a form that enables them to carry out their responsibilities? Does communication of relevant information take place? Is it clear with respect to expectations and responsibilities of individuals and groups, and reporting of results? And does communication occur down, across and upward in the entity, as well as between the entity and other parties?
Preliminary Conclusions/Actions Needed: Information systems provide management with the information needed, on a timely basis, to manage the company effectively. Generally, communication within the entity and with external parties is effective. The following items will be considered to enhance effective communication further: develop a formal corporate code of conduct, and further encourage department managers to solicit and consider constructive suggestions from personnel at all levels.
Additional Considerations: Available information related to competitors' activities in the development of lighter weight materials for use in production, and exposures to foreign currency exchange losses from an unstable U.S. dollar, will be obtained and considered in our long-term strategies. A formal program to communicate the company's ethical standards to vendors and other outside parties will be developed.

Monitoring: Are appropriate procedures in place to monitor on an ongoing basis, or to periodically evaluate, the functioning of the other components of internal control? Are deficiencies reported to the right people? Are policies and procedures modified as needed?
Preliminary Conclusions/Actions Needed: Internal control monitoring is appropriate and sufficient. Although employee compliance with the behavioral expectations outlined in the employee manual is high, management will consider the benefit of formalizing a code of conduct and requiring periodic employee affirmation that they understand and comply with it. The internal audit function is new, and is expected to grow and become more effective over time. The scope of separate evaluations needs to be considered.
Additional Considerations: Ongoing monitoring of the former Laker Parts operation is important to ensuring its continued effectiveness and overall consistency with the consolidated company. Factors of particular importance are the appropriateness of its organizational structure and assignment of responsibilities to key managers. I plan to continue to monitor these areas. I will instruct the head of internal audit to develop a formal evaluation process.

Overall Conclusion
ABC's system of internal control, as of December 31, 19xx, is effective and provides reasonable assurance that the company's financial reporting process is reliable, that the company has effective procedures for ensuring compliance with applicable laws and regulations, and that management is aware of the extent to which the company is moving toward achieving the operations objectives.
