Professional Documents
Culture Documents
Establishes Structure, Authority, and Responsibility 3. Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives. Considers All Structures of the EntityManagement and the board of directors consider the multiple structures used (including operating units, legal entities, and outsourced service providers) to support the achievement of objectives. Establishes Reporting LinesManagement designs and evaluates lines of reporting for each entity structure to enable execution of authorities and responsibilities and flow of information to manage the activities of the entity. Defines, Assigns, and Limits Authorities and ResponsibilitiesManagement and the board of directors delegate authority, define, and assign responsibility and segregate duties as appropriate at the various levels of the organization: - Board of DirectorsRetains authority over significant decisions and reviews managements assignments and limitations of authorities and responsibilities. - Senior ManagementEstablishes directives, guidance, and control to enable management and other personnel to understand and carry out their internal control responsibilities. - ManagementGuides and facilitates the execution of senior management directives at entity and its subunits. - PersonnelUnderstands the entitys standard of conduct, assessed risks to objectives, and the related control activities at their respective levels of the entity, the expected information and communication flow, and monitoring activities relevant to their achievement of the objectives. - Outsourced Service ProvidersAdheres to managements definition of the scope of authority and responsibility for all non-employees engaged. Demonstrates Commitment to Competence 4. The organization demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives. Establishes Policies and PracticesPolicies and practices reflect the organizations expectations of competence necessary to support the achievement of objectives. Attracts, Develops, and Retains IndividualsThe organization provides the mentoring and training needed to attract, develop, and retain sufficient and competent personnel and outsourced service providers to support the achievement of objectives. Evaluates Competence and Addresses ShortcomingsThe board of directors and management evaluate competence across the organization and in outsourced service providers in relation to established policies and practices, and acts as necessary to address shortcomings. Plans and Prepares for SuccessionSenior management and the board of directors develop contingency plans for assignments of responsibility important for internal control.
Enforces Accountability 5. The organization holds individuals accountable for their internal control responsibilities in the pursuit of objectives. Enforces Accountability through Structures, Authorities, and Responsibilities Management and the board of directors establish the mechanisms to communicate and hold individuals accountable for performance of internal control responsibilities across the organization and implement corrective action as necessary. Establishes Performance Measures, Incentives, and RewardsManagement and the board of directors establish performance measures, incentives, and other rewards appropriate for responsibilities at all levels of the entity, reflecting appropriate dimensions of performance and expected standards of conduct, and considering the achievement of both short-term and longer- term objectives. Evaluates Performance Measures, Incentives, and Rewards for Ongoing Relevance Management and the board of directors align incentives and rewards with the fulfillment of internal control responsibilities in the achievement of objectives. Considers Excessive PressuresManagement and the board of directors evaluate and adjust pressures associated with the achievement of objectives as they assign responsibilities, develop performance measures, and evaluate performance. Evaluates Performance and Rewards or Disciplines IndividualsManagement and the board of directors evaluate performance of internal control responsibilities, including adherence to standards of conduct and expected levels of competence and provide rewards or exercise disciplinary action as appropriate.
Identifies and Analyzes Risks 7. The organization identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed. Includes Entity, Subsidiary, Division, Operating Unit, and Functional LevelsThe organization identifies and assesses risks at the entity, subsidiaries, division, operating unit, and functional levels relevant to the achievement of objectives. Analyzes Internal and External FactorsRisk identification considers both internal and external factors and their impact on the achievement of objectives. Involves Appropriate Levels of ManagementThe organization puts into place effective risk assessment mechanisms that involve appropriate levels of management. Estimates Significance of Risks IdentifiedIdentified risks are analyzed through a process that includes estimating the potential significance of the risk. Determines How to Respond to RisksRisk assessment includes considering how the risk should be managed and whether to accept, avoid, reduce, or share the risk. Assesses Fraud Risk 8. The organization considers the potential for fraud in assessing risks to the achievement of objectives. Considers Various Ways That Fraud Can OccurThe assessment of fraud considers possible loss of assets, fraudulent reporting, and corruption resulting from the various ways that fraud and misconduct can occur. Considers Risk FactorsAn entitys assessment considers factors that influence the significance of the loss of assets and the related impact on operations, reporting, and compliance activities. Assesses Incentive and PressuresThe assessment of fraud risk considers incentives and pressures. Assesses OpportunitiesThe assessment of fraud risk considers opportunities for unauthorized acquisition, use, or disposal of assets, altering of the entitys reporting records, or committing other inappropriate acts. Assesses Attitudes and RationalizationsThe assessment of fraud risk considers how management and other personnel might engage in or justify inappropriate actions. Identifies and Analyzes Significant Change 9. The organization identifies and assesses changes that could significantly impact the system of internal control. Assesses Changes in the External EnvironmentThe risk identification process considers changes to external factors that can significantly affect the entitys ability to achieve objectives. Assesses Changes in the Business ModelThe organization considers the potential impacts of new business lines, dramatically altered compositions of existing business lines, acquired or divested business operations on the system of internal control, changing reliance on foreign geographies, new technologies, and changes to the physical environment in which the business operates. Assesses Changes in LeadershipThe organization considers changes in management and their respective attitudes and philosophies on the system of internal control.
Deploys through Policies and Procedures 12. The organization deploys control activities as manifested in policies that establish what is expected and in relevant procedures to effect the policies Establishes Policies and Procedures to Support Deployment of Managements Directives Management establishes control activities that are built into business processes and employees dayto-day activities through policies establishing what is expected and relevant procedures specifying actions. Establishes Responsibility and Accountability for Executing Policies and Procedures Management establishes responsibility and accountability for control activities with management (or other designated personnel) of the business unit or function in which the relevant risks reside. Performs Using Competent PersonnelCompetent personnel perform control activities with diligence and continuing focus. Performs in a Timely MannerResponsible personnel perform control activities in a timely manner as defined by the policies and procedures. Takes Corrective ActionResponsible personnel investigate and act on matters identified as a result of executing control activities. Reassesses Policies and ProceduresManagement periodically reviews control activities to determine their continued relevance, and refreshes them when necessary.