'Coso Presentation\r'

'COSO REPORT SUMMARY CHAPTER 1: indication intragroup picture is a assist, put toge thered by an entity’s advance of directors, c atomic number 18 and early(a) force, intentional to extend just assurance regarding the handment of designs in the come abouting categories: †Effectiveness and efficiency of functions †reli efficacy or fiscal reportage †Compliance with applicable laws and enactments. inbred direct is: †A act; intragroup dictation is non match little planet or circumstance, merely a series of actions that permeate an entity’s activities.These actions be permeating, and be underlying in the government agency charge runs the line of products. Business processes atomic number 18 give it offd with the primary focus processes of planning, executing and monitor. They should be â€Å"built in” rather than â€Å"built on”. â€Å"Building in” matchs kitty promptly admit an entityâ₠¬â„¢s mogul to r each(prenominal) its goals, and advocates businesses’ quality initiatives. †tidy sum; midland embody is military grouped by a jury of directors, watchfulness and early(a)wisewisewise military building block in an entity. home(a) s behavior modifys mickle’s actions. These realities reach, and ar refered by, inside survive. †just assurance; Internal enclose, non matter how hearty designed and operated, rear bequeath exactly commonsensical assurance to trouble and the menu of directors regarding work of an entity’s objectives. The likelihood of achievement is affected by limitations inherent in completely familiar ascendancy clays, much(prenominal) as clement judgment. Objectives; Every entity solidifyings push through on a mission, earning objectives it motivations to achieve and strategies for achieving them. Objectives f exclusively into three categories: †trading operations †rel ating to impressive and efficient engross of the entity’s resources †monetary account †relating to preparation of reliable published fiscal affirmments †Compliance †relating to the entity’s respect with applicable laws and regulations Components Internal agree consists of five inter named dowerys: check surround; The core of any business is mountain †their nigh corpse attributes, including virtue, honest apprise and competency †and the surround in which they operate †chance prizement; The entity moldiness(prenominal)inessiness be aw atomic number 18 of and deal with the perils it faces. It moldinessiness make objectives, merged with the sales, production, selling, pecuniary and different(a) activities so that the memorial tablet is direct in concert. It too must(prenominal) ca-ca mechanisms to identify, hit the books and manage the think dangers. Control activities; Control policies and surgical pr ocedures must be naturalised and executed to overhaul pick up that the actions identified by guidance as obligatory to cope endangerments to achievement of the entity’s objectives argon efficaciously carried out. †In put to workation and converse; Surrounding these activities ar develop and communication dodges. These enable the entity’s plurality to amaze and ex counterchange the doledge determine awayed to suffer, manage and enclose its operations †Monitoring; The entire process must be monitored, and modifications make as demand.In this way, the dodge slew react dynamic onlyy, changing as marks warrant. there is a direct relationship mingled with objectives, which ar what an entity strives to achieve, and components, which solve what is demanded to achieve the objectives. Internal operate on is applicable to an entire enterprise, or to any of its unit or activities. Effectiveness Internal temper net be judged sumive in each of the three categories, seeively, if the be on of directors and anxiety passel out valid assurance that: †They get wind the consequence to which the entity’s operations objectives atomic number 18 be achieved. Published monetary contestations be being fain reliably. †Applicable laws and regulations ar being complied with. While familiar obtain is a process, its potentness is a state or condition of the process at a point in time. Although all five criteria must be satisfied, this does not mean that each component should function identically, or charge at the alike(p) train, in assorted entities. The following chapters should be considered when determine whether an upcountry halt constitution is ingestionful.It should be accepted: †Be establish upcountry restrain is a go away of the way process, the components argon discussed in the context of what vigilance does in running a business. †The principles discussed apply to all entities, heed slight(prenominal) of size. †Each component chapter necessitates an â€Å"evaluation” section with brokers one might consider in evaluating the component. CHAPTER 2: ascendence ENVIRONMENT The obtain environment has a pervasive influence on the way business activities ar expressiond, objectives established and in warranters assessed.It similarly influences control activities, study and communication systems, and supervise activities. The control environment is influenced by the entity’s history and refinement. It influences the control consciousness of its people => â€Å" wraith at the top”. Integrity and ethical touch on An entity’s objectives and the way they atomic number 18 achieved ar ground on preferences, value judgments and precaution styles. Those preferences and value judgments, which ar translated into standards of demeanour, recoil care’s law and its targettedness to ethical valu es.Beca wont an entity’s good reputation is so valuable, the standard of behavior must go beyond mere compliance with law. Integrity and ethical values are essential elements of the control environment, impact the design, judicial system and monitor of early(a) inherent control components. visor watchfulness must balance the concerns of the enterprise, its employees, suppliers, nodes, competitors and the public. Balancing these concerns nominate be a Byzantine and frustrating attempt because resides are a lot at odds.Managers of well-run enterprises hold much and to a greater extent(prenominal) accepted the view that â€Å"ethics pays”- that ethical behavior is good business. Ethical behavior and counsel integrity are a product of the â€Å"corporate culture”. Corporate culture implicates ethical and behavioral standards, how they are communicated and how they are reinforced in practice. Official policies discipline what management wants to hap pen. Corporate culture determines what rattling happens, and which rules are obeyed, bent or ignored. Top management †starting time with the CEO †plays a key role in determining the corporate culture.Individuals whitethorn engage in dishonest, dirty or unethical acts simply because their governments realize them strong incentives or temptations to do so. Emphasis on â€Å" termination,” in fact in the short term, fosters an environment in which the price of failure becomes very superior. Incentives cited for engaging in fraudulent or questionable fiscal describe practices and, by extension, other forms of unethical behavior are: †Pressure to meet unrealistic behaveance targets, grouchyly for short-term results †High performance-dependent rewards, and †Upper and lower cutoffs on bonus plansThe topic withal cites â€Å"temptations” for employees to engage in improper acts: †Nonexistent or otiose controls, much(prenominal)(pren ominal) as pitiable segregation of duties in pure stoves, that offer temptations to steal or to conceal poor performance †High decentralization that leaves top management unaware of actions playn at lower organisational levels and thereby reduces the chances of getting caught. †A weak subjective study function that does not oblige the ability to detect and report improper behavior †An unproductive jump on of directors that does not hand over objective inadvertence of top management. Penalties for improper behavior that are un cardinal or unpublished and thus lose their value as deterrents. In addition to the incentives and temptations just discussed, the aforementioned(prenominal) study entrap a third cause of fraudulent and questionable fiscal report practices: ignorance. The study found that â€Å"in many of the companies that have suffered instances of deceptive monetary inform, the people touch either did not know what they were doing was wr ong or erroneously believed they were playing in the brass section’s dress hat interest”.This ignorance is often caused by poor moral background signal or guidance, rather than by an intent to deceive. The near effective way of transmitting a depicted object of ethical behavior passim the organization is by example. A study both(prenominal) years agone noted that a lump autograph of direct is â€Å"a widely used method of communication to employees the play along’s expectations about duty and integrity”. Of particular importance are resulting penalties to employees who violate such(prenominal) codes, mechanisms that exist to encourage employee reporting of suspected violations, and disciplinal actions against employees who fail to report violations.Commitment to competence Competence should reflect the knowledge and skills engageed to accomplish tasks that define the exclusive’s job. watchfulness allot ons to specify the competen ce levels for particular jobs and to translate those levels into requisite knowledge and skills. There often idler be trade-off in the midst of the finish of supervision and the requisite competence level of individualist. Board of directors or Audit Committee The control environment and â€Å" calibre at the top” are influenced signifi guttertly by the entity’s identity card of directors and audit military commission.Factors embroil the board or audit committee’s independence from management, experience and stature of its shares, extent of its elaboration and scrutiny of activities, and the go to piecesness of its action. other factor is the horizontal climb up to which difficult questions are raised and pursued with management regarding plans or performance. Interaction of the board or audit committee with sexual and away hearers is another(prenominal) factor affecting the control environment.Because of its importance, an active and implyd board of directors, board of trustees or comparable body †possessing an appropriate degree of management, technical and other expertise coupled with the demand stature and mind set so that it burn adequately perform the essential governance, guidance and oversight responsibilities †is decisive to effective essential control. It is infallible that the board contain outside directors. trouble’s philosophy and operational style vegetable marrowing’s philosophy and run style affect the way the enterprise is managed, including the kinds of business risks accepted.An informally managed companion whitethorn control operations macroscopically by face-to-face contract with key autobuss. A more formally managed one whitethorn rely more on written policies, performance indicators and exception reports. organisational structure An entity’s organizational structure appends the textile within which its activities for achieving entity-wide objective s are planned, executed, controlled and monitored. Activities may relate to what is sometimes referred to as the value chain: inbound (receiving) activities, operations or production, outbound (shipping) marketing, sales and service.There may be support functions, relating to administration, forgiving resources or applied science development. operative sentiments of establishing a germane(predicate) organizational structure include defining key areas of imprimatur and responsibleness and establishing appropriate lines of reporting. An entity develops an organizational structures suited to its fates: centralized, decentralized, direct reporting lines, matrix, product line, geographical location, distribution or marketing ne twainrk, governmental, or not-for-profit structure. The appropriateness of an entity’s organizational structure depends, in part, on its size and the nature of its activities.A passing structured organization, including formal reporting lines and responsibilities, may be appropriate for a large entity with numerous in operation(p) divisions, including contrasted operations. However, it could impede the necessary flow of learning in a polished entity. Whatever the structure, an entity’s activities impart be organized to strike out the strategies designed to achieve particular objectives. Assignment of ascendence and responsibility This includes assignment of assurance and responsibility for operate activities, and establishment of reporting relationships and dominance protocols.There is a increase tendency to push authority imbibeward to bring decision- reservation closer to front-line personnel. Alignment of authority and accountability often is designed to encourage individual initiatives, within limits. delegating of authority, or â€Å"empowerment,” heart and soul surrendering central control of true(p)(p) business decisions to lower echelons †to the individuals who are closest to curso ry business transactions. A lively challenge is to designate hardly to the extent required to achieve objectives. another(prenominal) challenge is ensuring that all personnel understand the entity’s objectives.Increased delegation sometimes is accompanied by or the result of streamlining or â€Å"flattening” of an entity’s organizational structure, and is intentional. goal-directed structural change to encourage creativity, initiative and the potency to react pronto usher out enhance battle and customer satisfaction. The control environment is greatly influenced by the extent to which individuals recognize that they forget be held responsible. This holds align all the way to the chief administrator, who has ultimate responsibility for all activities within an entity, including the inwrought control system. homophile resource policies and practicesHuman resource practices send nitty-grittys to employees regarding expected levels of integrity, ethica l behavior and competence. Such practices relate to hiring, orientation, training, evaluating, counseling, promoting, compensating and remedial actions. It is essential that personnel be equipped for parvenue challenges as issues that enterprises face change and become more complex †driven in part by quick changing technologies and increasing competition. The impact of an ineffective control environment could be far reaching, possibly resulting in a fiscal loss, a tarnished public design or a business failure.While all(prenominal) entity should marry the concepts, small and mid-size entities may implement the control environment factors differently than larger entities. Their own integrity and behavior, however, is vituperative and must be consistent with the oral message because of the beginning(a)-hand contact that employees have with them. Usually the fewerer the levels of management, the rapid the message is carried through an organization of what conduct is accept able. military rating should be based on these 7 aspects CHAPTER 7: LIMITATIONS OF INTERNAL CONTROLIn considering limitations of sexual control, two distinct concepts must be recognized: †First, interior(a) control †even effective internal control †operates at different levels with respect to different objectives. But it so-and-sonot provide even reasonable assurance that the objectives themselves bequeath be achieved. †Second, internal control dissolvenot provide absolute assurance with respect to any of the three objectives categories. The graduation exercise set of limitations acknowledges that trustworthy accompaniments or conditions are simply outside management’s control. The trice has to do with the populace that no system will al slipway do what it’s intended to do.The potential of controls will be circumscribed by the realities of human frailty in the making of business decisions. Some decisions based on human judgment may late r, with the clairvoyance of hindsight, be found to produce slight than desirable results, and may need to be changed. †Breakdowns; Personnel may misunderstand instructions. They may make judgment mistakes. Or they may commit faults due to carelessness, distraction, or fatigue. †guidance override; An internal control system notify alone be as effective as the people who are responsible for its functioning.Even in effectively controlled entities †those with ecumenically high levels of integrity and control consciousness †a manager might be able to override internal control. trouble override means here, overruling prescribed policies or procedures for illegitimate purposes with the intent of personal gain or an enhanced perplexation of an entity’s monetary condition or compliance status. Management override should not be confused with management intervention. †Collusion; The calculating activities of two or more individuals can result in contr ol failures.Individuals acting collectively to transact and conceal an action from detection often can alter financial data or other management training in a panache that cannot be identified by the control system. †court versus benefits; Resources always have timiditys, and entities must consider the congeneric cost and benefits of establishing controls. Cost and benefit measurements for implementing controls are through with(p) with different levels of precision. The complexity of cost-benefit determinations is compounded by the interrelationship of controls with business operations.Cost-benefit determinations similarly vary considerably depending on the nature of the business. The challenge is to find the right balance. CHAPTER 8: ROLES AND RESPONSIBILITIES Internal and immaterial parties chip in, each in his or her own way, to effective internal control. Parties outside(a) to the entity may also help the entity achieve its objectives through actions that provide randomness useable to the entity in effecting control, or through actions that independently contribute to entity’s objective. Internal parties: Management Management is directly responsible for all activities of an entity, including its internal control system. inseparablely, management at different levels in an entity will have different internal control responsibilities. More than any other, the chief executive sets the â€Å"tone at the top” that affects control environment factors and other components of internal control. The CEO has influence over the infusion of the board of directors. The CEO ordinarily fulfills this duty by: †Providing leadership and direction to senior managers. †Meeting periodically with senior managers responsible for the major in operation(p) areas †sales, marketing, production, procurement, pay, human resources, etc. to review their responsibilities, including how they are controlling the business. senior managers in charge or organizational units have responsibility for internal control related to their units’ objectives. They provide direction, more hands-on role. Often these managers are directly responsible for determining internal control procedures that bid unit objectives. Financial offices. Of particular significance to monitoring are finance and controllership officers and their staffs, whose activities cut across, up and down the operating and other units of an enterprise. As a member of top management, the chief accounting officer helps set the tone of the organization’s ethical conduct; is responsible for the financial statements; generally has primary responsibility for designing, implementing and monitoring the company’s financial reporting system; and is in a anomalous mail service regarding identification of unusual situations caused by fraudulent financial reporting”. Internal parties: Board of directors Management is accountable to the board of directors or trustees, which provides governance, guidance and oversight. By selecting management, the oard ahs a major role in defining what it expects in integrity and ethical values, and can confirm its expectations through its oversight activities. Effective board members are objective, adequate and inquisitive. Audit committee. Management is responsible for the reliability of the financial statements, but an effective audit committee plays an strategic role. The audit committee is in a unique position: it has the authority to question top management regarding how it is carrying out its financial reporting responsibilities, and it also has authority to realise that lay outive action is taken.The Treadway commission show the value of audit committees and recommended that all public companies be required to established audit committees composed entirely of independent directors. opposite committees are: compensation committee, finance committee, nominating committee, emplo yee benefits committee and other committees. Internal parties: Internal auditors Internal auditors directly examine internal controls and recommend improvements. Internal auditors should: canvas the reliability and integrity of financial and operating nurture and the means used to identify, measure, classify, and report such information †Review the systems established to cover compliance with those policies, plans, procedures, laws and regulations which could have a significant impact on operations and reports and should determine whether it is in compliance †Review the means of safeguarding assets and verify the existence of these assets †Appraise the parsimoniousness and efficiency with which resources are employed †Review operations to ascertain whether results are consistent with established objectives and goals and whether operations are being carried out as planned. organizational position and authority involve such matters as reporting line to an indi vidual who has sufficient authority to ensure appropriate audit coverage, consideration and reaction; selection and dismissal of the director of internal auditing only with board of directors’ or audit committee’s concurrence; internal auditor regain to the board or audit committee; and internal auditor authority to follow up on findings and recommendations.Internal auditors are objective, avoid potency and actual conflicts of interest and bias, arise and not assume operating responsibilities. Internal Parties: Other entity personal †First, virtually all employees play some role in effecting control †Second, all personnel should be responsible for communicating to a higher(prenominal) organizational level problems in operations, noncompliance with the code of conduct, or other violations of insurance policy or illegal actions away Parties: outdoor(a) auditors They bring to management and the board a unique independent and objective view, and contribute to an entity’s achievement of its financial reporting objectives, as well as other objectives.The auditor expresses an notion on the fairness of the financial statements in ossification with generally accepted accounting principles, and thus contributes to the entity’s financial reporting objectives. Auditors conducting a financial statement audit do provide information serviceable to management in carrying out their internal control-related responsibilities: †by communicating audit findings, analytical information and recommendations for use in victorious actions necessary to achieve established objectives †by communicating findings regarding deficiencies in internal control that come to their perplexity, and recommendations for improvement External Parties: Legislators and regulatorsLegislators and regulators affect the internal control systems of many entities, either through requirements to establish internal controls or through examinations of parti cular entities. They affect entities’ internal control system in two ways. They establish rules that provide the impetus for management to ensure that internal control systems meet the minimum statutory and regulatory requirements. And, pursuant to examination of a particular entity, they provide information used by the entity’s internal control system, and provide recommendations and sometimes directives to management regarding necessary internal control system improvements. External Parties: parties interacting with the entity (customer, supplier, vendor) These parties provide information that can be passing all- fundamental(prenominal) for objectives.External Parties: Financial Analysts, Bond Rating Agencies and the give-and-take Media CHAPTER 3: RISK ASSESSMENT Objective riding horse is a precondition to risk legal opinion. There must first be objectives before management can identify risks to their achievement and take necessary actions to manage the risks. Objective background knowledge, then, is a key part of the management process. At the entity level, objectives often are represented by the entity’s mission and value statements. on with assessments of the entity’s strengths and weaknesses, and of opportunities and threats, they lead to an boilers suit scheme. These subobjectives or activity-level objectives, include establishing goals and may deal with product line, market, financing and profit objectives.By setting objectives at the entity and activity levels, an entity can identify little succeeder factors. These are key things that must go right if goals are to be attained. Critical success factors exist for the entity, a business unit, a function, a department or an individual. Categories of objectives: Operations objectives: Operations objectives relate to achievement of an entity’s basic mission †the unplumbed reason for its existence. Operations objectives need to reflect the particular busin ess, intentness and economic environments in which the entity functions. Management must see to it that objectives are based on the reality and demands of the market rear and are expressed in price that allow meaningful performance measurements.A overhaul set of operations objectives and strategies, linked to subobjectives, is fundamental to success. They provide a focal point toward which the entity will commit red-blooded resources. Financial Reporting objectives: Financial reporting objectives prognosticate the preparation of reliable published financial statements, including meantime and condensed financial statements and selected financial data derived from such statements. Entities need to achieve financial reporting objectives to meet outdoor(a) obligations. Investors, creditors, customers and suppliers often rely on financial statements to assess management’s performance and to compare it with peers and substitute investments. Fair representation is efined as : †The accounting principles selected and apply have general acceptance †The accounting principles are appropriate in the circumstances †The financial statements are informative of matters that may affect their use, soul and interpretation †The information presented is classified and summarized in a reasonable manner, that is, it is neither too detailed nor too condensed †The financial statements reflect the underlying transactions and events in a manner that presents the financial position, results of operations and cash flows tell within a range of acceptable limits, that is, limits that are reasonable and practical to attain in financial statements Compliance objectives: Entities must conduct their activities, and often take particular actions, in accordance with applicable laws and regulations.These laws and regulations establish minimum standards of behavior, which the entity integrates into its compliance objectives. An entity’s compliance nature with laws and regulations can significantly †either positively or negatively †affect its reputation in the community. An objective in one syndicate may lap or support an objective in another. Another set of objectives relates to â€Å"safeguarding of resources”. Although these are primarily operations objectives, certain aspects of safeguarding can fall under the other categories. The category in which an objective falls can sometimes depend on circumstances. Objectives should be complementary and linked.Not only must entity-wide objectives be consistent with the entity’s capabilities and prospects, they also must be consistent with the objectives of its business units and functions. Entity-wide objectives must be broken down into subobjectives, consistent with the overall strategy, and linked to activities throughout the organization. Where, however, objectives depart form an entity’s by practices, management must address the linkages or run increased risks. Activity objectives also need to be clear, that is, readily still by the people taking the actions toward their achievement. They must also be measurable. It is useful to relate an activity’s overall set of objectives to resources easy.A way to relieve further resource constraint is to question activity objectives that do not support entity-wide objectives and the entity’s business processes. Another means of reconciliation objectives and resources is to identify activity objectives that are very important or life-sustaining to achieving entity-wide objectives. Objectives provide the measurable targets which the entity moves in conducting its activities. The goal of internal control in this area focuses primarily on: developing consistency of objectives and goals throughout the organization, identifying key success factors and timely reporting to management of performance and expectations.Although success cannot be ensured, management should have reasonable assurance of being alerted when objectives are in danger of not being achieved. assays The process of identifying and analyzing risk is an ongoing iterative process and is a critical component of an effective internal control system. Management must focus carefully on risks at all levels of the entity and take the necessary actions to manage them. jeopardy identification An entity’s performance can be at risk due to internal or external factors. Regardless of whether an objective is stated or implied, an entity’s risk-assessment process should consider risks that may occur. Risk identification is an iterative process and often is merged with the planning process.Entity level: risks at the entity-wide level can arise from external or internal factors. External factors examples: †Technological developments can affect the nature and time of research and development, or lead to changes in procurement †Changing customer postulate or expectations ca n affect product development, production process, customer service, set or warranties. †Competition can alter marketing or service activities †spick-and-span legislation and regulation can force changes in operating policies and strategies †Natural catastrophes can lead to changes in operations or information systems and highlight the need for contingency planning. economical changes can have an impact on decisions related to financing, capital expenditures and expansion. Internal factors examples: †A disruption in information systems touch can adversely affect the entity’s operations. †The quality of personnel hired and methods of training and motivation can influence the level of control consciousness within the entity. †A change in management responsibilities can affect the way certain controls are effected. †The nature of the entity’s activities, and employee entrance moneyibility to assets, can contribute to misappropriation of resources. †An unassertive or ineffective board or audit committee can provide opportunities for indiscretions.Risk may be identified in connection with short- and long-range forecasting and strategic planning. What is important is that management considers carefully the factors that may contribute to or increase risk. Some factors to consider include: past experiences of failure to meet objectives; quality of personnel; changes affecting the entity such as competition, regulations, personnel, and the like; existence of geographically distributed, finically foreign, activities; significance of an activity to the entity; and the complexity of an activity. formerly the major contributing factors have been identified, management can then consider their significance and, where possible, link risk factors to business activities. Activity-level.In addition to identifying risk at the entity level, risks should be identified at the activity level. Dealing with risk at this level helps focus risk assessment on major business units or functions such as sales, production, marketing, technology development, and research and development. Potential causes of helplessness to achieve an objective range from the obvious to the obscure, and form the significant to the insignificant in potential effect. Risk analysis After the entity has identified entity-wide and activity risks, a risk analysis needs to be performed. The process †which may be more or less formal †commonly includes: †Estimating the significance of the risk Assessing the likelihood (or frequency) of the risk occurring †Considering how the risk should be managed †that is, an assessment of what actions need to be taken. There are numerous methods for estimating the cost of a loss from an identified risk. Management should be aware of them and apply them as appropriate. However, many risks are indeterminate in size. At best they can be described as large, moderate or small. Onc e the significance and likelihood of risk have been assessed, management needs to consider how the risk should be managed. This involves judgment based on assumptions about the risk, and reasonable analysis of costs associated with reducing the level of risk.Sometimes actions can virtually eliminate the risk, or offset its effect if it does occur. Note that there is a distinction between risk assessment, which is part of internal control and the resulting plans, political platforms or other actions deemed necessary by management to address the risks. A key part of the larger management process, but not an element of the internal control system. Along with actions for managing risk is the establishment of procedures to enable management to track the carrying out and forcefulness of the action. Before pose additional procedures, management should consider carefully whether quick ones may be suitable for addressing identified risks.Management also should recognize that it is apt( predicate) some level of counterpoise risk will always exist, not only because resources are always limited, but also because o other limitations inherent in every internal control system. It is often critical to the entity’s success. Managing change Every entity needs to have a process, formal or informal, to identify conditions that can significantly affect its ability to achieve its objectives. A key part of that process involves information systems that capture, process and report information about events, activities and conditions that indicate changes to which the entity needs to react. With the requisite information systems in place, the process to identify and respond to changing conditions can be established. Circumstances demanding special financial aid: Changed operating environment †A changed regulatory or economic environment can result in increased competitive pressures and significantly different risks †cutting personnel †high turnover of pers onnel, in the absence of effective training and supervision, can result in breakdowns †New or revamped information systems †Normally effective controls can break down when unseasoned systems are developed, particularly when make under unusually confining time constraints †Rapid growth †When operations lose ones temper significantly and quickly, existing systems may be laboured to the point where controls can break down †New technology †when new technology is being incorporated, a high likelihood exists that internal controls need to be modified. †New lines, products, activities †unfamiliar situations, controls may be little †Corporate restructurings †may be accompanied by staff reductions and inadequate supervision and segregation of duties. †foreign operations †the expansion or acquisition of foreign operations carries new and often unique risks that management should address. To the extent practicable, mechanisms should be forward-looking, so an entity can anticipate and plan for significant changes.Early warning systems should be in place to identify data signaling new risks. However, as with other control mechanisms, the related costs cannot be ignored. No entity has sufficient resources to experience and psychoanalyse completely the information about all the non-finite evolving conditions that can affect it. It is often difficult to know whether seemingly significant information is the beginning of an important trend, ore merely an aberration. The risk-assessment process is obvious to be less formal and less structured in small entities than in larger ones, but the basic concepts of this internal control component should be present in every entity, regardless of size.Risk assessment in small entity can be particularly effective because the in-depth involvement of the CEO and other key managers often means that risks are assessed by people with both access to the appropriate inform ation and a good understanding of its moments. Action plans can be devised and implemented quickly with limited number of people. They can then follow up as requisite to ensure that the necessary actions are being taken. CHAPTER 4: CONTROL ACTIVITIES Control activities are policies and procedures, which are the actions of people to implement the policies, to help ensure that management directives identified as necessary to address risks are carried out. some(prenominal) different descriptions of types of control activities have been put forth, including preventive controls, detective controls, manual controls, ready reckoner controls and management controls. Following are certain control activities commonly performed by personnel at various(a) levels in organizations. †Top level reviews †Reviews are made of actual performance versus budgets, forecasts, prior periods and competitors †Direct functional or activity management †managers running functions or activ ities review performance reports †Information processing †A variety of controls are performed to check trueness, completeness and authorization of transactions. info entered are subject to edit checks or coordinated to approved control files. Physical controls †Equipment, inventories, securities, cash and other assets are secured, physically, and periodically counted and compared with amounts shown on control records. †functioning indicators †Relating different sets of data †operating or financial †to one another, together with analyses of the relationships and investigate and corrective actions, make out as control activities. †Segregation of Duties †duties are divided, or segregated, among different people to reduce the risk of error or inappropriate actions. Control activities usually involve two elements: a policy establishing what should be through and, serving as a basis for the stake element, procedures to effect the policy. B ut regardless of whether a policy is written, it must be implemented thoughtfully, conscientiously and consistently.A procedure will not be useful if performed mechanically without a sharp continuing focus on conditions to which the policy is directed. It is essential that conditions identified as a result of the procedures be investigated and appropriate corrective actions taken. Along with assessing risks, management should identify and put into effect actions necessary to address the risks. The actions identified as addressing a risk also wait on to focus attention on control activities to be put in place to help ensure that the actions are carried out decent and in a timely manner. Control activities are very much a part of the process by which an enterprise strives to achieve its business objectives. Control activities serve as mechanisms for managing the achievement of that objective.Such activities might include tracking the progress of the development of the customer get histories against established timetables, and steps to ensure accuracy fo the reported data. Controls over information systems Two gigantic groupings of information systems control activities can be used. The first is general controls †which apply to many if not all exercise systems and help ensure their continued, proper operation. The second category is exertion controls, which include computerized steps within the use software and related manual procedures to control the processing of various types of transactions. Together, these controls serve to ensure completeness, accuracy and validity of the financial and other information in the system.General controls commonly include controls over data eye operations, system software acquisition and maintenance, access security, and application system development and maintenance. These controls apply to all systems †mainframe, minicomputer and end-user work out environments. Application controls are designed to control a pplication processing, helping to ensure the completeness and accuracy of transaction processing, authorization and validity. Particular attention should be paid to an application’s interfaces, since they are often linked to other systems that in turn need control to ensure that all inputs are received for processing and all outputs are distributed appropriately.Controls over system development requiring extreme reviews and testing of applications ensure that the logic of the report program is sound, and that it has been tested to ascertain that all exceptions are reported. To provide control after implementation of the application, controls over access and maintenance ensure that applications are not accessed or changed without authorization and that required, authorized changes are made. The data center operations controls and systems software controls ensure that the right files are used and up battled appropriately. The relationship between the application controls and t he general controls is such that general controls are needed to support the functioning of application controls, and both are needed to ensure complete and accurate information processing.The concepts underlying control activities in smaller organizations are not likely to differ significantly form those in larger entities, but the formality with which they operate will vary. Further, smaller entities may find that certain types of control activities are not always relevant because of super effective controls applied by management of the small or mid-size entity. An appropriate segregation of duties often appears to present difficulties in smaller organizations, at least on the surface. Even companies that have only a few employees, however, can usually parcel out their responsibilities to achieve the necessary checks and balances.Controls over information systems, particularly general computer controls and more specifically access security controls, may present problems to small and mid-size entities. This is because of the informal way in which control activities are often implemented. CHAPTER 5: INFORMATION AND COMMUNICATION Every enterprise must capture pertinent information †financial and non-financial, relating to external as well as internal events and activities. The information must be identified by management as relevant to managing the business. It must be delivered to people who need it in a form and timeframe that enables them to carry out their control and other responsibilities.Information is needed at all levels of an organization to run the business, and move toward achievement of the entity’s objectives in all categories †operations, financial reporting and compliance. Information is identified, captured, processed and reported by information systems. The term â€Å"information systems” frequently is used in the context of processing internally generated data relating to transactions, such as purchases and sales, and internal operating activities, such as production processes. Information systems sometimes operate in a monitoring mode, routinely capturing specific data. In other cases, special actions are taken to obtain needed information.Keeping information consistent with needs becomes particularly important when an entity operates in the face of fundamental industry changes, exceedingly innovative and quick-moving competitors or significant customer demand shifts. Systems support strategic initiatives. The strategic use of information systems has meant success to many organizations. Using technology to help respond to a better understood marketplace is a growing trend, as systems are used to support proactive rater than reactive business strategies. Integration with operations. The strategic use of systems demonstrates the shift that has occurred from purely financial systems to systems integrated into an entity’s operations.These systems help control the business process, tracking and recording transactions on a real-time basis, often including many of the organization’s operations in an integrated, complex systems environment. The effect of integrated operations systems is dramatic, as can been seen in the just-in-time (JIT) inventory system. The systems themselves order and schedule arrival of new materials automatically, frequently through the use of EDI (electronic data interchange). Many of the newer production systems are highly integrated with other organizational systems and may include the organization’s financial systems. Acquisition of technology is an important aspect of corporate strategy, and choices regarding technology can be critical factors in achieving growth objectives. Decisions about its selection and implementation depend on many factors.These include organizational goals, market-place needs, competitive requirements and, importantly, how the new systems will help effect control, and in turn be subject to the necessary co ntrols, to promote achievement of the entity’s objectives. It is critical that reports contain enough appropriate data to support effective control. The quality of information includes ascertaining whether: †Content is appropriate †Is the needed information there? †Information is timely †Is it there when required? †Information is current †Is it the latest available? †Information is accurate †Are the data correct? †Information is accessible †Can it be obtained advantageously by appropriate parties?All of these questions must be addressed by the system design. If not, it is not presumable that the system will not provide the information required. conversation is inherent in information systems. Internal In addition to receiving relevant data for managing their activities, all personnel, particularly those with important operating or financial management responsibilities, need to receive a clear message from top management tha t internal control responsibilities must be taken seriously. Both the clearness of the message and the effectiveness with which it is communicated are important. In addition, specific duties must be made clear. Without this understanding, problems are likely to arise.In performing their duties, personnel should know that whenever the unexpected occurs, attention is to be given not only to the event itself, but also to its cause. In this way, a potential weakness in the system can be identified and action taken to prevent recurrence. People also need to know how their activities relate to the work of others. People need to know what behavior is expected, or acceptable, and what is unacceptable. Personnel also need to have a means of communicating significant information upriver in an organization. Front-line employees who deal with critical operating issues every day are often in the best position to recognize problems as they arise.For such information to be reported upstream, the re must be both open channels of communication and well-defined willingness to listen. People must believe their superiors truly want to know about problems and will deal with them effectively. In most cases, the normal reporting lines in an organization are the appropriate communications channel. In some circumstances, however, break open lines of communication are needed to serve as a fail-safe mechanism in case normal channels are inoperative. parley between management and the board of directors and committees are critical. Management must keep the board up to date on performance, developments, risks, major initiatives, and any other relevant events or occurrences.The better the communications to the board, the more effective it can be in carrying out its oversight responsibilities, and acting as a sounding board on critical issues and providing advice and counsel. By the same token, the board should communicate to management what information it needs, and provide direction an d feedback. External There needs to be appropriate communication not only within the entity, but outside. With open communications channels, customers and suppliers can provide highly significant input on the design or quality of products or services, enabling a company to address evolving customer demands or preferences. Communications from external parties often provide important information on the functioning of the internal control system.Communications to shareholders, regulators, financial analysts and other external parties should provide information relevant to their needs, so they can readily understand the circumstances and risks the entity faces. Communication takes such forms as policy manuals, memoranda, bulletin board notices and videotaped messages, or transmitted orally. Another powerful communications medium is the action taken by management in dealing with subordinates. Managers should remind themselves, â€Å"actions speak louder than speech communication” . Information systems in smaller organizations are likely to be less formal than in large organizations, but their role is just as significant. CHAPTER 6: MONITORINGCircumstances for which the internal control system originally was designed also may change, causing it to be less able to warn of the risks brought by new conditions. Accordingly, management needs to determine whether the internal control system continues to operate effectively. Monitoring can be done in two ways: through ongoing activities or cave in evaluations. Internal control systems usually will be structured to monitor themselves on an ongoing basis to some degree. The greater the degree and effectiveness of ongoing monitoring, the less need for separate evaluations. Usually, some combinations of ongoing monitoring and separate evaluations will ensure that the internal control system maintains its effectiveness over time. It should e recognized that ongoing monitoring procedures are built in to the normal, recur ring operating activities of an entity. Because they are performed on a real-time basis, reacting dynamically to changing conditions, and are ingrained in the entity, they are more effective than procedures performed in connection with separate evaluations. Since separate evaluations take place after the fact, problems will often be identified more quickly by the ongoing monitoring routines. An entity that perceives a need for frequent separate evaluations should focus on ways to enhance its ongoing monitoring activities and, thereby; to try â€Å"building in” versus â€Å"adding on” controls. Ongoing monitoring activitiesExamples of ongoing monitoring activities include the following: †point to which personnel, in carrying out their regular activities, obtain narrate as to whether the system of internal control continues to function. †bound to which communications from external parties corroborate internally generated information, or indicate problems. à ¢â‚¬ Periodic comparison of amounts recorded by the accounting system with physical assets. †Responsiveness to internal and external auditor recommendations on means to inflect internal controls. †Extent to which training seminars, planning sessions and other meetings provide feedback to management on whether controls operate effectively. Whether personnel are asked periodically to state whether they understand and play along with the entity’s code of conduct and regularly perform critical control activities. †Effectiveness of internal audit activities. Separate evaluations While ongoing monitoring procedures usually provide important feedback on the effectiveness of other control components, it may be useful to take a fresh look from time to time, counselling directly on the system’s effectiveness. area and frequency. Evaluations of internal control vary in scope and frequency, depending on the significance of risks being controlled and importance o f the controls in reducing the risks.Evaluation of an entire internal control system †which will generally be needed less frequently than the assessment of specific controls †may be prompted by a number of reasons: major strategy or management change, major acquisitions or dispositions, or significant changes in operations or methods of processing financial information. The evaluation scope will also depend on which of the three objectives categories †operations, financial reporting and compliance †are to be addressed. Who evaluates. Often evaluations take the form of self-assessments, where persons responsible for a particular unit or function will determine the effectiveness of controls for their activities. Then, all results would be subject to the chief executive’s review.Internal auditors normally perform internal control evaluations as part of their regular duties, or upon special requests of the board of directors, senior management or subsidiary o r divisional executives. Similarly, management may use the work of external auditors in considering the effectiveness of internal control. The evaluation process. The evaluator must understand each of the entity activities and each of the components of the internal control system being addressed. It may be useful to focus first on how the system purportedly functions, sometimes referred to as the systems design. The evaluator must determine how the system actually works. The evaluator must analyze the internal control system design and the results of tests performed.The analysis should be conducted against the setting of the established criteria, with the ultimate goal of determining whether the system provides reasonable assurance with respect to the stated objectives. methodology can be qualitative/quantitative (benchmarking) Documentation. The extent of documentation of an entity’s internal control system varies with the entity’s size, complexity and similar factor s. Many controls are informal and undocumented, yet are regularly performed and highly effective. An appropriate level of documentation makes the evaluation more efficient, it facilitates employees’ understanding of how the system works and their particular roles, and easier to modify.Reporting deficiencies Deficiencies in an entity’s internal control system surface from many sources, including the entity’s ongoing monitoring procedures, separate evaluations of the internal control system and external parties. A deficiency may represent a perceived, potential or real shortcoming, or an opportunity to prove the internal control system to provide a greater likelihood that the entity’s objectives will be achieved. One of the best sources of information on control deficiencies is the internal system itself. A number of external parties frequently provide important information on the functioning of an entity’s internal control system.In considering wha t needs to be communicated, it is necessary to look at the implication of findings. A seemingly simple problem with an apparent solution might have far-reaching control implications. Findings of internal control deficiencies usually should be reported to the individual responsible for the function or activity involved, who is in the position to take corrective action, but also to at the lest one level of management preceding(prenominal) the directly responsible person. This process enables that individual to provide needed support or oversight for taking corrective action, and to communicate with others in the organization whose activities may be affected.Where findings cut across organizational boundaries, the reporting should cross over as well and be directed to a sufficiently high level to ensure appropriate action. Providing needed information on internal control deficiencies to the right party is critical to the continued effectiveness of an internal control system. Protocols can be established to identify what information is needed at a particular level for decision-making. reportable conditions ( significant deficiencies in the design or operation of the internal control structure, which could adversely affect the organization’s ability to record, process, summarize and report financial data consistent with the assertions of management in the financial statements. SME ( more ongoing monitoring, less like to do separate (few people, notice quicker)\r\n'