Control Environment
Demonstrate Commitment to Integrity and Ethical Values
The oversight body and management should demonstrate a commitment to integrity and ethical values.
Tone at the Top
Standards of Conduct
Adherence to Standards of Conduct
Exercise Oversight Responsibility
The oversight body should oversee the entity’s internal control system.
Oversight Structure
Oversight for the Internal Control System
Input for Remediation of Deficiencies
Establish Structure, Authority, and Responsibility
Management should establish an organizational structure, assign responsibility, and delegate authority to achieve the entity’s objectives.
Organizational Structure
Assignment of Responsibility and Delegation of Authority
Documentation of the Internal Control System
Demonstrate Commitment to Competence
Management should demonstrate a commitment to recruit, develop, and retain competent individuals.
Expectations of Competence
Recruitment, Development, and Retention of Individuals
Succession and Contingency Plans and Preparation
Enforce Accountability
Management should evaluate performance and hold individuals accountable for their internal control responsibilities.
Enforcement of Accountability
Consideration of Excessive Pressures
Risk Assessment
Define Objectives and Risk Tolerances
Management should define objectives clearly to enable the identification of risks and define risk tolerances.
Definitions of Objectives
Definitions of Risk Tolerances
Identify, Analyze, and Respond to Risks
Management should identify, analyze, and respond to risks related to achieving the defined objectives.
Identification of Risks
Analysis of Risks
Response to Risks
Assess Fraud Risk
Management should consider the potential for fraud when identifying, analyzing, and responding to risks.
Types of Fraud
Fraud Risk Factors
Response to Fraud Risks
Identify, Analyze, and Respond to Change
Management should identify, analyze, and respond to significant changes that could impact the internal control system.
Identification of Change
Analysis of and Response to Change
Control Activities
Design Control Activities
Management should design control activities to achieve objectives and respond to risks.
Response to Objectives and Risks
Design of Appropriate Types of Control Activities
Design of Control Activities at Various Levels
Segregation of Duties
Design Activities for the Information System
Management should design the entity’s information system and related control activities to achieve objectives and respond to risks.
Design of the Entity’s Information System
Design of Appropriate Types of Control Activities
Design of Information Technology Infrastructure
Design of Security Management
Design of Information Technology Acquisition, Development, and Maintenance
Implement Control Activities
Management should implement control activities through policies.
Documentation of Responsibilities through Policies
Periodic Review of Control Activities
Information and Communication
Use Quality Information
Management should use quality information to achieve the entity’s objectives.
Identifies Information Requirements
Relevant Data from Reliable Sources
Data Processed into Quality Information
Communicate Internally
Management should internally communicate the necessary quality information to achieve the entity’s objectives.
Communication throughout the Entity
Appropriate Methods of Communication
Communicate Externally
Management should externally communicate the necessary quality information to achieve the entity’s objectives.
Communication with External Parties
Appropriate Methods of Communication
Monitoring
Perform Monitoring Activities
Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results.
Establishment of a Baseline
Internal Control System Monitoring
Evaluation of Results
Evaluate Issues and Remediate Deficiencies
Management should remediate identified internal control deficiencies on a timely basis.
Reporting of Issues
Evaluation of Issues
Corrective Actions