Internal controls procedures

control environment

integrity and ethical values - management promotes honesty and ethical behavior

control environment

committment to competence - employees have the knowledge and skills to perform their jobs

control environment

board of direcots and audit committee- independent oversight of managment

control environment

managements philosophy and operating (falls under board/oversight and tone at the top concepts - managements attitude toward risk, controls, and financial reporting

control environment

organizational structure - clear reporting lines and organizational hierarchy

control environment

assignment of authority and responsibility - duties and decisionmaking authority are clearly assigned (segregation of duties included)

control environment

human resource policies and procedures - HR hires, evaluates promotes, and disciplines employees appropriately (performance reviews, background checks, disciplinary actions

Risk Assessment

company wide objectives - organization establishes overall objectives (strategic goals, company objectives - compliance)

Risk Assessment

Process level objectives - individual deparments establish objectives (department goals, operational objectives)

Risk Assessment

risk identification and analysis - management identifies risks that threaten objectives

Risk Assessment

managing change - management evaluates how changes create new risks

Risk Assessment

assess fraud risk - management considers incentives, opportunites and rationalization for fraud

Control Activities

policies and procedures - specific controls ensure manage ment directives are carried out

Control Activities

security (application and network) - protects systems from unauthorized access

Control Activities

application change management - changes to software are properly approved and tested

Control Activities

business continuity/backups - organization can recover after disruptions

Control Activities

outsourcing - controls over third party service providers

Information and Communication

quality of information - information is accurate, complete, timely, and relevant

Information and Communication

effectiveness of communication - important information flows throughout the organization and externally (whistleblower, other reporting)

Monitoring

ongoing monitoring - continuous monitoring during normal operations (suporvisior review, daily review, routine monitoring)

Monitoring

separate evaluations - independent evaluations of internal controls

Monitoring

reporting deficiencies - control weaknesses are communicated and corrected

commitment to competence

training, mentoring certifications

integrity and ethical values

ethics, honesty, code of conduct

board of directors and audit committeeag

audit committee, independent board

management philosophy and operating styler

aggressive earnings targets, management attitude

organizational structure

reporting lines, org chart

assignment of authority and responsibility

segregation of duties, assigning responsibilities

Human resource policies and procedures

hiring, promotions, background checks

company wide objectives

strategic goals

process level objectives

department goals

risk identification and analysis

identifying risks

managing change

new ERP, merger, regulatory change

assess fraud risk

bonuses, commissions, fraud incentives

policies and procedures

approvals, reconciliations, authorizations

security

passwords, firewalls, user access

application change management

software updates

business continuity/backups

backups, disaster recovery

outsourcing

payroll company, cloud provider, SOC reports

quality of information

accurate, complete, timely information

effectiveness of communication

hotline, whistleblower, reporting channelso

ongoing monitoring

daily supervisory reviews

separate evaluations

internal audit, periodic testing

reporting deficiencies

reporting deficiencies to management or the board