Management Control System Design

click to edit

Objectives

click to edit

• Compliance Objectives—These pertain to adherence to laws and regulations to which the entity is subject.

• Operations Objectives—These pertain to effectiveness and efficiency of the entity’s operations, including operational and financial performance

• Reporting Objectives—These pertain to internal and external financial and non-financial reporting and may encompass reliability, timeliness, transpar-
ency

Components

Control Activities
Control activities are the actions established through policies and procedures that help ensure that management’s directives to mitigate risks to the achievement of objectives are carried out.

Information and Communication
Information is necessary for the entity to carry out internal control responsibilities to support the achievement of its objectives.

Risk Assessment
Risk is defined as the possibility that an event will occur and adversely affect the achievement of objec- tives.

Monitoring Activities
Ongoing evaluations, separate evaluations, or some combination of the two are used to ascertain whether each of the five components of internal control, including controls to effect the principles within each component, is present and functioning.

Control Environment
The control environment is the set of standards, processes, and structures that provide the basis for carrying out internal control across the organization.

Relationship of Objectives and Components

• The five components are represented by the rows.

• An entity’s organizational structure is rep- resented by the third dimension.

• The three categories of objectives—oper- ations, reporting, and compliance—are represented by the columns.

Components and Principles

Monitoring Activities

Control Activities

Risk Assessment

Information and Communication

Control Environment

  1. The organization demonstrates a commitment to integrity and ethical values.

  2. The board of directors demonstrates independence from management and exer- cises oversight of the development and performance of internal control.

  3. Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives.

  4. The organization demonstrates a commitment to attract, develop, and retain com- petent individuals in alignment with objectives.

  5. The organization holds individuals accountable for their internal control responsibili- ties in the pursuit of objectives.

  1. The organization specifies objectives with sufficient clarity to enable the identifica- tion and assessment of risks relating to objectives.

  2. The organization identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed.}

  3. The organization considers the potential for fraud in assessing risks to the achieve- ment of objectives.

  4. The organization identifies and assesses changes that could significantly impact the system of internal control.

click to edit

  1. The organization selects and develops control activities that contribute to the miti- gation of risks to the achievement of objectives to acceptable levels.

  2. The organization selects and develops general control activities over technology to support the achievement of objectives.

  3. The organization deploys control activities through policies that establish what is expected and procedures that put policies into action

  1. The organization obtains or generates and uses relevant, quality information to support the functioning of internal control.

  2. The organization internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control.

  3. The organization communicates with external parties regarding matters affecting the functioning of internal control.

  1. The organization selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning.

  2. The organization evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate.