Illustration 2. Example Control Objectives
Business Objective | Example Control Objectives |
Corporate Culture: Establish a culture and a tone at the top that fosters integrity, shared values, and teamwork in pursuit of the entity’s objectives. | Articulate and communicate codes of conduct and other policies regarding acceptable business practice, conflicts of interest, and expected standards of ethical and moral behavior. Reduce incentives and temptations that can motivate employees to act in a manner that is unethical, opposed to the entity’s objectives, or both. Reinforce written policies about ethical behavior through action and leadership by example. |
Personnel Policies: The entity’s personnel have been provided with the information, resources, and support necessary to effectively carry out their responsibilities. | Identify, articulate, and communicate to entity personnel the information and skills needed to perform their jobs effectively. Provide entity personnel with the resources needed to perform their jobs effectively. Supervise and monitor individuals with internal control responsibilities. Delegate authority and responsibility to appropriate individuals within the organization. |
IT General Controls: The entity’s general IT policies enable the effective functioning of computer applications related to the financial reporting process. | Logical access control protects the following, which are used in the financial reporting process: systems; data; application, utility, and other programs; spreadsheets. Installation of suitable computer operating environment and controls over the physical access to hardware. Proper functioning of new, upgraded, and modified systems and applications, including plans for migration, conversion, testing, and acceptance. |
Risk Identification: Implement a process that effectively identifies and responds to conditions that can significantly affect the entity’s ability to achieve its financial reporting objectives. | Identify what can go wrong in the preparation of the financial statements at a sufficient level of detail that allows management to design and implement controls to mitigate risk effectively. Continuously identify and assess risk to account for changes in external and internal conditions. |
Antifraud Programs and Controls: Reduce the incidence of fraud. | Create a culture of honesty and high ethics. Evaluate antifraud processes and controls. Develop an effective antifraud oversight process. |
Period-End Financial Reporting Processes: Nonroutine, nonsystematic financial reporting adjustments are appropriately identified and approved. | Management is aware of and understands the need for certain financial reporting adjustments. Information required for decision-making purposes is: identified, gathered, and communicated; relevant and reliable. Management analyzes the information and responds appropriately. Management’s response is reviewed and approved. |
Selection and application of accounting principles result in financial statements that are “fairly presented.” | Management identifies events and transactions for which accounting policy choices should be made or existing policies reconsidered. The accounting policies chosen by management have general acceptance and result in a fair presentation of financial statement information. Information processing and internal control policies and procedures are designed to apply the accounting principles selected appropriately. |
Monitoring: Identify material weaknesses and changes in internal control that require disclosure. | Monitoring controls operate at a level of precision that would allow management to identify a material misstatement of the financial statements. This objective applies both to: controls that monitor other controls; controls that monitor financial information. |
Activity-Level Control Objectives: Adequately control the initiation, processing, and disclosure of transactions. | Identify, analyze, and manage risks that may cause material misstatements of the financial statements. Design and implement an information system to record, process, summarize, and report transactions accurately. Design and implement control activities, including policies and procedures applied in the processing of transactions that flow through the accounting system, in order to prevent or promptly detect material misstatements. Monitor the design and operating effectiveness of activity-level internal controls to determine if they are operating as intended and, if not, to take corrective action. |
Note
1 Refer to the October 2018 AICPA Peer Reviewer Alert at https://www.aicpa.org/content/dam/aicpa/interestareas/peerreview/newsandpublications/downloadabledocuments/reviewer-alert-201810.pdf.