===Control environment===
; Code of Conduct : The norms to which the organization voluntarily agrees to comply. For example, the company's code of conduct might include a policy prohibiting employees from accepting gifts from vendors.
; Governance : A mechanism for monitoring how the organization's resources are being put to efficient use by management, with an emphasis on transparency and accountability.
; Assignment of Authority and Responsibility : "Authority" refers to the right to perform the organization's activities; "responsibility" refers to the obligation to perform assigned activities. For control objectives to be achieved, authorities and responsibilities must be consistent with the goals of the organization's business activities and assigned to appropriate personnel.
; Hiring and Retention Practices : Hiring and retaining skilled people is critical to an organization's success. Policies and procedures for job definition, recruitment, training, performance appraisal, employee retention programs, and management of employee exits are important components of managing human resources.
; Fraud Prevention (Prevent/Detect Controls and Analytical Procedures) : The anti-fraud controls and procedures used by management to prevent, detect and mitigate fraud. Examples include segregation of duties, an ethics hotline, and periodic job rotation.
===Risk assessment===
; Risk Assessment Methodology : A systematic approach to identifying, assessing and prioritizing risks.
; Risk Assessment Analytical Techniques : Analytical techniques, if used appropriately, can serve as a tool in the risk assessment process. Because risk assessment depends on judgment, analytical techniques help remove subjectivity, to a certain extent, by collating and presenting data in a systematic manner for assessing the potential impact and likelihood of occurrence of risks.
===Information and communication===
; Internal Communication and Performance Reporting : The lines of communication that run through an organization's structure, both top-down and bottom-up, including peer communication. Performance reporting is part of internal communication and usually involves a two-way process of setting expectations and monitoring performance against agreed-upon expectations.
; Tone Setting : The various components of the "tone at the top" that are the building blocks of the character of an organization. Having set the right tone, it is equally important to have open channels of communication so that those within and outside the organization understand and act upon it. Examples of such components include the code of ethics and corporate governance practices.
; Board/Audit Committee Reporting : Board members, including independent directors, assume fiduciary responsibilities that require access to accurate and relevant information. While most countries have enacted laws regarding formal reporting to the board of directors and the Audit Committee of the Board, these usually constitute baseline procedures and requirements. Companies are free to adopt more stringent measures, such as holding more frequent formal Audit Committee meetings than required by law.
; External Communication : Communication to shareholders, the stock market, customers, regulators, vendors, and other entities outside the company's formal boundaries. The annual report is an example of external communication about company performance, financial statements, vision, goals and targets.
===Monitoring===
; Ongoing Monitoring Activities : Periodic review of processes and controls using relevant management reporting tools. For example, a monthly review of the aging of accounts receivable to determine the extent of reserves required for doubtful debts.
; Independent Assessment Mechanism : Use of external specialists or professionals to review and assess internal controls. For example, external tax professionals might review the controls around tax positions developed by the in-house tax team.
; Variance Analysis Reporting : Comparison and reporting of actual performance against pre-determined benchmarks, if used appropriately, can serve as an early-warning mechanism. For example, a steady lengthening of the debtor collection period might indicate collection-related problems.
; Remediation Mechanism : A systematic approach to resolving identified internal control issues. While an issue could be identified by either an internal or an external monitoring mechanism, the remediation mechanism is usually management-owned.
; Management Triggers Embedded Within IT Systems : Most enterprise applications allow business rules to be configured so as to prevent an action, require pre-approval, or alert relevant management personnel when pre-set thresholds are exceeded. For example, a sales application could enforce a control preventing sales transactions above a customer's specified credit limit.

==Importance==