This document discusses organizational level controls, which are one of two types of controls according to COSO. It focuses on the control environment component, which sets the tone at the top and influences all other aspects of internal control. Key aspects of an effective control environment discussed include integrity and ethical values, commitment to competence, oversight by the board of directors, management's operating philosophy, organizational structure, assignment of authority and responsibilities, and human resource policies.

1. Organizational Level Controls

2. Components of Internal
Control
• COSO sets forth five
components of internal
control:
– Control Environment
– Risk Assessment
– Control Activities
– Information and
Communication
– Monitoring

3. Components of Internal
Control (continued)
Two types of Controls:
• Organizational Level Controls (Focus of this Presentation)
• Functional Level Controls
COSO Component Primary Level of Application
Organizational Level Functional Level
Control Environment X
Risk Assessment X
Information and
X
Communication
(Communication)
X
(Information Systems)
Control Activities X
Monitoring X

4. Control Environment
• Sets the Organization’s Tone
• Most Cost Effective and Efficient way to
Implement Internal Control
• Effects all Other Aspects of Internal Control
• Control Environment Factors Include the
Following Principles:
– Integrity and ethical values, commitment to competence, oversight by board or
audit committee, management’s philosophy and operating style, organizational
structure, manner of assigning authority and responsibility, HR policies and
procedures.
• Hard Controls vs. Soft Controls

5. Integrity and Ethical Values
• Management’s Integrity Plays a Significant
Role in “Setting the Tone at the Top”
• Challenges Faced when Establishing Ethical
Values:
– Balancing the Issues and Concerns of Various
Parties
– Assigning Prominence to High Ethical Behavior
within the Organization
– Balancing Short-Term and Long-Term Goals

6. Commitment to
Competence
• Employee Competence is Critical to an Organization’s
Control Environment
– Otherwise, Employees May Not Follow Policies
– Internal Control Effectiveness would be Impaired
• Competence Levels Required are Determined by
Management.
– Implemented by hiring decisions, training
– Competence comes with cost
– Jobs with less supervision require more Competence

7. Board of Directors / Audit
Committee
• Their Existence Plays a Role in Setting Tone at the Top
• Board and Audit Committee Should Consist of
Executives Outside the Company
– Outsiders are Less Likely to be Influenced by Management
• Audit Committee Should Oversee:
– Internal Controls over Financial Reporting
– Fraud Risks Identified by Management
– Implementation of Anti-Fraud Measures
– Creation of Appropriate Tone at the Top
– Consideration of Management Override of Controls

8. The Audit Committee
Should…
• Exercise Appropriate Skepticism
• Have Knowledge of the Business and Industry
• Brainstorm Possible Fraud Risks
• Assess Tone at the Top via the Code of Conduct
• Use an Effective Whistleblower Program (including a
fraud hotline)
• Develop an Effective Information and Feedback
Network

9. Management’s Philosophy
and Operating Style
• Management Style: Formal vs. Informal
– Organizations with a formal management style generally have more
structured policies and procedures in place.
– Organizations with an informal management style use personal
contact with supervisors as a control function instead of written
policies and procedures.
• Management’s Philosophy and Operating Style Determine
Acceptable Behavior and Expectations for Each Employee
– An effective antifraud environment is created with a strong value
system founded on integrity.
– Proper examples set by management resonate through the business

10. Organizational Structure
• Organizational Structure:
– “Provides the framework within which its activities for achieving
entity-wide objectives are planned, controlled, and monitored.”
– Types of structures include: Centralized, decentralized, matrix
reporting relationships, direct reporting relationships.
– Can be organized by: Product line, industry, geographic location,
distribution network, marketing network, function.
– Issues to consider when establishing appropriate organizational
structure are how: Areas of authority are defined, appropriate
responsibilities are assigned, appropriate lines or reporting are
established.

11. Assignment of Authority and
Responsibility
• Determined by Management
– Segregation of Duties should be Considered
– Delegating authority to those closest to the transaction
facilitates timely decision-making. However, raises the risk
of poor decisions.
• Other Factors Affecting how Organizations
Delegate Responsibilities include:
– Organizational structure, competence,
accountability, monitoring.

12. Assignment of Authority and
Responsibility (Continued)
• Considerations for assignment of authority
and responsibility related to financial
reporting include:
– Appropriateness of authority and responsibility to
meet required objectives
– Policies that prevent unauthorized access
– Assignments of authorization is assigned at
appropriate levels

13. Human Resource Policies and
Procedures
• HR Policies and Procedures enable and
reinforce other aspects of the control
environment.
– Includes an organization’s practices relating to: hiring,
orientation, training, evaluating, counseling, promoting,
compensating, and remedial actions.

14. Special Considerations for Small
and Mid-sized Businesses
• Nature and Size of the Business
• Organization and Ownership Characteristics
• Diversity and Complexity of Operations
• Methods for Processing Financial Information
• Legal and Regulatory Requirements

15. Challenges for Smaller Businesses in
Implementing Internal Controls
• Management Influence
– Potential for management override of controls is greater with smaller
companies.
• Segregation of Duties
– This is often difficult with smaller companies since there are less
employees to split tasks with.
• Qualified Accounting Personnel
– Smaller companies may not have the resources to hire accounting
personnel with the appropriate technical skills.

16. Challenges for Smaller Businesses in
Implementing Internal Controls (Continued)
• Board of Directors and Audit Committee
– Smaller companies may not have the resources to attract a qualified
board of directors.
• Information Technology
– It may not make financial sense for a smaller company to have an
expensive ERP system with robust controls.

17. Managing Change – Potential
Changes with Significant Impact
• Changes in the Organization’s Operating Environment
– Management implements changes that result in additional risks
– Competitive pressures affect marketing or production strategies
– Deregulation affects competition and cost structures
• New Personnel May:
– Not have proper understanding of control
– Not understand the corporate culture
– Emphasize performance over control activities
– Not have the training and supervision necessary for controls to operate
• New or Revised Information Systems
– Time and cost constraints, and other issues on implementation
– Lack of training and lack of new controls related to new system

18. Managing Change – Potential Changes
with Significant Impact (Continued)
• Rapid Growth within the Organization
– May strain existing systems and personnel
– Shifting responsibilities
– More focused on results than on controls
• New Technology
– New or modified controls need to be implemented to address new technology
– Personnel may require training on use of new technology
• New Business Models, Products, or Activities
– Personnel may be unfamiliar of new business models, products, and activities
– Existing controls may not address new areas

19. Managing Change – Potential Changes
with Significant Impact (Continued)
• Restructuring Within the Organization May Result In:
– Staff reductions, inadequate supervision, inadequate separation of duties,
reassignment of personnel and new duties
• Expanded Foreign Operations
– Culture and customs of foreign country may different
– Economic and regulatory environment may be different
• Adaption of New Accounting Principles
– Unfamiliar with new requirements
– New requirements may affect a variety of accounts and transactions
– Complex requirements may require study and analysis to ensure provisions
are applied properly
– Presentation and disclosure issues

20. Communication
• Communication of expectations, responsibilities, and other
matters is necessary for the business to operate effectively
• Internal Communication- It is important that management
communicates:
– The importance of internal control
– Internal control responsibilities
– That unexpected events should be investigated
– How job activities relate to the work of others

21. Communication
(Continued)
• Importance of Upstream Communication
– Information flowing from bottom to top
– Significant operating issues are typically identified by
people close to the transaction
– Sales representatives may learn new way to give company
products an edge
– Personnel may be aware of ways to cut costs
– Finance employees may be aware of misstatements

22. Communication
(Continued)
• For upstream communication to occur, open
channels must be available
• Management should communicate key issues
to the board

23. Communication
(Continued)
• External Communication
– Communication with companies doing business
with the organization
– Communication with independent auditors
– Communication with regulators
– Communication with shareholders

24. Monitoring
• Monitoring can be accomplished through:
– Ongoing Activities
• Comparisons
• Reconciliations
• Internal and External Audit
• Regulators
• Vendors & Customers
– Separate Evaluations
– A Combination of the Two

25. Questions?

26. Thank You!
Please call Debbie Risher or Marvin
Willis at Smith & Howard with
questions.
404-874-6244
www.smith-howard.com
drisher@smith-howard.com