BASE SOCIAL

As economic, industry, and regulatory environments change, the scope and nature of an entity’s leadership, priorities, business model, organization, business processes, and activities need to adapt and evolve. Internal control effective within one set of conditions may not necessarily be effective when those conditions change significantly. As part of risk assessment, manage- ment identifies changes that could significantly impact the entity’s system of internal control and takes action as necessary. Thus, every entity will require

a process to identify and assess those internal and external factors that can significantly affect its ability to achieve its objectives.

This process will parallel, or be a part of, the entity’s regular risk assessment process. It involves identifying the changes to any significant assumption or condition. It requires having controls in place to identify and communicate changes that can affect the entity’s objectives—and assess the associated risks. Such analysis includes identifying potential causes of achieving or fail- ing to achieve an objective, assessing the likelihood that such causes will oc- cur, evaluating the probable effect on achievement of the objectives, and considering the degree to which the risk can be managed.

Although the process by which an entity manages change is similar to, if not a part of, its regular risk assessment process, it is discussed separately. This is because it is important to effective internal control and because it can too easily be overlooked or given insufficient attention in the course of dealing with everyday issues.

Management develops approaches to identify significant changes in any ma- terial assumption or condition that have taken place or will shortly occur. To the extent practicable, these mechanisms are forward looking, so an entity can anticipate and plan for significant changes. Early warning systems should be in place to identify information signaling new risks that can have a signi- ficant impact on the entity. Management also develops and implements con- trols relating to the conduct of such approaches.

This focus on change is founded on the premise that, because of their poten- tial impact, certain conditions should be the subject of special consideration. The extent to which such conditions require management’s attention, of course, depends on the effect they may have in particular circumstances.

Return to Table of Contents External Environment

•

onment can result in increased competitive pressures, changes in operat- ing requirements, and significantly different risks. Large-scale operations, reporting, and compliance failures by one entity may result in the rapid introduction of broad new regulations. For instance, the release of harmful materials near populated or environmentally sensitive areas may result in new industry-wide transportation restrictions that impact an entity’s ship- ping logistics; the external information that is viewed as having poor transparency may result in enhanced regulatory reporting requirements for all publicly traded companies; and the poor treatment of elderly pa- tients in a care facility may prompt additional care requirements for all care facilities. Each of these changes may require an organization to closely examine the design of its internal control system.

•

entity, supply chain, and other business partners may result in elevated risks that an entity needs to consider to sustain its business. An organiza- tion, for example, may need to find alternative sources of raw material or move production.

Business Model

•

the delivery of its services through new outsourced relationships, or dra- matically alters the composition of existing business lines, previously ef- fective internal controls may no longer be relevant. The composition of the risks initially assessed as the basis for establishing internal controls may have changed, or the potential impact of those risks may have in- creased so that prior internal controls are no longer sufficient. Some fin- ancial services organizations, for example, may have expanded into new products and concentrations without focusing on how to respond to changes in the associated risks of their products.

•

business operations, it may need to review and standardize internal con- trols across the expanded entity. Controls in place in the pre-acquisition operations may not be well developed, suitable for the newly combined

entity, or scalable to operation in the new business. Similarly, when an operation is disposed of, the level of acceptable variation may change in operations, and materiality may decrease. In addition, certain entity-level controls at the disposed business operation may no longer be present. Both the acquisition and divesture of a business may require the organiza- tion to review and possibly revise its internal controls to support the achievement of objectives as appropriate to the restructured entity.

•

ries new and often unique risks. Developing business in new geographies or outsourcing operations to foreign locations may help the business to grow and/or reduce costs, but it may also present new challenges and al- ter the type and extent of the risks. Operating in unfamiliar markets poses risk because there are different customs and practices. For instance, the control environment in a new environment is likely to be influenced by the local culture and customs. Business risks may result from factors unique to the local economy and regulatory environment and channels of communication.

•

structures, business processes, information systems, or resources may be strained to the point where internal controls break down. For instance, adding manufacturing shifts to meet demand or increasing back-office personnel may result in those responsible for supervision being unable to adapt to the higher activity levels and maintain adequate control.

•

service delivery processes, or supporting information systems, internal controls will likely need to be modified. For instance, introducing sales capabilities through mobile devices may require access controls specific to that technology as well as changes in controls over shipping processes.

Leadership Changes

•

entity may not understand the entity’s culture and reflect a different philosophy or may focus solely on performance to the exclusion of control- related activities. For instance, a newly hired chief executive officer

focusing on revenue growth may send a message that a prior focus on ef- fective internal control is now less important. Further, high turnover of personnel, in the absence of effective training and supervision, can result in breakdowns. For instance, a company that reduces its staffing levels by 25% in an attempt to reduce costs may erode the overall internal control structure.

Footnotes

10 Regulators and standard-setting bodies define the term “materiality.” Management de- velops an understanding of materiality as defined by laws, rules, and standards when applying the Framework in the context of such laws, rules, and standards.

Continue Reading

11 Derived from International Financial Reporting Standards.

Continue Reading

12 Some jurisdictions may describe financial statement assertions using terms such as “ex- istence or occurrence,” “completeness, valuation or allocation,” “rights and obliga- tions,” and “presentation and disclosure.”

Continue Reading

13 Derived from International Financial Reporting Standards. Some jurisdictions may use different descriptions of financial statement materiality.

Continue Reading Return to Table of Contents Return to Top

BREAK

7. Control Activities

Chapter Summary

Control activities are the actions established through policies and