Page 207 - COSO Guidance Book

    For example, the treasurer of a small municipality, at the direction of the town council, files timely
    reports in order for the town to receive state grants.

  – Personnel — Understand the entity’s standards of conduct, assessed risks to objectives and the
    related control activities at their respective levels of the entity, the expected information and
    communication flow, and monitoring activities relevant to their achievement of objectives.

    For example, personnel receive ethics training every year in order to both (1) reinforce employees’
    knowledge of what behavior constitutes a violation of the entity’s policies and (2) teach them how to
    report violations.

  – Outsourced service providers — Adhere to management’s definition of the scope of authority and
    responsibility for all nonemployees engaged.

    Outsourced service providers are provided with clear and concise contractual terms related to the
    entity’s objectives and expectations of conduct and performance, competence levels, expected
    information, and communication flow.

    For example, a software development company that is customizing software for a faith-based
    organization might be required to sign a nondisclosure agreement stating that the software
    development company will keep confidential any information the company might obtain, such as
    the names of major donors.

The framework provides the following guidance (with relevant examples added for illustrative purposes)
regarding limitations of authority, which are necessary to ensure that:

  – Delegation occurs only to the extent required to achieve the entity’s objectives.

    For example, a community college contemplating an expansion of course offerings requires input not
    just from academic departments but review and approval by other committees (such as the college
    fixed-assets committee if there is a need for new facilities) and the college long-term planning
    committee (to determine if this expansion of courses meshes with long-term objectives).

  – Inappropriate risks are not accepted.

    For example, credit is not extended to new customers without performing a credit check.

  – Duties are segregated to reduce the risk of inappropriate conduct in the pursuit of entity objectives;
    requisite checks and balances occur from the highest to the lowest levels of the organization.

    For example, in a small for-profit entity, lack of segregation of duties might be mitigated by active
    owner-management involvement in the entity’s daily operations.

  – Technology is leveraged as appropriate to facilitate the definition and limitation of roles and
    responsibilities within the workflow of business processes.

  – Third-party service providers that perform activities on behalf of an entity understand the extent of
    their decision-making rights.

    For example, an entity might use a third-party service provider to process payroll. Appropriate
    individuals within the entity would be assigned different responsibilities for inputting routine
    transactions, maintaining and reconciling batch control totals, and ensuring that the correct amount


            © 2020 Association of International Certified Professional Accountants. All rights reserved.    3-9