Page 208 - COSO Guidance Book
P. 208

was transferred to a payroll bank account. These employees would be provided with different access
               rights to read, update, or delete data items based on their authority levels and job descriptions. The
               third-party service provider is restricted from initiating any input to the payroll system (file
               maintenance, transaction processing, and other types of input).




            Control environment principle 4:
            Demonstrates commitment to competence

            The organization demonstrates a commitment to attract, develop, and retain competent individuals in
            alignment with objectives.

            The following four points of focus highlight important characteristics relating to this principle:

              Point of focus — Establishes policies and practices

               Policies and practices reflect expectations of competence necessary to support the achievement of
               objectives.
               Policies and practices are the entity-level guidance and behavior that are based on the expectations
               and requirements of various stakeholders (lenders, customers, or vendors). Policies and procedures
               provide both the foundation for defining the competence needed within the organization and the
               basis for more detailed procedures for executing and evaluating performance as well as determining
               remedial actions, as necessary.

               For example, a policy might state that only experienced personnel who have worked for similar
               entities be recruited for open positions. A practice might be that job descriptions are crafted in
               accordance with this policy. For an example of a practice, a community hospital’s ad for the director
               of internal audit position might state that the ideal candidate should have certain credentials (CPA
               and CIA) and a certain number of years’ experience auditing in a community hospital. The entity
               might also adopt additional practices to comply with this policy, such as obtaining references,
               verifying the candidate’s credentials with professional licensing bodies, and performing a background
               check.

              Point of focus — Evaluates competence and addresses shortcomings
               The board of directors (those charged with governance) and management evaluate competence
               across the organization and in outsourced service providers in relation to established policies and
               practices and act as necessary to address shortcomings.
               The human resources function of an organization often defines competence and staffing levels by
               job role, facilitates training and maintains completion records, and evaluates the relevance and
               adequacy of individual professional development in relation to the entity’s needs.
               For example, a general contractor who decides to expand operations into new geographical areas
               should consider hiring local site supervisors who are familiar not only with local building regulations
               but with the reputation and proficiency of local subcontractors.
               As an example of evaluating competence in outsourced service providers, consider a local not-for-
               profit entity that is considering acquiring customizable software. This entity does not have the
               internal expertise to make custom modifications. For the software package to be modified and meet


            © 2020 Association of International Certified Professional Accountants. All rights reserved.    3-10
   203   204   205   206   207   208   209   210   211   212   213