Page 211 - COSO Guidance Book
Accountability refers to the delegated ownership for the performance of internal control in the pursuit
of objectives considering the risks faced by the entity.
For example, there is a control concept commonly referred to as safeguarding of assets. Senior
management might state an objective that assets are to be adequately safeguarded. Different
organizational units would respond to this directive by adopting measures to safeguard assets within
their areas of authorities and responsibilities. Risk should be considered in adopting these measures.
For example, the IT department could achieve the safeguarding-assets objective by ensuring
individual access rights to data, programs, and functions (add, delete, or others) are in accordance
with each employee’s authorities and responsibilities as contained in the employee’s job description.
Ensuring that only authorized access is permitted to data, programs, and functions can be
accomplished by implementing a variety of controls, such as the use of passwords that are input
with keystrokes. Another method to control access would be to require the use of magnetic stripe
access cards (such as those used at many ATMs). Yet another control would be to employ a
biometric identifier, such as voice or fingerprint recognition, to identify an authorized user. Depending
on the risk (privacy issues or financial loss) associated with unauthorized access to certain data,
programs, and functions, the IT department could restrict access using one or more of these
controls.
Point of focus — Establishes performance measures, incentives, and rewards
Management and the board of directors establish performance measures, incentives, and other
rewards appropriate for responsibilities at all levels of the entity, reflecting appropriate dimensions of
performance and expected standards of conduct and considering the achievement of both short- and
longer-term objectives.
Performance measures, incentives, and rewards support an effective system of internal control
insofar as they are adapted to the entity’s objectives and develop with its needs. An entity that is
fixated solely on increasing net income may be more likely to experience unacceptable actions, such
as manipulation of the financial statements or offers of kickbacks in order to increase net income.
Two separate COSO studies of public entities (issuers) have shown that the top-ranked financial
statement fraud method to overstate net income is to overstate revenue. However, an owner-
managed entity might be inclined to misstate financial statements to avoid paying income tax. For
example, if tax rates are expected to decrease in the succeeding year, then there is an incentive to
delay revenue recognition in the current year (i.e., move to the succeeding year) and move
succeeding-year expenses into the current year.
Point of focus — Evaluates performance measures, incentives, and rewards for ongoing relevance
Management and the board of directors align incentives and rewards with the fulfillment of internal
control responsibilities in the achievement of objectives.
Performance measures are reviewed periodically for ongoing relevance and adequacy in relation to
incentives and rewards. If necessary, internal or external factors are readjusted to objectives and
other expectations of management, personnel, and outside providers.
For example, a locally owned franchise restaurant provides a bonus to employees if the restaurant
meets or exceeds service levels established by the chain, such as number of customer orders filled
during a certain time period. However, because of an exceedingly severe winter, fewer customers
than expected dined out during the first quarter of the year. This alerted management that
performance measures needed to be evaluated due to a factor not previously considered in the
© 2020 Association of International Certified Professional Accountants. All rights reserved. 3-13