Page 238 - COSO Guidance Book
For example, an entity might perceive a risk regarding inadequate segregation of duties. The
bookkeeper has access to one of the entity’s bank accounts and performs the bank reconciliation for
this account. The entity might elect to accept this risk (inadequate segregation of duties) because
this particular bank account has a continuous small balance, is not used for processing cash receipts
or disbursements, and does not have an overdraft protection feature. However, if the bookkeeper has
the previously mentioned incompatible duties and also has access to the bank operating account —
which has a balance material to the financial statements — then the entity might share this risk by
having the employee bonded. The entity might also decrease the risk that results from an inadequate
segregation of duties by implementing controls, such as having the owner-manager review
transactions daily in the operating account (detective control) and requiring owner-manager approval
for disbursements over a certain dollar amount (for example, $2,000, a preventive control).
Point of focus — Considers entity-specific factors
Management considers how the environment, complexity, nature, and scope of its operations, as well
as the specific characteristics of its organization, affect the selection and development of control
activities.
Because each entity has its own set of objectives and implementation methods, there will be
differences in objectives, risks, risk response, and related control activities. Even if two entities have
identical objectives and structures, their control activities could be different. This could result from
different factors, such as each entity having management with different attitudes toward internal
control and different risk tolerances.
The framework provides the following examples of entity-specific variables that can affect the control
activities needed to support the system of internal control:
– The environment and complexity of an entity and the nature and scope of its operations, both
physically and logically, affect its control activities.
For example, a small not-for-profit entity might outsource the control activity of independent bank
reconciliation to a CPA firm in order to achieve the control principle concerning adequate
segregation of duties. The entity might also implement a logical access control that requires two
individuals to enter separate passwords for any cash disbursement greater than a certain dollar
amount.
– Highly regulated entities generally have more complex risk responses and control activities than
less regulated entities.
For example, a community bank must comply with extensive regulations regarding loans,
deposits, and daily financial ratios. The nature and extent of documentation and procedures are
quite extensive in order to provide assurance that the bank complies with regulatory
requirements. Many nonregulated entities are not as complex; often, control activities exist but
are not documented.
– The scope and nature of risk responses and control activities for multinational entities with
diverse operations generally address a more complex internal control structure than those of a
domestic entity with less varied activities.
This is most likely due in part to the differing cultural and legal requirements present in each
country in which the entity operates.
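The two preventive controls described on this page (owner-manager approval for disbursements over a dollar threshold, and a logical access control under which two individuals each enter their own password for larger disbursements) and the detective control (the owner-manager's daily review of the operating account) can be expressed as a small approval gate. The following is an added example, not code from the COSO guidance or the AICPA; all user names, roles, passwords and ledger entries are constructed for illustration, and only the $2,000 threshold comes from the text. It also enforces the caveat a practitioner would add to the "two passwords" control: the two credentials must belong to two distinct individuals, and neither may be the person who prepared the disbursement, otherwise the control does not actually separate incompatible duties.

```python
"""Added example (not from the COSO guidance): a disbursement-approval gate that
enforces segregation of duties, threshold approval and dual control, plus a
detective review over posted ledger entries. Names, roles, passwords and ledger
data below are constructed; the $2,000 threshold is the page's own figure."""

from dataclasses import dataclass
from decimal import Decimal
import hashlib
import hmac
import secrets

APPROVAL_THRESHOLD = Decimal("2000.00")  # owner-manager approval required above this


@dataclass(frozen=True)
class User:
    name: str
    role: str          # hypothetical roles: "bookkeeper" or "owner-manager"
    salt: bytes
    pw_hash: bytes


def make_user(name: str, role: str, password: str) -> User:
    """Store only a salted PBKDF2 hash of the password."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return User(name, role, salt, digest)


def verify_password(user: User, password: str) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), user.salt, 200_000)
    return hmac.compare_digest(candidate, user.pw_hash)  # constant-time compare


class ControlViolation(Exception):
    """Raised when a disbursement would bypass a control activity."""


def authorize_disbursement(amount, preparer: str, credentials, directory) -> dict:
    """Preventive control. Above the threshold, two distinct individuals must each
    authenticate, neither may be the preparer, and one must be the owner-manager.
    Below the threshold, any approver present must still not be the preparer.

    credentials: list of (username, password) pairs entered at approval time
    directory:   {username: User}
    Returns a ledger entry, or raises ControlViolation if any check fails.
    """
    amount = Decimal(str(amount))
    if amount <= 0:
        raise ControlViolation("amount must be positive")
    if preparer not in directory:
        raise ControlViolation(f"unknown preparer {preparer!r}")

    approvers = []
    for name, password in credentials:
        user = directory.get(name)
        if user is None or not verify_password(user, password):
            raise ControlViolation(f"authentication failed for {name!r}")
        approvers.append(user)

    # Segregation of duties: the preparer never approves their own disbursement.
    if any(u.name == preparer for u in approvers):
        raise ControlViolation("preparer cannot approve own disbursement")

    if amount > APPROVAL_THRESHOLD:
        distinct = {u.name for u in approvers}
        if len(distinct) < 2:
            raise ControlViolation("dual control: two distinct individuals required")
        if not any(u.role == "owner-manager" for u in approvers):
            raise ControlViolation("owner-manager approval required above threshold")

    return {"amount": amount, "preparer": preparer,
            "approvers": sorted(u.name for u in approvers)}


def daily_review(ledger) -> list:
    """Detective control: the owner-manager's daily review of posted entries.
    Flags entries that reached the ledger without satisfying the preventive
    checks (e.g. posted through a path that bypassed authorize_disbursement)."""
    exceptions = []
    for entry in ledger:
        approvers = set(entry["approvers"])
        if entry["preparer"] in approvers:
            exceptions.append((entry, "preparer approved own entry"))
        elif entry["amount"] > APPROVAL_THRESHOLD and len(approvers) < 2:
            exceptions.append((entry, "above threshold without dual approval"))
    return exceptions


# Constructed user directory; passwords are illustrative only.
DIRECTORY = {u.name: u for u in (
    make_user("alice", "bookkeeper", "bk-pass-1"),
    make_user("bob", "bookkeeper", "bk-pass-2"),
    make_user("owner", "owner-manager", "owner-pass"),
)}

if __name__ == "__main__":
    entry = authorize_disbursement("2500.00", "alice",
                                   [("bob", "bk-pass-2"), ("owner", "owner-pass")],
                                   DIRECTORY)
    print(entry)
```

The gate is deliberately fail-closed: any authentication failure, a repeated credential, or a preparer appearing among the approvers raises rather than degrading to single approval. The daily review exists precisely because a preventive control can be bypassed (a manual journal entry, a second posting path), which is why the page pairs the two.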
© 2020 Association of International Certified Professional Accountants. All rights reserved. 5-4