
SOX


SOX compliance is adhering to the financial reporting, information security and auditing requirements of the SOX Act, which aims to prevent corporate fraud.

Controls:

Establishes the set of standards, processes, and structures that provide the basis for carrying out internal control across the organization.

  • Integrity and Ethical Values - CE.1

    The organization demonstrates a commitment to integrity and ethical values.

  • Board of Directors Oversight - CE.2

    The board of directors demonstrates independence from management and exercises oversight of the development and performance of internal control.

  • Organizational Structure - CE.3

    Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives.

Involves a dynamic and iterative process for identifying and assessing risks to the achievement of objectives.

  • Financial Reporting Risk Assessment - RA.1

    The organization specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to financial reporting.

  • Risks to Financial Reporting Objectives - RA.2

    The organization identifies the risks to the achievement of its financial reporting objectives across the entity and analyzes risks as a basis for determining how the risks should be managed.

Establishes processes for considering the potential for fraud in assessing risks to the achievement of objectives.

  • Fraud Risk Assessment - FRM.1

    The organization considers the potential for fraud in assessing risks to the achievement of objectives.

Establishes control activities implemented at the entity level.

  • Control Activities Policy and Procedures - CA-ELC.1

    Policies and procedures are established, documented, and maintained for entity-level control activities.

  • Management Review Controls - CA-ELC.2

    Management review controls are performed to evaluate the accuracy and completeness of financial information.

Establishes control activities implemented within business processes impacting financial reporting.

  • Business Process Control Activities - CA-BPC.1

    Control activities are selected and developed that contribute to the mitigation of risks to the achievement of objectives to acceptable levels.

  • Controls over Revenue Recognition - CA-BPC.2

    Controls are in place to ensure revenue is recognized accurately, completely, and in the correct period.

  • Controls over Accounts Payable and Expenses - CA-BPC.3

    Controls are in place to ensure accounts payable and expenses are recorded accurately, completely, and in the correct period.

Establishes general IT controls supporting the integrity and reliability of financial systems.

  • IT General Controls Policy and Procedures - CA-ITGC.1

    Policies and procedures are established, documented, and maintained for IT general controls.

  • Access Controls (ITGC) - CA-ITGC.2

    IT access controls are implemented to restrict access to systems and data supporting financial reporting.

  • Change Management (ITGC) - CA-ITGC.3

    IT change management controls are implemented to ensure changes to financial systems are authorized, tested, and approved.

  • IT Operations (ITGC) - CA-ITGC.4

    IT operations controls are implemented to ensure the reliable and continuous operation of financial systems.

  • Data Management (ITGC) - CA-ITGC.5

    IT data management controls are implemented to ensure the accuracy, completeness, and integrity of financial data.

Refers to the information and communication necessary to support the functioning of internal control.

  • Information and Communication Process - IC.1

    The organization obtains or generates and uses relevant, quality information to support the functioning of internal control.

  • Internal Communication - IC.2

    The organization internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control.

  • External Communication - IC.3

    The organization communicates with external parties regarding matters affecting the functioning of internal control.

Involves ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning.

  • Ongoing Monitoring - MA.1

    The organization selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning.

  • Separate Evaluations - MA.2

    The organization evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, and to senior management and the board of directors, as appropriate.