1. Communication Interpretation
SOX 2016

2. PART 1 – COSO 2013 2
Sources: Public Company Accounting Oversight Board, www.pcaobus.org, Securities and Exchange Commission, www.sec.gov,
Committee of Sponsoring Organizations of the Treadway Commission, www.coso.org and American Institute of Certified Public
Accountants, aicpa.org.
SOX 2016
PCAOB release No. 2015-003 provided a graph reflecting an increase of deficiencies in audits of
ICFR, from 15% in 2010 to 39% in 2013. On 8.8.15, at the American Accounting Association
Annual Meeting, the PCAOB stated that “…ICFR audit deficiencies continue to be the most
frequent inspection findings…” and PCAOB Release No. 2015-007 observations included
common Part I findings related to risk assessment deficiencies as follows:
“In a firm inspection report, a Part I Finding is an auditing deficiency identified by Inspections staff that is of
such significance that it appeared to the Inspections staff that a firm, at the time it issued its report, had not
obtained sufficient appropriate audit evidence to support (1) its opinion that the financial statements were
presented fairly, in all material respects, in accordance with the applicable financial reporting framework
and/or (2) its opinion about whether the issuer had maintained, in all material respects, effective internal
control over financial reporting (“ICFR”). In other words, in these audits, the auditor issued an opinion
without satisfying its fundamental obligation to obtain reasonable assurance about whether the financial
statements were free of material misstatement and/or the issuer maintained effective ICFR.”
PCAOB news releases (10.1.15) highlight three general areas of concern: ICFR, assessing and
responding to risks of material misstatement and accounting estimates, including fair value
measurements. Financial crisis and global economic factors include the high pace of mergers
and acquisitions, higher–yielding investment returns in a low interest rate environment and
industry effects from oil price fluctuations.
The underlying business question is one of judgment and cost:
• Has your management team provided value by implementing and maintaining transparent and comprehensive
documentation and controls that auditors, regulators and other stakeholders can independently follow?
• Do you have an independent Internal Audit Department (“IAD”) with open lines of communication to management
and the Audit Committee?
• Is there a transparent organizational structure to reflect financial reporting and the related control environment?
• Is IAD or external audit independence limited by incentives to maintain relationships over objective reporting?
• Does IAD provide value by providing transparent audit programs and workpapers and do they pose relevant
questions to external auditors, in order to provide efficient and effective audits.
• Are internal and external auditors comfortable making probing inquiries to executive management?
The 2013 revision of the recommended COSO framework provides an opportunity to re-think
improvements to existing control structure or to implement a more robust environment.

3. PART 1 – COSO 2013 3
Sources: Public Company Accounting Oversight Board, www.pcaobus.org, Securities and Exchange Commission, www.sec.gov,
Committee of Sponsoring Organizations of the Treadway Commission, www.coso.org and American Institute of Certified Public
Accountants, aicpa.org.
This document has three parts. It is not intended to be comprehensive of all risks and controls,
but sufficient to provide an illumination and examples of internal control (“IC”).
Part I reflects an interpretation of controls for the COSO 2013 requirements incorporating the 17
principles within the five components of risk, applied to a personal experience.
Part II highlights audit responsibilities.
Part III observations and further examples of communication breakdown that public entities and
auditors struggle with to identify and manage Internal Controls over Financial Reporting (“ICFR”).
Simplified, ICFR are the responsibility of management. External consultants or IAD’s manage the
framework in order to independently report gaps, remediation and deficiencies for management
certifications and as part of the Board and Audit Committee oversight and on behalf of
stakeholders. External Auditors are responsible to assess the design and effectiveness of ICFR
on behalf of stakeholders.
Comments and discussions are a welcome part of progress through open communication.
PART I – COSO 2013: 17 Principles within 5 COSO components
On 7.1.15, I cycled alone from Vancouver, BC to the Mexican border in 21 days. It’s not the first
time, nor am I the first person to accomplish this endeavor. In the same vein, the 2013 COSO
framework enhanced or clarified the 1992 framework in order to address the current and
increasingly complex, global, technology-driven business environments. ICFR is not new and yet
communication and documentation remains a challenge.
The same control can apply to more than one principle and component, which is more clearly
represented within a matrix summarizing the framework. Please accept the caveat that this
journey is a simplified metaphor in which to apply the COSO 2013 framework to corporate
governance and ICFR.
Effective internal control applies all seventeen principles within the five components. You will see
that an understanding of audit requirements is linked to a robust ICFR framework.

4. PART 1 – COSO 2013 4
Sources: Public Company Accounting Oversight Board, www.pcaobus.org, Securities and Exchange Commission, www.sec.gov,
Committee of Sponsoring Organizations of the Treadway Commission, www.coso.org and American Institute of Certified Public
Accountants, aicpa.org.
CONTROL ENVIRONMENT (1):
1. Commitment to integrity and ethical values.
Control 1.1 - Policies and procedures are documented with transparent controls addressing end-to-end
processing of entity operations, in sufficient detail to be independently verified. This includes corporate
governance (including implementation /modification of stock option plans, salary and bonus arrangements)
as well as IT general and application controls. The CFO and CEO (or others responsible for quarterly and
annual 302 and 404 certifications, respectively) sign off on policies and procedures and control matrices
(and any modifications to reflect current operations) that clearly and comprehensively summarize ICFR.
Control 1.2 – Code of Conduct, Code of Ethics (including Whistleblower Policy, independent of
management) is presented to all employees and contractors to read and sign before access is provided to
entity records.
Control 1.3 – IAD has unrestricted read-only access to all IT applications and business unit /function
servers, including financial statement chart of accounts.
2. Board independence and oversight over management development and execution of internal control.
Control 2.1 - Policies and procedures are documented with evidence of process owners and subsequent
Board approval, and evidence of regular, dated, review for any modifications to reflect current operations.
Control 2.2 – IAD documents an annual internal audit plan, with evidence of Board approval.
Control 2.3 - Board reviews audit programs and audit reports with management response and maintains
documented queries to and responses from management and IAD on the results.
Control 2.4 - Board member background and expertise is documented, including affiliations and
relationships or transactions with the entity, and includes a sufficient number of independent members.
Control 2.5 – Audit Committee and Board members have sufficient independence that necessary and
often probing questions are raised, as documented in meeting minutes and other documented
correspondence that is retained.
Control 2.6 - The Audit Committee includes at least one financial expert and operates under a charter that
outlines their duties and responsibilities and includes adequate resources and authority to discharge such
responsibilities.

5. PART 1 – COSO 2013 5
Sources: Public Company Accounting Oversight Board, www.pcaobus.org, Securities and Exchange Commission, www.sec.gov,
Committee of Sponsoring Organizations of the Treadway Commission, www.coso.org and American Institute of Certified Public
Accountants, aicpa.org.
3. Management establishes structure, reporting lines and appropriate authorities and responsibilities in
pursuing objectives.
Control 3.1 - Organizational charts are distributed and updated regularly to reflect current operations and
clear reporting lines that assist with segregation of duties. Charts are reviewed on a regular basis with
signature and date to evidence Board approval.
Control 3.2 - Authorization Matrix, comprehensive of entity operations, is documented and distributed with
evidence of Board approval and reviewed on a regular basis.
4. Organization commitment to attract, develop and retain competent individuals.
Control 4.1 - Entity maintains an HR department or employs a firm that specializes in screening for
professional designations and vouching of employment history. Standards and procedures are in place for
hiring, training, motivating, evaluating, promoting, compensating, transferring and terminating personnel
that are applicable to all functional areas. Key employees and related salary and bonus compensation are
approved in Board meetings and evidenced in Board minutes.
Control 4.2 – Structured, documented independent reviews are made on a regular basis, including
opportunities for upward performance appraisals and independent exit interviews.
5. Organization accountability for internal control responsibilities.
Control 5.1 - Entity obtains regular employee verification of their awareness and responsibility for internal
controls with sufficient transparency for their responsibilities in-line with policies, procedures, organizational
charts and authorization matrices.
Control 5.2 – IAD has unrestricted read-only access to all IT applications and business unit /function
folders, including financial statement chart of accounts.
Control 5.3 – Identified deficiencies are remediated in a timely manner, and related documentation is
updated and approval signatories are notified and evidence of their response obtained for such updates.
Control 5.4 – Transparent documentation and open lines of communication between internal and external
auditors and management to address significant matters relating to internal control and accounting issues
is documented in regular meeting minutes of Audit Committee and monthly updates.

6. PART 1 – COSO 2013 6
Sources: Public Company Accounting Oversight Board, www.pcaobus.org, Securities and Exchange Commission, www.sec.gov,
Committee of Sponsoring Organizations of the Treadway Commission, www.coso.org and American Institute of Certified Public
Accountants, aicpa.org.
RISK ASSESSMENT (2):
6. Objectives are transparent in order to identify and assess risks relating to each objective.
OPERATIONAL OBJECTIVE: Complete a solo bike journey in consecutive riding days, following Highways
1 and 101, from the Canadian border to the Mexican border.
Risk 1 – Road conditions, weather, wildlife, traffic and health are all significant risks that controls can
mitigate, but not remove completely.
Stung in the throat and eye by bees and wasps - watch out for the Oregon coast!
Control 6.1.1 – Ensure phone /tablet has a full charge each morning, for emergencies and directions.
Control 6.1.2 – Maintain spare tubes, air pump, chain connector, patch kit, weapon, cleansing wipes,
sunscreen and water bottles and account for inventory levels against a checklist each morning.
...until I encountered a growling cougar, I was a typical Canadian - no weapon
Control 6.1.3 – Assess distance and route for isolated areas to plan for daily nutrition and water stops.
Use maps to plan for alternate bike routes when possible.
Control 6.1.4 – Road and weather conditions cannot be altered, but pace and riding schedule
modifications to avoid lightning or extreme heat can keep you on track and maintain health.
That bee sting… got infected and antibiotics caused severe sunburn… imagine wearing
arm and leg warmers in last summer’s heat wave!
Risk 2 – Bike and gear condition and malfunction and lodging availability are controllable risks.
Control 6.2.1 – Gear is washed, accounted for and laid out each evening and repacked (and secured to
the bike or water-proofed) each morning reviewing for low inventory levels or worn parts (i.e. spare tubes,
worn cleats or nutrition) so purchases can be sourced and planned for, timely.
Control 6.2.2 – Bike is wiped down each night and tire pressure is checked each morning.
Control 6.2.3 – Plan and book accommodation the night before to preserve assets (bike and cyclist).
At a remote bike shop in Bend, OR I left my tire levers on the counter – no levers on a
Sunday when my tire went flat…

7. PART 1 – COSO 2013 7
Sources: Public Company Accounting Oversight Board, www.pcaobus.org, Securities and Exchange Commission, www.sec.gov,
Committee of Sponsoring Organizations of the Treadway Commission, www.coso.org and American Institute of Certified Public
Accountants, aicpa.org.
REPORTING OBJECTIVE: Document the journey to raise awareness and funding in three main disciplines
(intentionally vague for proprietary ventures), including road share.
Risk 3 – Cyclist could take a ferry, accept a ride or take a bus when inclement weather, fatigue or timely
completion issues arise, or could disappear without evidence of location or work product.
Control 6.3.1 – GARMIN GPS is turned on for the duration of the ride and heart rate monitor “HRM” is
worn; distance, speed, cadence, heart rate and maps are uploaded to the web for independent review.
Control 6.3.2 – Original receipts are retained for all purchases (picture for credit card purchases).
Control 6.3.3 – Cyclist calls in/emails daily status updates and documents key components in daily journal.
COMPLIANCE OBJECTIVE: Comply with US GAAP for reporting and (road) rules and regulations in order
to complete the journey, without the aid or assistance that impedes completion within the calendar month.
Risk 4 – Current GAAP and other regulatory reporting requirements are not being met.
Control 6.4.1 – Management maintains memberships, regularly attends professional development (CPE)
and reads publications with respect to accounting pronouncements and industry developments.
Control 6.4.2 – see principle 6 - control 6.3.1.
Control 6.4.3 – Cyclist acknowledges road rules and regulations, by state and signs a disclaimer to
acknowledge the personal safety risk and use of judgment required in highway and road conditions, and
adherence to the use of safety lights, bells and reflectors and hand signals on the roads.
7. Risks are identified and assessed.
Control 7.1 - see principle 1 - control 1.1 and principle 2 - control 2.1.
8. Fraud is considered in assessing risks.
Control 8.1 - see principle 3 – controls 3.1 and 3.2.
Control 8.2 – On at least an annual basis, fraud risk discussions are documented.
9. Identification and assessment of changes that could significantly impact the system of internal control.
Control 9.1 - see principle 6 - control 6.4.1.

8. PART 1 – COSO 2013 8
Sources: Public Company Accounting Oversight Board, www.pcaobus.org, Securities and Exchange Commission, www.sec.gov,
Committee of Sponsoring Organizations of the Treadway Commission, www.coso.org and American Institute of Certified Public
Accountants, aicpa.org.
CONTROL ACTIVITIES (3):
10. Development of general control activities that contribute to the mitigation of risks.
Control 10.1 – Management maintains narrative documentation for all processes (could be incorporated
with policies and procedures) that are in scope, based on the risk assessment. These processes are then
summarized in an Excel matrix that clearly outlines risks and associated controls that mitigate risks. This
matrix further identifies key controls relating to accurate and timely financial reporting, fraud controls and
the link to COSO 2013 components and principles, financial statement assertions (“FSA”), control type
(prevent, detect or compensating) and frequency and whether it is a manual or automated (IT) control.
11. Development of general IT controls.
Control 11.1 – Access to IT hardware, servers, routers and networking components are restricted to key
personnel with access rights approved by the Board.
Control 11.2 – Access rights to accounting applications are based on business needs and restricted use
or reports to monitor use are assigned and monitored by the super user with sign-off by the Board and
Audit Committee on at least an annual basis.
Control 11.3 – User access (network server and remote access) is authenticated through unique username
and password with automatic logout period and limited password attempts. Password change is required
on a regular basis as driven by the super user. Users sign a confidentiality agreement on at least a
quarterly basis to acknowledge their responsibility to protect their password and confidential nature of the
critical and sensitive records they have access to modify and change.
12. Development of general control activities through policies and procedures.
Control 12.1 – see principle 1 - control 1.1.
Control 12.2 – Original documentation is obtained and maintained for all processes. Scanned or stored
electronic data must be sufficiently clear and all process owners are responsible to ensure the
transparency of records.
Control 12.3 – Documentation used for funds disbursements must clearly reflect a unique record with the
business name and address and the date and list of goods and services and the total funds paid.
Control 12.4 – Disbursement records are defaced to reflect GL coding, authorization and business unit to
apply payment, including full name and title for all employees and any non-employee the record applied to.

9. PART 1 – COSO 2013 9
Sources: Public Company Accounting Oversight Board, www.pcaobus.org, Securities and Exchange Commission, www.sec.gov,
Committee of Sponsoring Organizations of the Treadway Commission, www.coso.org and American Institute of Certified Public
Accountants, aicpa.org.
INFORMATION & COMMUNICATION (4):
13. Obtains or generates and uses relevant, quality information to support the functioning of IC.
Control 13.1 – Quarterly and annual closing checklists for 10-Q and 10-K reporting are completed and
signed off by appropriate signatories reflecting attestation to analysis and approval of reports.
Control 13.2 – Audit Committee minutes reflect ratified and approved 10-Q and 10-K reports that were
discussed with appropriate signatories with evidence of corrections and changes clearly documented and
maintained.
Control 13.3 – Chart of Accounts and IT general and application controls and reports are monitored for
modifications and operational effectiveness as part of the 10-Q and 10-K meetings.
14. Organization internally communicates objectives and responsibilities for IC.
Control 14.1 – see also, principle 5 – Entity obtains regular employee verification of their awareness and
responsibility for internal controls with sufficient transparency for their responsibilities in-line with Policy,
Procedures, Organization charts and Authorization matrices.
15. Organization communicates with external parties regarding matters affecting the functioning of IC.
Control 15.1 – 302 and 404 quarterly and annual certifications, respectively asserted by management and
annual 404 certification opined by the independent auditor.
Control 15.2 – SOC 1 Type II (formerly SAS 70 Type II) report obtained from any service organizations.
Note that SSAE 16 and SOC 1 are the same.

10. PART 1 – COSO 2013 10
Sources: Public Company Accounting Oversight Board, www.pcaobus.org, Securities and Exchange Commission, www.sec.gov,
Committee of Sponsoring Organizations of the Treadway Commission, www.coso.org and American Institute of Certified Public
Accountants, aicpa.org.
MONITORING ACTIVITIES (5):
16. Organization selects, develops and performs ongoing and /or separate evaluations to ascertain the
presence and functioning of ICFR.
Control 16.1 – see principle 1 - control 1.2.
Control 16.2 – see principle 2 - control 2.2.
Control 16.3 – Internal audit function adheres to professional standards, such as the Institute of Internal
Auditors (“IIA”), as evidenced by transparent audit plans and programs that consider risk and are
supported by sufficient audit evidence that can be independently verified.
Control 16.4 – IAD has authority to examine all aspects of the entity’s operations with results clearly
reported to management and the Audit Committee. Refer also to principle 1 – control 1.3.
17. Organization evaluates and communicates IC deficiencies in a timely manner to those responsible for
taking corrective action (senior management and Board, as appropriate).
Control 17.1 – see principle 2 - control 2.3.