An Overview Of The 2013 COSO Framework - NEW YORK STATE INTERNAL .


An Overview of the 2013 COSO Framework
August 2013

Introduction
Dean Geesler, KPMG Senior Manager

Course Objectives

- Summarize the key changes from the 1992 Framework to the 2013 Framework, including the reasons for the changes
- Describe the 17 principles that support each of the five (5) COSO components, including the related points of focus for each principle
- Discuss the timeline, effort, and implications of an organization’s transition to the 2013 Framework in connection with management’s assessment of the effectiveness of internal controls over financial reporting for regulatory purposes

© 2013 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved. NDPPS 156234

Agenda

- Introduction to the COSO 2013 Framework
- Components, Principles and Points of Focus
  – Control Environment
  – Risk Assessment
  – Control Activities
  – Information and Communications
  – Monitoring Activities
- Major Deficiency and Material Weakness
- Additional Considerations
- Transition: Timeline and Effort
- Appendix A -- Accompanying Guidance to the Framework:
  – Illustrative Tools for Assessing Effectiveness of a System of Internal Control
  – Internal Control over External Financial Reporting: A Compendium of Approaches and Examples

Introduction to the COSO 2013 Framework

Introduction to COSO 2013

- Updated Internal Control – Integrated Framework (2013 Framework) issued on May 14, 2013
- Companion documents:
  – Internal Control – Integrated Framework: Executive Summary
  – Illustrative Tools for Assessing Effectiveness of a System of Internal Control
  – Internal Control over External Financial Reporting: A Compendium of Approaches and Examples
- COSO 1992 Framework will be available until December 15, 2014, then superseded

COSO 2013 Framework – Summary of Changes

What is not changing:
- Core definition of internal control
- Three categories of objectives and five components of internal control
- Each of the five components of internal control is required for effective internal control
- Important role of judgment in designing, implementing and conducting internal control, and in assessing its effectiveness

What is changing:
- Updated for changes in business and operating environments
- Expanded operations and reporting objectives
- Implicit fundamental concepts underlying the five components codified as 17 principles
- Updated for increased relevance and dependence on IT
- Addresses fraud risk assessment and response

Categories of Objectives

Objectives: 2013 COSO Framework

- Operations: Relate to the effectiveness and efficiency of the entity’s operations, including:
  – operational and financial performance goals
  – safeguarding of assets against loss
- Reporting: Relate to internal and external, and financial and non-financial reporting, including:
  – reliability, timeliness, transparency, or other terms as set forth by regulators, standard setters or the entity’s policies
- Compliance: Relate to adherence to laws and regulations and standards to which the entity is subject

Definition of Internal Control over Financial Reporting

Regulation 13a-15(f) defines internal control over financial reporting as:

“A process . . . to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external purposes in accordance with generally accepted accounting principles . . .”

Includes policies and procedures that:
1. Maintain records in reasonable detail that accurately and fairly reflect the transactions and dispositions of the assets of the issuer
2. Ensure receipts and expenditures of the issuer are made only in accordance with authorizations of management and directors, and
3. Provide reasonable assurance regarding prevention or timely detection of the unauthorized acquisition, use or disposition of the issuer's assets that could have a material effect on the financial statements

COSO Components and Principles

COSO Components and Principles

For effective internal control:
- Each of the five components and 17 principles must be present and functioning
- The five components must operate together in an integrated manner

Control Environment
1. Demonstrates commitment to integrity and ethical values
2. Exercises oversight responsibility
3. Establishes structure, authority and responsibility
4. Demonstrates commitment to competence
5. Enforces accountability

Risk Assessment
6. Specifies suitable objectives
7. Identifies and analyzes risk
8. Assesses fraud risk
9. Identifies and analyzes significant change

Control Activities
10. Selects and develops control activities
11. Selects and develops general controls over technology
12. Deploys through policies and procedures

Information and Communication
13. Uses relevant information
14. Communicates internally
15. Communicates externally

Monitoring Activities
16. Conducts ongoing and/or separate evaluations
17. Evaluates and communicates deficiencies

Control Environment

Control Environment is the set of standards, processes, and structures that provide the basis for carrying out internal control across the organization. The board of directors and senior management establish the tone at the top regarding the importance of internal control, including expected standards of conduct. Management reinforces expectations at the various levels of the organization. The control environment comprises the integrity and ethical values of the organization; the parameters enabling the board of directors to carry out its governance oversight responsibilities; the organizational structure and assignment of authority and responsibility; the process for attracting, developing, and retaining competent individuals; and the rigor around performance measures, incentives, and rewards to drive accountability for performance. The resulting control environment has a pervasive impact on the overall system of internal control.

Control Environment – 2013 Framework Changes
- Captures the seven (7) factors in the 1992 Framework into five (5) principles
- Explains that Control Environment is the foundation for a sound system of internal control
- Expands and clarifies guidance on:
  – governance roles in an organization, recognizing differences in structures, requirements, and challenges across different jurisdictions, sectors, and types of entities
  – expectations of integrity and ethical values
  – risk oversight and strengthening the linkages between risk and performance to help allocate resources to support internal control
  – the need to consider internal control across the expanded organization resulting from different business models, the use of outsourced service providers and other external partners

Control Environment: Principle #1 and Points of Focus

1. The organization demonstrates a commitment to integrity and ethical values.

Points of Focus
- Sets the Tone at the Top: Board of Directors and management at all levels demonstrate through directives, actions and behavior the importance of integrity and ethical values to support a functioning system of internal control
- Establishes Standards of Conduct: The expectations of the Board of Directors and senior management concerning integrity and ethical values are defined in Standards of Conduct and understood throughout the organization and by outsourced service providers and business partners
- Evaluates adherence to Standards of Conduct: Processes are in place to evaluate the performance of individuals and teams against the Standards of Conduct
- Addresses deviations in a timely manner: Deviations from Standards of Conduct are identified and remedied in a timely, consistent manner

Control Environment: Principle #2 and Points of Focus

2. The board of directors demonstrates independence from management and exercises oversight of the development and performance of internal control.

Points of Focus
- Establishes oversight responsibilities: The Board of Directors (BoD) identifies and accepts its oversight responsibilities in relation to the established requirements and expectations
- Applies relevant expertise: The BoD defines, maintains and periodically evaluates the skills and expertise needed to enable its members to ask probing questions of senior management and take commensurate actions
- Operates independently: The BoD has sufficient independent members and is objective in evaluations and decision making
- Provides oversight for the system of internal control: The BoD retains oversight responsibilities for management’s design, implementation and conduct of internal control

Control Environment: Principle #3 and Points of Focus

3. Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives.

Points of Focus
- Considers all structures of the entity: Management and the BoD consider multiple structures (including operating units, legal entities, geographic distribution, and outsourced service providers) to support the achievement of objectives
- Establishes reporting lines: Management designs and evaluates lines of reporting for each entity structure to enable execution of authorities and responsibilities and the flow of information to manage the activities of the entity
- Defines, assigns, and limits authorities and responsibilities: Management and the BoD delegate authority, define responsibilities and use appropriate processes and technology to assign responsibility and segregate duties at various levels of the organization (e.g., the Board; senior executives; management; personnel; outsourced service providers)

Control Environment: Principle #4 and Points of Focus

4. The organization demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives.

Points of Focus
- Establishes policies and practices: Policies and practices reflect expectations of competence necessary to support the objectives
- Evaluates competence and addresses shortcomings: The Board of Directors and management evaluate competence across the organization and at outsourced service providers in relation to established policies and practices and act as necessary to address shortcomings
- Attracts, develops, and retains individuals: The organization mentors and trains to attract, develop, and retain sufficient and competent personnel and outsourced service providers to support the achievement of objectives
- Plans and prepares for succession: Senior management and the Board of Directors develop contingency plans for assignment of responsibility important for internal control

Control Environment: Principle #5 and Points of Focus

5. The organization holds individuals accountable for their internal control responsibilities in the pursuit of objectives.

Points of Focus
- Enforces accountability through structures, authorities, and responsibilities: Establishes the mechanisms to communicate and hold individuals accountable for internal control responsibilities across the organization and implement corrective action
- Establishes performance measures, incentives, and rewards: . . . appropriate for responsibilities at all levels of the entity, reflecting performance and Standards of Conduct, considering achievement of short-term (ST) and long-term (LT) objectives
- Evaluates performance measures, incentives, and rewards for ongoing performance: Aligns incentives and rewards with the fulfillment of internal control responsibilities in the achievement of objectives
- Considers excessive pressures: Evaluates and adjusts pressures associated with the achievement of objectives when assigning responsibilities, developing performance measures and evaluating performance
- Evaluates performance and rewards or disciplines individuals: Evaluates performance of internal control responsibilities, including adherence to Standards of Conduct and expected competence; provides rewards or disciplinary action as appropriate

Risk Assessment

Risk assessment involves a dynamic and iterative process for identifying and assessing risks to the achievement of objectives. Risks from across the entity are considered relative to established risk tolerances. Thus, risk assessment forms the basis for determining how risks will be managed.

Management specifies objectives relating to operations, reporting, and compliance with sufficient clarity to be able to identify and analyze risks to those objectives. Risk assessment requires management to consider the impact of possible changes in the external environment and within its own business model that may render internal control ineffective.

Risk Assessment – 2013 Framework Changes
- Clarifies that risk assessment includes processes for risk identification, risk analysis, and risk response
- Expands the discussion on:
  – risk tolerances (acceptable risk levels) and how risk can be managed through accepting, avoiding and sharing risks
  – risk severity beyond impact and likelihood, to include velocity and persistence
  – the need to understand significant changes in internal and external factors and their impact on the system of internal control
- Includes specific assessment of fraud risk relating to material misstatement of reporting, inadequate safeguarding of assets, and corruption as part of the risk assessment process

Risk Assessment: Principle #6 and Points of Focus

6. The organization specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives.

Points of Focus
- Separately set out characteristics related to operations; external financial reporting; external non-financial reporting; internal reporting; compliance objectives

External Financial Reporting Objectives
- Complies with applicable accounting standards: Financial reporting objectives are consistent with accounting principles suitable and available for the entity; accounting principles selected are appropriate in the circumstances
- Considers Materiality: Management considers materiality in financial statement presentation
- Reflects entity activities: External reporting reflects the underlying transactions and events to show qualitative characteristics and assertions

Risk Assessment: Principle #7 and Points of Focus

7. The organization identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed.

Points of Focus
- Includes entity, subsidiary, division, operating unit, and functional levels: The organization identifies and assesses risks at the entity, subsidiary, division, operating unit and functional levels relevant to the achievement of objectives
- Analyzes internal and external factors: Risk identification considers both internal and external factors and their impact on the achievement of objectives
- Involves appropriate levels of management: The organization puts into place effective risk assessment mechanisms that involve appropriate levels of management
- Estimates significance of risks identified: Identified risks are analyzed through a process that includes estimating the potential significance of the risk
- Determines how to respond to risks: Risk assessment includes considering how the risk should be managed and whether to accept, avoid, reduce or share the risk

Risk Assessment: Principle #8 and Points of Focus

8. The organization considers the potential for fraud in assessing risks to the achievement of objectives.

Points of Focus
- Considers various types of fraud: The assessment of fraud considers fraudulent reporting, possible loss of assets, and corruption [and management override of controls] resulting from the various ways that fraud and misconduct can occur
- Assesses incentives and pressures: The assessment of fraud risk considers incentives and pressures
- Assesses opportunities: The assessment of fraud risk considers opportunities for unauthorized acquisition, use, or disposal of assets, altering of the entity’s reporting records, or committing other inappropriate acts
- Assesses attitudes and rationalizations: The assessment of fraud risk considers how management and other personnel might engage in or justify inappropriate actions

Risk Assessment: Principle #9 and Points of Focus

9. The organization identifies and assesses changes that could significantly impact the system of internal control.

Points of Focus
- Assesses changes in the external environment: The risk identification process considers changes in the regulatory, economic, and physical environment in which the entity operates
- Assesses changes in the business model: The organization considers the potential impact on the system of internal control of new business lines, dramatically altered compositions of existing lines, acquired or divested business operations, rapid growth, changing reliance on foreign geographies and new technologies
- Assesses changes in leadership: The organization considers changes in management and the respective attitudes and philosophies on the system of internal control

Control Activities

Control activities are the actions established through policies and procedures to mitigate risks to the achievement of objectives. Control activities are performed at all levels of the entity, at various stages within business processes, and over the technology environment. They may be preventive or detective in nature and may encompass a range of manual and automated activities such as authorizations and approvals, verifications, reconciliations, and business performance reviews. Segregation of duties is typically built into the selection and development of control activities. Where segregation of duties is not practical, management selects and develops alternative control activities.

Control Activities – 2013 Framework Changes
- Updates for the evolution in technology since 1992 (e.g., replacing data center concepts with a more general discussion on the technology infrastructure)
- Addresses the linkage between business processes, automated control activities and general controls over technology (GITCs)
- Contrasts transaction-level controls with controls at other levels of the organization
- Updates GITC applicability (IT infrastructure; security management; technology acquisition, development and maintenance) across all technology platforms
- Clarifies that control activities are actions established by policies and procedures rather than being the policies and procedures themselves

Control Activities: Principle #10 and Points of Focus

10. The organization selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels.

Points of Focus
- Integrates with Risk Assessment: Control activities help ensure that the risk responses that address and mitigate risks are carried out
- Considers entity-specific factors: Management considers how the environment, complexity, nature and scope of its operations affect the selection and development of control activities
- Determines relevant business processes: Management determines which relevant business processes require control activities
- Evaluates a mix of control types: Control activities include a range and variety of controls, considering both manual and automated controls, and preventive and detective controls
- Considers at what level controls are applied: Management considers control activities at various levels of the organization
- Addresses segregation of duties: Management segregates incompatible duties and, where not practical, selects and develops alternative control activities

Control Activities: Principle #11 and Points of Focus

11. The organization selects and develops general control activities over technology to support the achievement of objectives.

Points of Focus
- Determines dependency between the use of technology in business processes and GITCs: Management understands and determines the dependency and linkage between business processes, automated control activities and GITCs
- Establishes relevant Technology Infrastructure control activities: . . . which are designed and implemented to help ensure the completeness, accuracy and availability of technology processing
- Establishes relevant Security Management Process control activities: . . . which are designed and implemented to restrict technology access rights to authorized users commensurate with their job responsibilities and to protect the entity’s assets from external threats
- Establishes relevant Technology Acquisition, Development, and Maintenance Process control activities: Management selects and develops control activities over the acquisition, development and maintenance of technology and its infrastructure to achieve objectives
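Principle 10 asks management to segregate incompatible duties and to document an alternative control activity wherever segregation is not practical; Principle 11 asks that access rights be restricted to what a person's job responsibilities require. The script below is an added illustration of how a security or internal-audit team might operationalise both points as a periodic access review. It is not KPMG or COSO material: the rule set, the entitlement listing, the user names and the compensating-control register are all constructed sample data, and the entitlement names (`vendor.create`, `payment.approve`, and so on) are assumed placeholders for whatever a real identity system exports.

```python
"""Segregation-of-duties (SoD) review over a constructed entitlement export.

Added example for COSO 2013 Principles 10 and 11; not part of the original
deck. Every rule, user and entitlement below is constructed sample data.
"""
from collections import defaultdict

# Constructed incompatible-duty pairs. Holding both sides of a pair lets one
# person initiate and approve (or change and execute) the same transaction,
# which is exactly what segregation of duties is meant to prevent.
SOD_RULES = [
    ("vendor.create", "payment.approve", "Create a vendor and approve payment to it"),
    ("journal.post", "journal.approve", "Post and approve the same journal entry"),
    ("payroll.change", "payroll.run", "Change pay data and run payroll"),
    ("user.admin", "payment.approve", "Administer access rights and approve payments"),
]

# Constructed entitlement listing, in the shape an access-review export
# usually takes once role membership has been flattened to direct grants.
ENTITLEMENTS = {
    "alice": {"vendor.create", "journal.post"},
    "bob": {"payment.approve", "journal.approve"},
    "carol": {"vendor.create", "payment.approve"},               # conflict, no control
    "dave": {"user.admin", "payment.approve", "journal.post"},    # conflict, no control
    "erin": {"payroll.change", "payroll.run"},                    # conflict, compensated
}

# Constructed register of documented alternative control activities for the
# cases where segregation is not practical (e.g. a one-person payroll team).
COMPENSATING_CONTROLS = {
    ("erin", "payroll.change", "payroll.run"): "CFO reviews payroll register before release",
}


def find_conflicts(entitlements, rules=SOD_RULES):
    """Return (user, left, right, description) for every rule whose two
    entitlements are both held by the same user, in user order."""
    conflicts = []
    for user, grants in sorted(entitlements.items()):
        for left, right, desc in rules:
            if left in grants and right in grants:
                conflicts.append((user, left, right, desc))
    return conflicts


def classify(conflicts, compensating=COMPENSATING_CONTROLS):
    """Split conflicts into those covered by a documented alternative control
    and open findings that need a grant removed or a control designed."""
    report = {"compensated": [], "open": []}
    for user, left, right, desc in conflicts:
        control = compensating.get((user, left, right))
        if control:
            report["compensated"].append((user, desc, control))
        else:
            report["open"].append((user, desc))
    return report


def entitlement_frequency(conflicts):
    """Count how often each entitlement takes part in a conflict; the most
    frequent grant is usually the one to remove first during remediation."""
    counts = defaultdict(int)
    for _, left, right, _ in conflicts:
        counts[left] += 1
        counts[right] += 1
    return dict(counts)


if __name__ == "__main__":
    found = find_conflicts(ENTITLEMENTS)
    result = classify(found)
    for user, desc in result["open"]:
        print(f"OPEN         {user}: {desc}")
    for user, desc, control in result["compensated"]:
        print(f"COMPENSATED  {user}: {desc} (control: {control})")
    print("entitlements involved:", entitlement_frequency(found))
```

The review deliberately separates detection from disposition: an SoD conflict is only a deficiency when no alternative control is documented, so the register of compensating controls is the evidence an auditor would ask for under Principle 10's "where not practical" clause, and it is keyed per user and per rule so that one documented review cannot silently cover unrelated conflicts.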

Control Activities: Principle #12 and Points of Focus

12. The organization deploys control activities through policies that establish what is expected and in procedures that put policies into action.

Points of Focus
- Establishes policies and procedures to support deployment of management’s directives: Controls are built into business processes through specific policies and procedures
- Establishes responsibility and accountability for executing policies and procedures: Management assigns responsibility and accountability for the controls in the business unit or function where the risk resides
- Performs in a timely manner: Responsible personnel perform controls in a timely manner
- Takes corrective action: Responsible personnel investigate and act on matters identified as a result of executing the control
- Performs using competent personnel: Competent personnel with sufficient authority perform controls with diligence and continuing focus
- Reassesses policies and procedures: Management periodically reviews controls to determine their continued relevance and refreshes them when necessary

Information and Communication

Information is necessary for the entity to carry out internal control responsibilities to support the achievement of its objectives. Management obtains or generates and uses relevant and quality information from both internal and external sources to support the functioning of other components of internal control. Communication is the continual, iterative process of providing, sharing, and obtaining necessary information. Internal communication is the means by which information is disseminated throughout the organization, flowing up, down, and across the entity. It enables personnel to receive a clear message from senior management that control responsibilities must be taken seriously. External communication is twofold: it enables inbound communication of relevant external information, and it provides information to external parties in response to requirements and expectations.

Information & Communication – 2013 Framework Changes
- Emphasizes the importance of quality of information, including how the entity manages information from and communicates with third-party service providers and those that operate outside its legal and operational boundaries
- Expands the discussion on:
  – the impact of regulatory requirements on reliability and protection of information
  – the volume and sources of information in light of increased complexity of business processes, greater interaction with external parties, and technology advances
- Reflects the impact of technology and other communication mechanisms on the speed, means, and quality of the flow of information

Information and Communication: Principle #13 and Points of Focus

13. The organization obtains or generates and uses relevant, quality information to support the functioning of other components of internal control.

Points of Focus
- Identifies information requirements: A process is in place to identify the information required and expected to support the functioning of the other components and achievement of the entity’s objectives
- Captures internal and external sources of data: Information systems capture internal and external sources of data
- Processes relevant data into information: Information systems process and transform relevant data into information
- Maintains quality throughout processing: Information systems produce information that is timely, current, accurate, complete, accessible, protected, verifiable and retained. Information is reviewed to assess its relevance in supporting the components
- Considers costs and benefits: The nature, quantity and precision of information communicated are commensurate with and support the achievement of objectives
