February 11, 2019
Internal Controls – Information & Communication
We’ve discussed the reasons to love internal controls and the first three components of The Committee of Sponsoring Organizations of the Treadway Commission (COSO) framework that many organizations follow when developing and implementing internal controls that are right-sized to them. This blog focuses on the fourth component.
- Control Environment
- Risk Assessment
- Control Activities
- Information & Communication
- Monitoring Activities
Information and communication is an increasingly hot topic as we continue to place more reliance on technology. The three main principles are:
- The organization obtains or generates and uses relevant, quality information to support the functioning of internal control.
- The organization internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control.
- The organization communicates with external parties regarding matters affecting the functioning of internal control.
What should management consider, in relation to the above principles?
The first principle is concerned with the information an organization needs to carry out its objectives and internal control activities. Management should identify what information is needed at each level of the organization to fulfill the objectives and complete the control activities. Does the organization have an information system capable of capturing data from relevant internal and external sources and transforming that data into quality information? The organization should develop information management policies and procedures to ensure appropriate data governance.
The second principle focuses on the kinds of information that should be communicated internally as well as the appropriate methods, channels, and frequency of communication. Organization-wide communications should address the organization’s objectives, internal control policies/procedures necessary to meet said objectives, and the expectation of personnel at all levels to communicate significant internal control matters to appropriate parties. Consideration should be given to the method used to disseminate information (e.g., in-person meetings versus email), in relation to the importance of the information being shared (e.g., significant organization changes versus monthly financial reporting).
The upward exchange of information is as critical as the downward exchange. As such, management and those charged with governance should discuss any significant internal control matters at appropriate intervals. Employees should have access to those charged with governance without management interference. This will help to encourage communication of matters employees may not typically be comfortable communicating to management. The organization should offer alternative channels for anonymous or confidential communications.
The third principle addresses outbound and inbound communication with external parties, such as customers, members, regulators, and vendors. Although the tenets regarding the appropriate methods, channels, and frequency of communication are the same, the information being sent and received differs. The organization must understand what it is required to communicate by law (e.g., audit results, data breaches, etc.). It should also consider what information it would like to communicate with outside parties (e.g., announcements on organizational changes). Lastly, the organization should have appropriate channels in place to receive information from external parties. For example, it may consider offering a secure information portal to exchange sensitive data with its customers, members, or vendors. Once the information has been received, the organization should have processes in place to review and respond appropriately.
Considering these principles and executing formal policies and procedures on information and communication as they relate to internal controls will support the entire organization’s control functions and is key to a strong internal control environment.