Objectives Setting and Internal Control

An organization adopts a mission and vision, sets strategies, establishes objectives it wants to achieve, and formulates plans for achieving them. Objectives may be set for an entity as a whole, or be targeted to specific activities within the entity. Though many objectives are specific to a particular entity, some are widely shared. For example,
objectives common to most entities are sustaining organizational success, reporting to stakeholders, recruiting and retaining motivated and competent employees, achieving and maintaining a positive reputation, and complying with laws and regulations.

Supporting the organization in its efforts to achieve objectives are five components of internal control:

• Control Environment
• Risk Assessment
• Control Activities
• Information and Communication
• Monitoring Activities

Relationship of Objectives, Components, and the Entity:

A direct relationship exists between objectives, which are what an entity strives to achieve, components, which represent what is required to achieve the objectives, and entity structure (the operating units, legal entities, and other structures). The relationship can be depicted in the form of a cube.

•      The three categories of objectives operations, reporting, and compliance are represented by the columns.
•       The five components are represented by the rows.
•       The entity structure, which represents the overall entity,  divisions, subsidiaries, operating units, or functions, including business processes such as sales, purchasing, production, and marketing and to which internal control relates, are depicted by the third dimension of the cube.

Each component cuts across and applies to all three categories of objectives. For example, attracting, developing, and retaining competent people who are able to conduct internal control—part of the control environment component—is relevant to all three objectives categories.

The three categories of objectives are not parts or units of the entity. For instance, operations objectives relate to the efficiency and effectiveness of operations, not specific operating units or functions such as sales, marketing, procurement, or human resources.

Accordingly, when considering the category of objectives related to reporting, for example, knowledge of a wide array of information about the entity’s operations is needed. In that case, focus is on the middle column of the model—reporting objectives—rather than on the operations objectives category.

Internal control is a dynamic, iterative, and integrated process. For example, risk assessment not only influences the control environment and control activities, but also may highlight a need to reconsider the entity’s requirements for information and communication, or for its monitoring activities. Thus, internal control is not a linear process where one component affects only the next. It is an integrated process in which components can and will impact another.

No two entities will, or should, have the same system of internal control. Entities, objectives, and systems of internal control differ dramatically by industry and regulatory environment, as well as by internal considerations such as the size, nature of the management operating model, tolerance for risk, reliance on technology, and competence and number of personnel. Thus, while all entities require each of the components to maintain effective internal control over their activities, one entity’s system of internal control usually looks different from another’s.

Objectives

Management, with board oversight, sets entity-level objectives that align with the entity’s mission, vision, and strategies. These high-level objectives reflect choices made by management and board of directors about how the organization seeks to create, preserve, and realize value for its stakeholders. Such objectives may focus on the entity’s unique operations needs, or align with laws, rules, regulations, and standards imposed by legislators, regulators, and standard setters, or some combination of the two. Setting objectives is a prerequisite to internal control and a key part of the management process relating to strategic planning.

Individuals who are part of the system of internal control need to understand the overall strategies and objectives set by the organization. As part of internal control, management specifies suitable objectives so that risks to the achievement of such objectives can be identified and assessed. Specifying objectives includes the articulation of specific, measurable or observable, attainable, relevant, and time-bound objectives.

However there may be instances where an entity might not explicitly document an objective. Objectives specified in appropriate detail can be readily understood by the people who are working toward achieving them.

Categories of Objectives

The Framework groups entity objectives into the three categories of operations, reporting, and compliance.

Operations Objectives

Operations objectives relate to achievement of an entity's basic mission - the fundamental reason for its existence. These objectives vary based on management's choices relating to structure, industry considerations, and performance of the entity. Entity-level objectives cascade into related sub-objectives for operations within the divisions, subsidiaries, operating units, and functions, directed at enhancing effectiveness and efficiency in moving the entity toward its ultimate goal.

As such, operations objectives may relate to improving financial performance, productivity (e.g., avoiding waste and rework), quality, environmental practices, innovation, and customer and employee satisfaction. These objectives pertain to all types of entities. For example, a for-profit entity may focus on revenue, profitability, return on assets, and liquidity. In contrast, a not-for-profit entity, though certainly concerned with revenues or levels of spending, may focus more on increasing donor participation. A governmental agency may focus primarily on executing its spending in line with the designated purposes of its appropriators to ensure that the spending supports its mission objectives. If an entity’s operations objectives are not well conceived or clearly specified, its resources may be misdirected.

Safeguarding of Assets

The operations category of objectives includes safeguarding of assets, which refers to protecting and preserving entity assets. For instance, an entity may set objectives relating to the prevention of loss of assets and the timely detection and reporting of any such losses. These objectives form the basis of assessing risk relating to safeguarding of assets and selecting and developing controls needed to mitigate such risk.

The efficient use of an entity’s assets, and prevention of loss through waste, inefficiency, or poor business decisions (e.g., selling product at too low a price, extending credit to bad risks, failing to retain key employees, preventing patent infringement, incurring unforeseen liabilities) relate to a broader operations objectives and are not a specific consideration relating to safeguarding of assets.

Laws, rules, regulations, and standards have created an expectation that management reporting on internal control includes controls relating to preventing and detecting unauthorized acquisition, use, or disposition of the assets. In addition, some entities consider safeguarding of assets a separate category of objective, and that view can be accommodated within the application of the Framework.

Categories of Objectives

The Framework groups entity objectives into the three categories of operations, reporting, and compliance.

Reporting Objectives

Reporting objectives pertain to the preparation of reports for use by organizations and stakeholders. Reporting objectives may relate to financial or non-financial reporting and to internal or external reporting. Internal reporting objectives are driven by internal requirements in response to a variety of potential needs such as the entity’s strategic directions, operating plans, and performance metrics at various levels. External reporting objectives are driven primarily by regulations and/or standards established by regulators, and standard-setting bodies.

• External Financial Reporting Objectives - Entities need to achieve external financial reporting objectives to meet obligations to and expectations of stakeholders. Financial statements are necessary for accessing capital markets and may be critical to being awarded contracts or in dealing with suppliers and vendors. Investors, analysts, and creditors often rely on an entity’s external financial statements to assess its performance against peers and alternative investments. Management may also be required to publish financial statements using objectives set forth by rules, regulations, and standards.

• External Non-Financial Reporting Objectives - Management may report external non-financial information in accordance with regulations, standards, or frameworks. An entity may engage an independent auditor to report on
  its conformance with standards published by standard-setting bodies. Nonfinancial reporting requirements as set forth by regulations and standards for management reporting on the effectiveness of internal control over financial
  reporting are part of external non-financial reporting objectives. For purposes of the Framework, external reporting in the absence of a regulation, standard, or framework represents external communication..

• Internal Financial and Non-Financial Reporting Objectives - Internal reporting to management and the board of directors includes information deemed necessary to manage the organization. It supports decision making and assessment of the entity’s activities and performance. Internal reporting objectives are based on preferences and judgments of management and the board. Internal reporting objectives vary among entities because different organizations have different strategic directions, operating plans, and expectations. 

Relationship within Reporting Category of Objective:
The overall relationship between the four sub-categories of reporting objectives is depicted in the graphic below.

Reporting objectives are different from the information and communication component of internal control. Management establishes, with board oversight, reporting objectives when the organization needs reasonable assurance of achieving a particular reporting objective. In these situations all five components of internal control are needed. For instance, in preparing internal non-financial reporting to the board on the status of merger integration efforts, the organization specifies internal reporting objectives (e.g., prepares reliable, relevant, and useful reports), assigns competent individuals, assesses risks relating to specified objectives, selects and develops controls within the five components necessary to mitigate such risks, and monitors components of internal control supporting the specified non-financial reporting objective.

In contrast, the Information and Communication component supports the functioning of all components of reporting objectives, as well as operations and compliance objectives. For instance, controls within information and communication support the preparation of the above report, helping to provide relevant and quality information underlying the report, but these controls are only part of the overall system of internal control. 

Categories of Objectives

The Framework groups entity objectives into the three categories of operations, reporting, and compliance.

Compliance Objectives

Entities must conduct activities, and often take specific actions, in accordance with applicable laws and regulations. As part of specifying compliance objectives, the organization needs to understand which laws, rules and regulations apply across the entity. Many laws and regulations are generally well known, such as those relating to human resources, taxation, and environmental compliance, but others may be more obscure, such as those that apply to an entity conducting operations in a remote foreign territory.

Laws and regulations establish minimum standards of conduct expected of the entity. The organization is expected to incorporate these standards into the objectives set for the entity. Some organizations will set objectives to a higher level of performance than established by laws and regulations. In setting those objectives, management is able to exercise discretion relative to the performance of the entity. For instance, a particular law may limit minors working outside school hours to eighteen hours in a school week. However, a retail food service company may choose to limit its minor-age staff to working fifteen hours per week.

For purposes of the Framework, compliance with an entity’s internal policies and procedures, as opposed to compliance with external laws and regulations as discussed above, relates to operations objectives.

Overlap of Objectives Categories

An objective in one category may overlap or support an objective in another. For example, "closing financial reporting period within five workdays" may be a goal supporting primarily an operations objective-to support management in reviewing business performance. But it also supports timely reporting and timely filings with regulatory agencies.

The category in which an objective falls may vary depending on the circumstances. For instance, controls to prevent theft of assets—such as maintaining a fence around inventory, or having a gatekeeper to verify proper authorization of requests for movement of goods—fall under the operations category. These controls may not be relevant to reporting where inventory losses are detected after a periodic physical inspection and recording in the financial statements. However, if for reporting purposes management relies solely on perpetual inventory records, as may be the case for interim or internal financial reporting, the physical security controls would then also fall within the reporting category. These physical security controls, along with controls over the perpetual inventory records, are needed to achieve reporting objectives. A clear understanding is needed of the entity’s business processes, policies and procedures, and the respective impact on each category of objectives.

Basis of Objectives Categories

Some objectives are derived from the regulatory or industry environments in which the entity operates. For example:

• Some entities submit information to environmental agencies.
• Publicly traded companies file information with securities regulators.
• Universities report grant expenditures to government agencies.

These objectives are established largely by law or regulation, and fall into the category of compliance, external reporting, or, in these examples, both.

Conversely, operations and internal reporting objectives are based more on the organization’s preferences, judgments, and choices. These objectives vary widely among entities simply because informed and competent people may select different objectives. For example, one organization might choose to be an early adopter of emerging technologies in developing new products, whereas another might be a quick follower, and yet another a late adopter. These choices would reflect the entity’s strategies and the competencies, technologies, and controls within its research and development function. Consequently, no one formulation of objectives can be optimal for all entities.

Objectives and Sub-Objectives

Management links specified entity-level objectives to more specific sub-objectives that cascade throughout the organization. Sub-objectives also are established as part of or flowing from the strategy-setting process, and relate to the entity and its subunits and functional activities such as sales, production, engineering, marketing, productivity, employee engagement, innovation, and information technology. Management aligns these sub-objectives with entity-level objectives and coordinates these across the entity.

Where entity-level objectives are consistent with prior practice and performance, the linkage between activities is usually known. Where objectives depart from an entity’s past practices, management addresses the linkages or accepts increased risks. For example, an entity-level objective relating to customer satisfaction depends on linked sub-objectives dealing with the introduction of services that use a newer and less proven technology infrastructure. These sub-objectives might need to be substantially changed if past practice used older, proven technologies.

Sub-objectives for operating units and functional activities also need to be specific, measurable or observable, attainable, relevant, and time-bound. In addition, they must be readily understood by the people who are working toward achieving them. Management and other personnel require a mutual understanding of both what is to be accomplished and the means of determining to what extent it is accomplished in order to ensure individual and team accountability. 

Entities may specify multiple sub-objectives for each activity, flowing both from the entity-level objectives and from established standards relating to compliance and reporting objectives, as deemed suitable in the circumstances. For example, procurement operations objectives may be to:

• Purchase goods that meet established engineering specifications.
• Purchase goods from companies that meet the entity's environmental, health, and safety specifications as set forth in a code of conduct (e.g., no child labor, good working conditions).
• Negotiate acceptable prices and other terms.  

As another example, when specifying suitable external reporting objectives relating to the preparation of external financial statements, management considers accounting standards, financial statement assertions, and qualitative characteristics that are applicable to the entity and its subunits. For example, management may set an entity-level external financial reporting objective as follows: “Our company prepares reliable financial statements reflecting transactions and events in accordance with generally accepted accounting principles.”

Management also specifies suitable sub-objectives for divisions, subsidiaries, operating units, and functions with sufficient clarity to support entity-level objectives. For instance, management specifies sub-objectives for sales transactions that apply appropriate accounting standards based on the circumstances and that address relevant financial statement assertions and qualitative characteristics, such as

• All sales transactions that occur are recorded on a timely basis.
• Sales transactions are recorded at correct amounts in the right accounts.
• Sales transactions are accurately and completely summarized in the entity’s books and records.
• Presentation and disclosures relating to sales are properly described, sorted, and classified.
  

Limitations of Internal Control

Internal control, no matter how well designed, implemented and conducted, can provide only reasonable assurance to management and the board of directors of the achievement of an entity’s objectives. The likelihood of achievement is affected by limitations inherent in all systems of internal control. These include the realities that human judgment in decision making can be faulty, external events outside the organization’s control may arise, and breakdowns can occur because of human failures such as making errors. Additionally, controls can be circumvented by two or more people colluding, and because management can override the system of internal control

Internal control has been viewed by some observers as ensuring that an entity will not fail—that is, the entity will always achieve its operations, reporting, and compliance objectives. In this sense, internal control sometimes is looked upon as a cure-all for all real and potential business ills. This view is misguided. Internal control is not a panacea

In considering limitations of internal control, two distinct concepts must be recognized. The first set of limitations acknowledges that certain events or conditions are simply beyond management’s control. The second acknowledges that no system of internal control will always do what it is designed to do. The best that can be expected in any system of internal control is that reasonable assurance be obtained, which is the focus of this chapter. Second, internal control cannot provide absolute assurance for any of the objective categories

The first set of limitations acknowledges that certain events or conditions are simply outside management’s control. The second acknowledges that no system of internal control will always do what it is designed to do. The best that can be expected in any of system of internal control is that reasonable assurance be obtained, which is the focus of this chapter.

Reasonable assurance does not imply that systems of internal control will frequently fail. Many factors, individually and collectively, serve to strengthen the concept of reasonable assurance. Controls that support multiple objectives or that effect multiple principles within or across components reduce the risk that an entity may not achieve its objectives. Furthermore, the normal, everyday operating activities and responsibilities of people functioning at various levels of an organization are directed at achieving the entity’s objectives. Indeed, it is likely that these activities often apprise management about the process toward the entity’s operations objectives, and also support the achievement of compliance and reporting objectives. However, because of the inherent limitations discussed here, there is no guarantee that, for example, an uncontrollable event, mistake, or improper incident could never occur. In other words, even an effective system of internal control may experience failures. Reasonable assurance is not absolute assurance

Preconditions of Internal Control

The Framework specifies several areas that are part of the management process but not part of internal control. Two such areas relate to the governance process that extends the board’s role beyond internal control and establishing objectives as a precondition to internal control. There is a dependency established on these areas, among others, to also be effective. For example, an entity’s weak governance processes for selecting, developing, and evaluating board members may limit its ability to provide appropriate oversight of internal control. Similarly, ineffective strategy-setting or objective-setting processes would challenge the entity’s ability to identify poorly specified, unrealistic, or unsuitable objectives. A system of internal control cannot encompass all activities undertaken by the entity, and weaknesses in these areas may impede the organization from having effective internal control.

External Events

Internal control, even effective internal control, operates at different levels for different objectives. For objectives relating to the effectiveness and efficiency of an entity’s operations—achieving its mission, value propositions (e.g., productivity, quality, and customer service), profitability goals, and the like—internal control cannot provide reasonable assurance of the achievement when external events may have a significant impact on the achievement of objectives and the impact cannot be mitigated to an acceptable level. In these situations, internal control can only provide reasonable assurance that the organization is aware of the entity’s progress, or lack of it, toward achieving such objectives.

Management Override

Even an entity with an effective system of internal control may have a manager who is willing and able to override internal control. The term “management override” is used here to mean overruling prescribed policies or procedures for illegitimate purposes with the intent of personal gain or an enhanced presentation of an entity’s performance or compliance. A manager of a division or operating unit, or a member of senior management, might override the control for many reasons such as to:

• Increase reported revenue to cover an unanticipated decrease in market share
• Enhance reported earnings to meet unrealistic budgets
• Boost the market value of the entity prior to a public offering or sale
• Meet sales or earnings projections to bolster bonus payouts tied to performance
• Appear to cover violations of debt covenant agreements
• Hide lack of compliance with legal requirements

Override practices include deliberately making misrepresentations to bankers, lawyers, accountants, and vendors, and intentionally issuing false documents such as purchase orders and sales invoices.

Management override should not be confused with management intervention, which represents management’s actions to depart from prescribed controls for legitimate purposes. Management intervention is necessary to deal with non-recurring and non-standard transactions or events that otherwise might be handled inappropriately. Provision for management intervention is necessary because no process can be designed to anticipate every risk and every condition. Management’s actions to intervene are generally overt and subject to policies and procedures or otherwise disclosed to appropriate personnel. Actions to override usually are not documented or disclosed, and have the intent to cover up the actions.

Collusion

Collusion can result in internal control deficiencies. Individuals acting collectively to perpetrate and conceal an action from detection often can alter financial or other management information so that it cannot be detected or prevented by the system of internal control. Collusion can occur, for example, between an employee who performs controls and a customer, supplier, or another employee, Sales and/or operating unit management might collude to circumvent controls so that reported results meet budgets or incentive targets.

Roles and Responsibilites of Internal Control

Introduction

Internal control is effected by personnel internal to the organization, including the board of directors or equivalent oversight body and its committees, management and personnel, business-enabling functions, and internal auditors. Collectively, they contribute to providing reasonable assurance that specified objectives are achieved. When outsourced service providers perform controls on behalf of the entity, management retains responsibility for those controls.

An organization may view internal control through three lines of defense:

• Management and other personnel on the front line provide the first line of defense as they are responsible for maintaining effective internal control day to day; they are compensated based on performance in relation to all applicable objectives.


• Business-enabling functions such as risk, control, legal, and compliance provide the second line of defense as they clarify internal control requirements and evaluate adherence to defined standards. While they are functionally aligned to the business, their compensation is not directly tied to performance of the area to which they render expert advice.


• Internal auditors provide the third line of defense as they assess and report on internal control and recommend corrective actions or enhancements for management to consider and implement; their position and compensation are separate and distinct from the business areas they review.

Responsible Parties

Every individual within an entity has a role in effecting internal control. Roles vary in responsibility and level of involvement, as discussed below.

The Board of Directors and Its Committees

Depending on the jurisdiction and nature of the organization, different governance structures may be established, such as a board of directors, supervisory board, trustees, and/or general partners, with committees as appropriate. In the Framework, these governance structures are commonly referred to as the board of directors.

The board is responsible for overseeing the system of internal control. With the power to engage or terminate the chief executive officer, the board has a key role in defining expectations about integrity and ethical values, transparency, and accountability for the performance of internal control responsibilities. Board members are objective, capable, and inquisitive. They have a working knowledge of the entity’s activities and environment, and they commit the time necessary to fulfill their governance responsibilities. They utilize resources as needed to investigate any issues, and they have an open and unrestricted communications channel with all entity personnel, the internal auditors, independent auditors, external reviewers, and legal counsel.

Boards of directors often carry out certain duties through committees, whose use varies depending on regulatory requirements and other considerations. Board committees may be used for oversight of audit, compensation, nominations and governance, risk, and other topics significant for the organization. Each committee can bring specific emphasis to certain components of internal control. Where a particular committee has not been established, the related functions are carried out by the board itself.

Board-level committees can include the following:

• Audit Committee - Regulatory and professional standard-setting bodies often require the use of audit committees. The role and scope of authority of an audit committee can vary depending on the organization’s regulatory jurisdiction, industry norm, or other variables. This is sometimes also called the audit and risk committee to emphasize the importance of risk oversight. Management is responsible for the reliability of the financial statements, but an effective audit committee plays a critical oversight role. The board of directors, often through its audit committee, has the authority and responsibility to question senior management regarding how it is carrying out its internal and external reporting responsibilities and to verify that timely corrective actions are taken, as necessary.
  
  As a result of its independence the audit committee, along with a strong internal audit function as applicable, is often best positioned, to identify and promptly act in situations where senior management overrides controls or deviates from expected standards of conduct. The audit committee interacts with external auditors, meeting regularly to discuss the scope of planned audit procedures and results of audit procedures. Meetings with external auditors include executive sessions without management present to provide a forum for further dialogue between external auditors and audit committees. While board composition requirements vary, independent directors are important as they can provide an objective perspective. For example, the UK, German, and other corporate governance codes, and the New York Stock Exchange (NYSE) and NASDAQ listing requirements define the number and criteria for audit committee members to be independent from management and financially literate (e.g., at least one member with accounting or financial management expertise).


• Compensation Committee - Establishes the compensation for the chief executive officer or equivalent and provides oversight of compensation arrangements to motivate without providing incentives for undue risk-taking so as to ultimately protect and promote the interest of shareholders or other owners of the entity. It oversees senior management in its role to balance performance measures, incentives, and rewards with the pressures created by the entity’s objectives, and helps structure compensation practices to support the achievement of the entity’s objectives without unduly emphasizing short-term results over long-term performance.


• Nomination/Governance Committee - Provides control over the selection of candidates for directors and senior management. It regularly assesses and nominates members of the board of directors; makes recommendations regarding the board’s composition, operations, and performance; oversees the succession planning process for the chief executive officer and other key executives; and develops oversight discipline, processes, and structures. It promotes director orientations and training and evaluates oversight structures and processes (e.g., board/committee evaluations).


• Other Committees - There may be other committees of the board of directors that oversee specific areas. These committees are often established in large organizations or due to particular circumstances of the entity. For example, in an industry where compliance with certain laws and regulations is fundamental to the survival or development of the organization, a board-level compliance committee may be necessary. Risk committees are formed to focus on changes in risk levels and related impacts, and oversight of risk responses. Further to board committees that provide oversight, management-level committees often exist to provide guidance in the execution of specific areas, such as compliance committees, new product committees, and others.

Business-Enabling Functions

Various organizational functions or operating units support the entity through specialized skills, such as risk management, finance, controllers, product/service quality management, technology, compliance, legal, human resources, and others. They provide guidance and assessment of internal control related to their areas of expertise, and it is incumbent on them to share and evaluate issues and trends that transcend organizational
units or functions. They keep the organization informed of relevant requirements as they evolve over time (e.g., new or changing laws and regulations across a multitude of jurisdictions). Such business-enabling functions are referred to as the second line of defense, while front-line personnel execute their control activities.

While all controls function to serve a purpose, their efforts are coordinated and integrated as appropriate. For example, a company’s new customer acceptance process may be reviewed by the compliance function from a regulatory perspective, by the risk management function from a concentration risk perspective, and by the internal audit function to assess the design and effectiveness of controls. Disruptions to the business process are minimized when the timing and approach to reviews and management of issues are coordinated to the extent possible. Integration of efforts helps create a common language and platform for evaluating and addressing internal control matters, as business-enabling functions guide the organization in achieving its objectives.

Risk and Control Personnel

Risk and control functions are part of the second line of defense. Depending on the size and complexity of the organization, dedicated risk and control personnel may support functional management to manage different risk types (e.g., operational, financial, quantitative, qualitative) by providing specialized skills and guidance to front-line management and other personnel and evaluating internal control. These activities can be part of an entity’s centralized or corporate organization or they can be set up with “dotted line” reporting to functional heads. Risk and control functions are central to the way management maintains control over business activitie

Responsibilities of risk and control personnel include identifying known and emerging risks, helping management develop processes to manage such relevant risks, communicating and providing education on these processes across the organization, and evaluating and reporting on the effectiveness of such processes. The chief risk/control
officer is responsible for reporting to senior management and the board on significant risks to the business and whether these risks are managed within the entity’s established tolerance levels, with adequate internal control in place. Despite such significant responsibilities, risk and control personnel are not responsible for executing controls, but support overall the achievement of internal control.

Legal and Compliance Personnel

Counsel from legal professionals is key to defining effective controls for compliance with regulations and managing the possibility of lawsuits. In large and complex organizations, specialized compliance professionals can be helpful in defining and assessing controls for adherence to both external and internal requirements. The chief legal/compliance officer is responsible for ensuring that legal, regulatory, and other requirements are understood and communicated to those responsible for effecting compliance.

A close working relationship between business management and legal and compliance personnel provides a strong basis for designing, implementing, and conducting internal control to manage adverse outcomes such as regulatory sanctions, legal liability, and failure to adhere to internal compliance policies and procedures. At smaller organizations, legal and compliance roles may be shared by the same professional, or one of these roles can be outsourced with close oversight by management.

Other Personnel

Internal control is the responsibility of everyone in an entity and therefore constitutes an explicit or implicit part of everyone’s job description. Front-line personnel constitute the first line of defense in the performance of internal control responsibilities. Examples include:

• Control Environment - Reading, understanding, and applying the standards of conduct of the organization


• Risk Assessment - Identifying and evaluating risks to the achievement of objectives and understanding established risk tolerances relating to their areas of responsibility


• Control Activities - Performing reconciliations, following up on exception reports, performing physical inspections, and investigating reasons for cost variances or other performance indicators


• Information and Communication - Producing and sharing information used in the internal control system (e.g., inventory records, work-in-process data, sales or expense reports) or taking other actions needed to effect control


• Monitoring Activities - Supporting efforts to identify and communicate to higher-level management issues in operations, non-compliance with the code of conduct, or other violations of policy or illegal actions

The care with which those activities are performed directly affects the effectiveness of the internal control system. Internal control relies on checks and balances, including segregation of duties, and on employees not “looking the other way.” Personnel understands the need to resist pressure from superiors to participate in improper activities, and channels outside normal reporting lines are available to permit reporting of such circumstances.

Internal Auditors

As the third line of defense, internal auditors provide assurance and advisory support to management on internal control. Depending on the jurisdiction, size of the entity, and nature of the business, this function may be required or optional, internal or outsourced, large or small. In all cases, internal audit activities are expected to be carried out by competent and professional resources aligned to the risks relevant to the entity.

The internal audit activity includes evaluating the adequacy and effectiveness of controls in responding to risks within the organization’s oversight, operations, and information systems regarding. For example:

• Reliability and integrity of financial and operational information


• Effectiveness and efficiency of operations and programs


• Safeguarding of assets


• Compliance with laws, regulations, policies, procedures, and contracts

All activities within an organization are potentially within the scope of the internal auditor’s responsibility. In some entities, the internal audit function is heavily involved with controls over operations. For example, internal auditors may periodically monitor production quality, test the timeliness of shipments to customers, or evaluate the efficiency of the plant layout. In other entities, the internal audit function may focus primarily on compliance or financial reporting–related activities. In all cases, they demonstrate the necessary knowledge of the business and independence to provide a meaningful evaluation of internal control.

The scope of internal auditing is typically expected to include oversight, risk management, and internal control, and assisting the organization in maintaining effective control by evaluating their effectiveness and efficiency and by promoting continual improvement. Internal audit communicates findings and interacts directly with management, the audit committee, and/or the board of directors.

Internal auditors maintain an impartial view of the activities they audit through their skills and authority within the entity. Internal auditors have functional reporting to the audit committee and/or the board of directors and administrative reporting to the chief executive officer or other members of senior management.

Internal auditors are objective when not placed in a position of subordinating their judgment on audit matters to that of others and when protected from other threats to their objectivity. The primary protection against these threats is appropriate internal auditor reporting lines and staff assignments. These assignments are made to avoid potential and actual conflicts of interest and bias. Internal auditors do not assume operating responsibilities, nor are they assigned to audit activities with which they were involved recently in connection with prior operating assignments.

External Parties

A number of external parties can contribute to the achievement of the entity’s objectives, whether by performing activities as outsourced service providers or by providing data or analysis to functional/operational personnel. In both cases, functional/operational management always retains full responsibility for the internal control.

Outsourced Service Providers

Many organizations outsource business functions, delegating their roles and responsibilities for day-to-day management to outside service providers. Administrative, finance, human resources, technology, legal, and even select internal operations can be executed by parties outside the organization, with the objective of obtaining access to enhanced capabilities at a lower cost. For example, a financial institution may outsource its loan review process to a third party, a technology company may outsource the operation and maintenance of its information technology processing, and a retail company may outsource its internal audit function. While these external parties execute activities for or on behalf of the organization, management cannot abdicate its responsibility to manage the associated risks. It must implement a program to evaluate those activities performed by others on their behalf to assess the effectiveness of the system of internal control over the activities performed by outsourced service providers.

Other Parties Interacting with the Entity

Customers, vendors, and others transacting business with the entity are an important source of information used in conducting control activities. For example:

• A customer can inform a company about shipping delays, inferior product quality, or failure to otherwise meet the customer’s needs for product or service. Or a customer may be more proactive and work with an entity in developing needed product enhancements.
• A vendor can provide statements or information regarding completed or open shipments and billings, which may be used to identify and correct discrepancies and to reconcile balances.
• A potential supplier can notify senior management of an employee’s request for a kickback.
• Experts can provide market data to help the organization adapt its business model and supporting processes and controls to new challenges and opportunities.
• A non-governmental organization or newspaper may publish reports on working or environmental conditions at a supplier or sub-supplier.

Such information sharing between management and external parties can be important to the entity in achieving its operations, reporting, and compliance objectives. The entity has mechanisms in place with which to receive such information and to take appropriate action on a timely basis - that is, it not only addresses the particular situation reported, but also investigates the underlying source of an issue and fixes it.

In addition to customers and vendors, other parties, such as creditors, can provide insight on the achievement of an entity’s objectives. A bank, for example, may request reports on an entity’s compliance with certain debt covenants and recommend performance indicators or other desired targets or controls.

Independent Auditors

In some jurisdictions, an independent auditor is engaged to audit or examine the effectiveness of internal control over external financial reporting in addition to auditing the entity’s financial statements. (In some jurisdictions, the auditor is also legally required to express an opinion on the effectiveness of the internal control over external financial reporting in addition to his or her opinion on the financial statements.) Results of these audits enable the auditor to provide information to management that will be useful in conducting its oversight responsibilities. These reports and communications may include:

• Observations including analytical information and recommendations for use in taking actions necessary to achieve established objectives
• Findings of internal control deficiencies that come to attention of the auditor, and recommendations for improvement

Notwithstanding the depth and nature of the independent auditor’s work, this is not a replacement or a supplement to an adequate system of internal control, which remains the full responsibility of management.

Such information frequently relates not only to financial reporting but to operations and compliance activities as well. The information is reported to and acted upon by management and, depending on its significance, to the board of directors or audit committee.

External Reviewers

Subject matter specialists can be solicited or mandated to review specific areas of the organization’s internal control. Recognizing the various requirements or expectations of its stakeholders, an organization often seeks expert advice to translate these into policies and procedures, as well as communications and training, and evaluation of adherence to such requirements and standards. Workplace safety, environmental concerns, and fair trade practices are some examples of areas where an organization proactively seeks to ensure that it is complying with governing rules and standards. Certain functional areas may also be reviewed to promote greater effectiveness and efficiency of operations, such as compliance reviews, information systems penetration testing, and employment practices assessments.

Legislators and Regulators

Legislators and regulators can affect the internal control systems through specific requirements to establish internal control across the organization and/or through examinations of particular operating units. Many entities have long been subject to legal requirements for internal control. For example, companies listed on a US stock exchange are expected to establish and maintain a system of internal control, and legislation requires that senior executives of publicly listed companies certify to the effectiveness of their company’s internal control over financial reporting.

Various regulations require that public companies establish and maintain internal accounting control systems that satisfy specified objectives. Various laws and regulations apply to financial assistance programs, which address a variety of activities ranging from civil rights to cash management, and specify required internal control procedures or practices. Several regulatory agencies directly examine entities for which they have oversight responsibility. For example, federal and state bank examiners conduct examinations of banks and often focus on certain aspects of the banks’ internal control systems. These agencies make recommendations and are frequently empowered to take enforcement action. Thus, legislators and regulators affect the internal control systems in several ways:

• They establish rules that provide the impetus for management to establish an internal control system that meets statutory and regulatory requirements.
• Through examination of a particular entity, they provide information used by the entity’s internal control system and provide comment letters, recommendations, and sometimes directives to management on needed internal control system improvements.
• They may receive and, in turn, investigate, whistle-blower allegations.

Financial Analysts, Bond Rating Agencies, and the News Media

Financial analysts, bond rating agencies, and news media personnel analyze management’s performance against strategies and objectives by considering historical financial statements and prospective financial information, actions taken in response to conditions in the economy and marketplace, potential for success in the short and long term, and industry performance and peer-group comparisons, among other factors. Such investigative activities can provide insights, among many other outcomes, into the state of internal control and how management is responding to enhancing internal control.

Principles of the Internal Control Framework

Role of Principles
Principles are fundamental concepts associated with components. As such, the Framework views the seventeen principles as suitable to all entities. Relevance refers to a determination that each principle has a significant bearing on the presence and functioning of its associated component.

The Framework presumes that principles are relevant. However, there may be a rare industry, operating, or regulatory situation in which management has determined that a principle is not relevant to the associated component. Considerations in applying this judgment may include the entity structure recognizing any legal, regulatory, industry, or contractual requirements for governance of the entity, and the level of use and dependence on technology used by the entity.

If management decides that a principle is not relevant, management must support that determination, including the rationale of how, in the absence of that principle, the associated component could be present and functioning. When a relevant principle is deemed not to be present and functioning, a major deficiency exists in the system of
internal control.

In determining whether a component is present and functioning, senior management and the board of directors need to determine to what extent relevant principles are present and functioning. However, a principle being present and functioning does not imply that the organization strives for the highest level of performance in applying that particular principle. Rather, management exercises judgment in balancing the cost and benefit of designing, implementing, and conducting internal control.

Listing of all principles for the integrated framework

Control Environment

The control environment is the set of standards, processes, and structures that provide the basis for carrying out internal control across the organization. The board of directors and senior management establish the tone at the top regarding the importance of internal control and expected standards of conduct.

1. The organization demonstrates a commitment to integrity and ethical values.


2. The board of directors demonstrates independence from management and exercises oversight of the development and performance of internal control.


3. Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives.


4. The organization demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives.


5. The organization holds individuals accountable for their internal control responsibilities in the pursuit of objectives.

Risk Assessment

Risk assessment involves a dynamic and iterative process for identifying and analyzing risks to achieving the entity’s objectives, forming a basis for determining how risks should be managed. Management considers possible changes in the external environment and within its own business model that may impede its ability to achieve its objectives.

6. The organization specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives.


7. The organization identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed.


8. The organization considers the potential for fraud in assessing risks to the achievement of objectives.


9. The organization identifies and assesses changes that could significantly impact the system of internal control.

Control Activities

Control activities are the actions established by policies and procedures to help ensure that management directives to mitigate risks to the achievement of objectives are carried out. Control activities are performed at all levels of the entity and at various stages within business processes, and over the technology environment.

10. The organization selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels.


11. The organization selects and develops general control activities over technology to support the achievement of objectives.


12. The organization deploys control activities through policies that establish what is expected and in procedures that put policies into action.

Information and Communication

Information is necessary for the entity to carry out internal control responsibilities in support of achievement of its objectives. Communication occurs both internally and externally and provides the organization with the information needed to carry out day-to-day controls. Communication enables personnel to understand internal control responsibilities and their importance to the achievement of objectives

13. The organization obtains or generates and uses relevant, quality information to support the functioning of other components of internal control.


14. The organization internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of other components of internal control.


15. The organization communicates with external parties regarding  matters affecting the functioning of other components of internal control.

Monitoring Activities

Ongoing evaluations, separate evaluations, or some combination of the two are used to ascertain whether each of the five components of internal control, including controls to effect the principles within each component, is present and functioning. Findings are evaluated and deficiencies are communicated in a timely manner, with serious matters reported to senior management and to the board.

16. The organization selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning.


17. The organization evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate.