Components - Control Environment

Overview

The control environment is the foundation for an internal control system. It provides the discipline and structure, which affect the overall quality of internal control. It influences how objectives are defined and how control activities are structured. The oversight body and management establish and maintain an environment throughout the entity that sets a positive attitude toward internal control.

Principles

  1. The oversight body and management should demonstrate a commitment to integrity and ethical values.

  2. The oversight body should oversee the entity’s internal control system.

  3. Management should establish an organizational structure, assign responsibility, and delegate authority to achieve the entity’s objectives.

  4. Management should demonstrate a commitment to recruit, develop, and retain competent individuals.

  5. Management should evaluate performance and hold individuals accountable for their internal control responsibilities.

Principle 1 - Demonstrate Commitment to Integrity and Ethical Values

1.1 The oversight body and management should demonstrate a commitment to integrity and ethical values.

Attributes

The following attributes contribute to the design, implementation, and operating effectiveness of this principle:

  • Tone at the Top

  • Standards of Conduct

  • Adherence to Standards of Conduct

Tone at the Top

1.2 The oversight body and management demonstrate the importance of integrity and ethical values through their directives, attitudes, and behavior.

1.3 The oversight body and management lead by an example that demonstrates the organization’s values, philosophy, and operating style. The oversight body and management set the tone at the top and throughout the organization by their example, which is fundamental to an effective internal control system. In larger entities, the various layers of management in the organizational structure may also set “tone in the middle.”

1.4 The oversight body’s and management’s directives, attitudes, and behaviors reflect the integrity and ethical values expected throughout the entity. The oversight body and management reinforce the commitment to doing what is right, not just maintaining a minimum level of performance necessary to comply with applicable laws and regulations, so that these priorities are understood by all stakeholders, such as regulators, employees, and the general public.

1.5 Tone at the top can be either a driver, as shown in the preceding paragraphs, or a barrier to internal control. Without a strong tone at the top to support an internal control system, the entity’s risk identification may be incomplete, risk responses may be inappropriate, control activities may not be appropriately designed or implemented, information and communication may falter, and results of monitoring may not be understood or acted upon to remediate deficiencies.

Standards of Conduct

1.6 Management establishes standards of conduct to communicate expectations concerning integrity and ethical values. The entity uses ethical values to balance the needs and concerns of different stakeholders, such as regulators, employees, and the general public. The standards of conduct guide the directives, attitudes, and behaviors of the organization in achieving the entity’s objectives.

1.7 Management, with oversight from the oversight body, defines the organization’s expectations of ethical values in the standards of conduct. Management may consider using policies, operating principles, or guidelines to communicate the standards of conduct to the organization.

Adherence to Standards of Conduct

1.8 Management establishes processes to evaluate performance against the entity’s expected standards of conduct and address any deviations in a timely manner.

1.9 Management uses established standards of conduct as the basis for evaluating adherence to integrity and ethical values across the organization. Management evaluates the adherence to standards of conduct across all levels of the entity. To gain assurance that the entity’s standards of conduct are implemented effectively, management evaluates the directives, attitudes, and behaviors of individuals and teams. Evaluations may consist of ongoing monitoring or separate evaluations. Individual personnel can also report issues through reporting lines, such as regular staff meetings, upward feedback processes, a whistle-blowing program, or an ethics hotline. The oversight body evaluates management’s adherence to the standards of conduct as well as the overall adherence by the entity.

1.10 Management determines the tolerance level for deviations. Management may determine that the entity will have zero tolerance for deviations from certain expected standards of conduct, while deviations from others may be addressed with warnings to personnel. Management establishes a process for evaluations of individual and team adherence to standards of conduct that escalates and remediates deviations.

1.11 Management addresses deviations from expected standards of conduct in a timely and consistent manner. Depending on the severity of the deviation determined through the evaluation process, management, with oversight from the oversight body, takes appropriate actions and may also need to consider applicable laws and regulations. The standards of conduct to which management holds personnel, however, remain consistent.



Principle 2 - Exercise Oversight Responsibility

2.1 The oversight body should oversee the entity’s internal control system.

Attributes

The following attributes contribute to the design, implementation, and operating effectiveness of this principle:

  • Oversight Structure

  • Oversight for the Internal Control System

  • Input for Remediation of Deficiencies

Oversight Structure

2.2 The entity determines an oversight structure to fulfill responsibilities set forth by applicable laws and regulations, relevant government guidance, and feedback from key stakeholders. The entity will select, or if mandated by law will have selected for it, an oversight body. When the oversight body is composed of entity management, activities referenced in the Green Book as performed by “management” exclude these members of management when in their roles as the oversight body.

Responsibilities of an Oversight Body

2.3 When the oversight structure of an entity is led by senior management, senior management may distinguish itself from divisional or functional management through the establishment of an oversight body. An oversight body oversees the entity’s operations; provides constructive criticism to management; and where appropriate, makes oversight decisions so that the entity achieves its objectives in alignment with the entity’s integrity and ethical values.

Qualifications for an Oversight Body

2.4 In selecting members for an oversight body, the entity or applicable body defines the entity knowledge, relevant expertise, number of members, and possible independence needed to fulfill the oversight responsibilities for the entity.

2.5 Members of an oversight body understand the entity’s objectives, its related risks, and expectations of its stakeholders. In addition to an oversight body, an organization within the federal government may have several bodies that are key stakeholders for the entity, such as the White House, Congress, the Office of Management and Budget, and the Department of the Treasury. An oversight body works with key stakeholders to understand their expectations and help the entity fulfill these expectations if appropriate.

2.6 The entity or applicable body also considers the expertise needed by members to oversee, question, and evaluate management. Capabilities expected of all members of an oversight body include integrity and ethical values, leadership, critical thinking, and problem-solving abilities.

2.7 Further, in determining the number of members of an oversight body, the entity or applicable body considers the need for members of the oversight body to have specialized skills to enable discussion, offer constructive criticism to management, and make appropriate oversight decisions. Some specialized skills may include the following:

  • Internal control mindset (e.g., professional skepticism and perspectives on approaches for identifying and responding to risks and assessing the effectiveness of the system of internal control)
  • Programmatic expertise, including knowledge of the entity’s mission, programs, and operational processes (e.g., procurement, human capital, and functional management expertise)
  • Financial expertise, including financial reporting (e.g., accounting standards and financial reporting requirements and budgetary expertise)
  • Relevant systems and technology (e.g., understanding critical systems and technology risks and opportunities)
  • Legal and regulatory expertise (e.g., understanding of applicable laws and regulations)

2.8 If authorized by applicable laws and regulations, the entity may also consider including independent members as part of an oversight body. Members of an oversight body scrutinize and question management’s activities, present alternative views, and act when faced with obvious or suspected wrongdoing. Independent members with relevant expertise provide value through their impartial evaluation of the entity and its operations in achieving objectives.

Oversight for the Internal Control System

2.9 The oversight body oversees management’s design, implementation, and operation of the entity’s internal control system. The oversight body’s responsibilities for the entity’s internal control system include the following:

  • Control Environment - Establish integrity and ethical values, establish oversight structure, develop expectations of competence, and maintain accountability to all members of the oversight body and key stakeholders.
  • Risk Assessment - Oversee management’s assessment of risks to the achievement of objectives, including the potential impact of significant changes, fraud, and management override of internal control.
  • Control Activities - Provide oversight to management in the development and performance of control activities.
  • Information and Communication - Analyze and discuss information relating to the entity’s achievement of objectives.
  • Monitoring - Scrutinize the nature and scope of management’s monitoring activities as well as management’s evaluation and remediation of identified deficiencies.

2.10 These responsibilities are supported by the organizational structure that management establishes. The oversight body oversees management’s design, implementation, and operation of the entity’s organizational structure so that the processes necessary to enable the oversight body to fulfill its responsibilities exist and are operating effectively.

Input for Remediation of Deficiencies

2.11 The oversight body provides input to management’s plans for remediation of deficiencies in the internal control system as appropriate.

2.12 Management reports deficiencies identified in the internal control system to the oversight body. The oversight body oversees and provides direction to management on the remediation of these deficiencies. The oversight body also provides direction when a deficiency crosses organizational boundaries or units, or when the interests of management may conflict with remediation efforts. When appropriate and authorized, the oversight body may direct the creation of teams to address or oversee specific matters critical to achieving the entity’s objectives.

2.13 The oversight body is responsible for overseeing the remediation of deficiencies as appropriate and for providing direction to management on appropriate time frames for correcting these deficiencies.



Principle 3 - Establish Structure, Responsibility, and Authority

3.1 Management should establish an organizational structure, assign responsibility, and delegate authority to achieve the entity’s objectives.

Attributes

The following attributes contribute to the design, implementation, and operating effectiveness of this principle:

  • Organizational Structure

  • Assignment of Responsibility and Delegation of Authority

  • Documentation of the Internal Control System

Organizational Structure

3.2 Management establishes the organizational structure necessary to enable the entity to plan, execute, control, and assess the organization in achieving its objectives. From the entity’s objectives, management derives the overall responsibilities that enable the entity to achieve those objectives and address related risks.

3.3 Management develops an organizational structure with an understanding of the overall responsibilities, and assigns these responsibilities to discrete units to enable the organization to operate in an efficient and effective manner, comply with applicable laws and regulations, and reliably report quality information. Based on the nature of the assigned responsibility, management chooses the type and number of discrete units, such as divisions, offices, and related subunits.

3.4 As part of establishing an organizational structure, management considers how units interact in order to fulfill their overall responsibilities. Management establishes reporting lines within an organizational structure so that units can communicate the quality information necessary for each unit to fulfill its overall responsibilities. Reporting lines are defined at all levels of the organization and provide methods of communication that can flow down, across, up, and around the structure. Management also considers the entity’s overall responsibilities to external stakeholders and establishes reporting lines that allow the entity to both communicate and receive information from external stakeholders.

3.5 Management periodically evaluates the organizational structure so that it meets the entity’s objectives and has adapted to any new objectives for the entity, such as a new law or regulation.

Assignment of Responsibility and Delegation of Authority

3.6 To achieve the entity’s objectives, management assigns responsibility and delegates authority to key roles throughout the entity. A key role is a position in the organizational structure that is assigned an overall responsibility of the entity. Generally, key roles relate to senior management positions within an entity.

3.7 Management considers the overall responsibilities assigned to each unit, determines what key roles are needed to fulfill the assigned responsibilities, and establishes the key roles. Those in key roles can further assign responsibility for internal control to roles below them in the organizational structure, but retain ownership for fulfilling the overall responsibilities assigned to the unit.

3.8 Management determines what level of authority each key role needs to fulfill a responsibility. Management delegates authority only to the extent required to achieve the entity’s objectives. As part of delegating authority, management evaluates the delegation for proper segregation of duties within the unit and in the organizational structure. Segregation of duties helps prevent fraud, waste, and abuse in the entity by considering the need to separate authority, custody, and accounting in the organizational structure. As with assigning responsibility, those in key roles can delegate their authority for internal control to roles below them in the organizational structure.

Documentation of the Internal Control System

3.9 Management develops and maintains documentation of its internal control system.

3.10 Effective documentation assists in management’s design of internal control by establishing and communicating the who, what, when, where, and why of internal control execution to personnel. Documentation also provides a means to retain organizational knowledge and mitigate the risk of having that knowledge limited to a few personnel, as well as a means to communicate that knowledge as needed to external parties, such as external auditors.

3.11 Management documents internal control to meet operational needs. Documentation of controls, including changes to controls, is evidence that controls are identified, capable of being communicated to those responsible for their performance, and capable of being monitored and evaluated by the entity.

3.12 The extent of documentation needed to support the design, implementation, and operating effectiveness of the five components of internal control is a matter of judgment for management. Management considers the cost benefit of documentation requirements for the entity as well as the size, nature, and complexity of the entity and its objectives. Some level of documentation, however, is necessary so that the components of internal control can be designed, implemented, and operating effectively.



Principle 4 - Demonstrate Commitment to Competence

4.1 Management should demonstrate a commitment to recruit, develop, and retain competent individuals.

Attributes

The following attributes contribute to the design, implementation, and operating effectiveness of this principle:

  • Expectations of Competence

  • Recruitment, Development, and Retention of Individuals

  • Succession and Contingency Plans and Preparation

Expectations of Competence

4.2 Management establishes expectations of competence for key roles, and other roles at management’s discretion, to help the entity achieve its objectives. Competence is the qualification to carry out assigned responsibilities. It requires relevant knowledge, skills, and abilities, which are gained largely from professional experience, training, and certifications. It is demonstrated by the behavior of individuals as they carry out their responsibilities.

4.3 Management considers standards of conduct, assigned responsibility, and delegated authority when establishing expectations. Management establishes expectations of competence for key roles. Management may also establish expectations of competence for all personnel through policies within the entity’s internal control system.

4.4 Personnel need to possess and maintain a level of competence that allows them to accomplish their assigned responsibilities, as well as understand the importance of effective internal control. Holding individuals accountable to established policies by evaluating personnel’s competence is integral to attracting, developing, and retaining individuals. Management evaluates competence of personnel across the entity in relation to established policies. Management acts as necessary to address any deviations from the established policies. The oversight body evaluates the competence of management as well as the competence overall of entity personnel.

Recruitment, Development, and Retention of Individuals

4.5 Management recruits, develops, and retains competent personnel to achieve the entity’s objectives. Management considers the following:

  • Recruit - Conduct procedures to determine whether a particular candidate fits the organizational needs and has the competence for the proposed role.
  • Train - Enable individuals to develop competencies appropriate for key roles, reinforce standards of conduct, and tailor training based on the needs of the role.
  • Mentor - Provide guidance on the individual’s performance based on standards of conduct and expectations of competence, align the individual’s skills and expertise with the entity’s objectives, and help personnel adapt to an evolving environment.
  • Retain - Provide incentives to motivate and reinforce expected levels of performance and desired conduct, including training and credentialing as appropriate.

Succession and Contingency Plans and Preparation

4.6 Management defines succession and contingency plans for key roles to help the entity continue achieving its objectives. Succession plans address the entity’s need to replace competent personnel over the long term, whereas contingency plans address the entity’s need to respond to sudden personnel changes that could compromise the internal control system.

4.7 Management defines succession plans for key roles, chooses succession candidates, and trains succession candidates to assume the key roles. If management relies on a service organization to fulfill the assigned responsibilities of key roles in the entity, management assesses whether the service organization can continue in these key roles, identifies other candidate organizations for the roles, and implements processes to enable knowledge sharing with the succession candidate organization.

4.8 Management defines contingency plans for assigning responsibilities if a key role in the entity is vacated without advance notice. The importance of the key role in the internal control system and the impact to the entity of its vacancy dictates the formality and depth of the contingency plan.



Principle 5 - Enforce Accountability

5.1 Management should evaluate performance and hold individuals accountable for their internal control responsibilities.

Attributes

The following attributes contribute to the design, implementation, and operating effectiveness of this principle:

  • Enforcement of Accountability

  • Consideration of Excessive Pressures

Enforcement of Accountability

5.2 Management enforces accountability of individuals performing their internal control responsibilities. Accountability is driven by the tone at the top and supported by the commitment to integrity and ethical values, organizational structure, and expectations of competence, which influence the control culture of the entity. Accountability for performance of internal control responsibility supports day-to-day decision making, attitudes, and behaviors. Management holds personnel accountable through mechanisms such as performance appraisals and disciplinary actions.

5.3 Management holds entity personnel accountable for performing their assigned internal control responsibilities. The oversight body, in turn, holds management accountable as well as the organization as a whole for its internal control responsibilities.

5.4 If management establishes incentives, management recognizes that such actions can yield unintended consequences and evaluates incentives so that they align with the entity’s standards of conduct.

5.5 Management holds service organizations accountable for their assigned internal control responsibilities. Management may contract with service organizations to perform roles in the organizational structure. Management communicates to the service organization the objectives of the entity and their related risks, the entity’s standards of conduct, the role of the service organization in the organizational structure, the assigned responsibilities and authorities of the role, and the expectations of competence for its role that will enable the service organization to perform its internal control responsibilities.

5.6 Management, with oversight from the oversight body, takes corrective action as necessary to enforce accountability for internal control in the entity. These actions can range from informal feedback provided by the direct supervisor to disciplinary action taken by the oversight body, depending on the significance of the deficiency to the internal control system.

Consideration of Excessive Pressures

5.7 Management adjusts excessive pressures on personnel in the entity. Pressure can appear in an entity because of goals established by management to meet objectives or cyclical demands of various processes performed by the entity, such as year-end financial statement preparation. Excessive pressure can result in personnel “cutting corners” to meet the established goals.

5.8 Management is responsible for evaluating pressure on personnel to help personnel fulfill their assigned responsibilities in accordance with the entity’s standards of conduct. Management can adjust excessive pressures using many different tools, such as rebalancing workloads or increasing resource levels.




  1. COSO Framework
  2. Green Book PDF
  3. GAO Green Book Site