Factors of Effective Internal Control
OV3.01 The purpose of this section is to provide management with factors to consider in evaluating the effectiveness of an internal control system. For federal entities, OMB Circular No. A-123 provides specific requirements on how to perform evaluations and report on internal control in the federal government. Nonfederal entities may refer to applicable laws and regulations as well as input from key external stakeholders when determining how to appropriately evaluate and report on internal control.
OV3.02 An effective internal control system provides reasonable assurance that the organization will achieve its objectives. As stated in section 2 of the Overview, an effective internal control system has
OV3.03 To determine if an internal control system is effective, management assesses the design, implementation, and operating effectiveness of the five components and 17 principles. If a principle or component is not effective, or the components are not operating together in an integrated manner, then an internal control system cannot be effective.
Evaluation of Internal Control
OV3.04 In the federal government, FMFIA mandates that the head of each executive branch agency annually prepare a statement as to whether the agency’s systems of internal accounting and administrative controls comply with the requirements of the act. If the systems do not comply, the head of the agency will prepare a report in which any material weaknesses in the agency’s system of internal accounting and administrative control are identified and the plans and schedule for correcting any such weakness are described. OMB issues guidance for evaluating these requirements in OMB Circular No. A-123. Nonfederal entities may refer to applicable laws and regulations for guidance in preparing statements regarding internal control.
Design and Implementation
OV3.05 When evaluating design of internal control, management determines if controls individually and in combination with other controls are capable of achieving an objective and addressing related risks. When evaluating implementation, management determines if the control exists and if the entity has placed the control into operation. A control cannot be effectively implemented if it was not effectively designed. A deficiency in design exists when (1) a control necessary to meet a control objective is missing or (2) an existing control is not properly designed so that even if the control operates as designed, the control objective would not be met. A deficiency in implementation exists when a properly designed control is not implemented correctly in the internal control system.
Operating Effectiveness
OV3.06 In evaluating operating effectiveness, management determines if controls were applied at relevant times during the period under evaluation, the consistency with which they were applied, and by whom or by what means they were applied. If substantially different controls were used at different times during the period under evaluation, management evaluates operating effectiveness separately for each unique control system. A control cannot be effectively operating if it was not effectively designed and implemented. A deficiency in operation exists when a properly designed control does not operate as designed, or when the person performing the control does not possess the necessary authority or competence to perform the control effectively.
Effect of Deficiencies on the Internal Control System
OV3.07 Management evaluates control deficiencies identified by management’s ongoing monitoring of the internal control system as well as any separate evaluations performed by both internal and external sources. A deficiency in internal control exists when the design, implementation, or operation of a control does not allow management or personnel, in the normal course of performing their assigned functions, to achieve control objectives and address related risks.
OV3.08 Management evaluates the significance of identified deficiencies. Significance refers to the relative importance of a deficiency to the entity’s achieving a defined objective. To evaluate the significance of the deficiency, management assesses its effect on achieving the defined objectives at both the entity and transaction level. Management evaluates the significance of a deficiency by considering the magnitude of impact, likelihood of occurrence, and nature of the deficiency. Magnitude of impact refers to the likely effect that the deficiency could have on the entity achieving its objectives and is affected by factors such as the size, pace, and duration of the deficiency’s impact. A deficiency may be more significant to one objective than another. Likelihood of occurrence refers to the possibility of a deficiency impacting an entity’s ability to achieve its objectives. The nature of the deficiency involves factors such as the degree of subjectivity involved with the deficiency and whether the deficiency arises from fraud or misconduct. The oversight body oversees management’s evaluation of the significance of deficiencies so that deficiencies have been properly considered.
OV3.09 Deficiencies are evaluated both on an individual basis and in the aggregate. Management considers the correlation among different deficiencies or groups of deficiencies when evaluating their significance. Deficiency evaluation varies by entity because of differences in entities’ objectives.
OV3.10 For each principle, management makes a summary determination as to whether the principle is designed, implemented, and operating effectively. Management considers the impact of deficiencies identified in achieving documentation requirements as part of this summary determination. Management may consider the related attributes as part of this summary determination. If a principle is not designed, implemented, or operating effectively, then the respective component cannot be effective.
OV3.11 Based on the results of the summary determination for each principle, management concludes on the design, implementation, and operating effectiveness of each of the five components of internal control. Management also considers if the five components operate together effectively. If one or more of the five components are not effectively designed, implemented, or operating effectively or if they are not operating together in an integrated manner, then an internal control system is ineffective. Judgment is used in making such determinations, which includes exercising reasonable care.