Control Environment Component

Summary

The control environment is the set of standards, processes, and structures that provide the basis for carrying out internal control across the organization. The board of directors and senior management establish the tone at the top regarding the importance of internal control including expected standards of conduct. Management reinforces expectations at the various levels of the organization. The control environment comprises the integrity and ethical values of the organization; the parameters enabling the board of directors to carry out its oversight responsibilities; the organizational structure and assignment of authority and responsibility; the process for attracting, developing, and retaining competent individuals; and the rigor around performance measures, incentives, and rewards to drive accountability for performance. The resulting control environment has a pervasive impact on the overall system of internal control.

The control environment is influenced by a variety of internal and external factors, including the entity’s history, values, market, and the competitive and regulatory landscape. It is defined by the standards, processes, and structures that guide people at all levels in carrying out their responsibilities for internal control and making decisions. It creates the discipline that supports the assessment of risks to the achievement of the entity’s objectives, performance of control activities, use of information and communication systems, and conduct of monitoring activities.

An organization that establishes and maintains a strong control environment positions itself to be more resilient in the face of internal and external pressures. It does this by demonstrating behavior consistent with the organization’s commitment to integrity and ethical values, adequate oversight processes and structures, organizational design that enables the achievement of the entity’s objectives with appropriate assignment of authority and responsibility, a high degree of competence, and a strong sense of accountability for the achievement of objectives.

Organizational culture supports the control environment insofar as it sets expectations of behavior that reflects a commitment to integrity and ethical values, oversight, accountability, and performance evaluation. Establishing a strong culture considers, for example, how clearly and consistently ethical and behavioral standards are communicated and reinforced in practice. As such, culture is part of an organization’s control environment, but also encompasses elements of other components of internal control, such as policies and procedures, ease of access to information, and responsiveness to results of monitoring activities. Therefore, culture is influenced by the control environment and other components of internal control, and vice versa.

Principles relating to the Control Environment component

  1. The organization demonstrates a commitment to integrity and ethical values.

  2. The board of directors demonstrates independence from management and exercises oversight of the development and performance of internal control.

  3. Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives.

  4. The organization demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives.

  5. The organization holds individuals accountable for their internal control responsibilities in the pursuit of objectives.

Demonstrates Commitment to Integrity and Ethical Values

Principle 1: The organization demonstrates a commitment to integrity and ethical values.

Points of Focus

The following points of focus may assist management in determining whether this principle is present and functioning:

  • Sets the Tone at the Top—The board of directors and management at all levels of the entity demonstrate through their directives, actions, and behavior the importance of integrity and ethical values to support the functioning of the system of internal control.
  • Establishes Standards of Conduct—The expectations of the board of directors and senior management concerning integrity and ethical values are defined in the entity’s standards of conduct and understood at all levels of the organization and by outsourced service providers and business partners.
  • Evaluates Adherence to Standards of Conduct—Processes are in place to evaluate the performance of individuals and teams against the entity’s expected standards of conduct.
  • Addresses Deviations in a Timely Manner—Deviations of the entity’s expected standards of conduct are identified and remedied in a timely and consistent manner.

Exercises Oversight Responsibility

Principle 2: The board of directors demonstrates independence from management and exercises oversight of the development and performance of internal control.

Points of Focus

The following points of focus may assist management in determining whether this principle is present and functioning:

  • Establishes Oversight Responsibilities—The board of directors identifies and accepts its oversight responsibilities in relation to established requirements and expectations.
  • Applies Relevant Expertise—The board of directors defines, maintains, and periodically evaluates the skills and expertise needed among its members to enable them to ask probing questions of senior management and take commensurate actions.
  • Operates Independently—The board of directors has sufficient members who are independent from management and objective in evaluations and decision making.
  • Provides Oversight for the System of Internal Control—The board of directors retains oversight responsibility for management’s design, implementation, and conduct of internal control:
    • Control Environment—Establishing integrity and ethical values, oversight structures, authority and responsibility, expectations of competence, and accountability to the board.
    • Risk Assessment—Overseeing management’s assessment of risks to the achievement of objectives, including the potential impact of significant changes, fraud, and management override of internal control.
    • Control Activities—Providing oversight to senior management in the development and performance of control activities.
    • Information and Communication—Analyzing and discussing information relating to the entity’s achievement of objectives.
    • Monitoring Activities—Assessing and overseeing the nature and scope of monitoring activities and management’s evaluation and remediation of deficiencies.

Establishes Structure, Authority, and Responsibility

Principle 3: Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives.

Points of Focus

The following points of focus may assist management in determining whether this principle is present and functioning:

  • Considers All Structures of the Entity—Management and the board of directors consider the multiple structures used (including operating units, legal entities, geographic distribution, and outsourced service providers) to support the achievement of objectives.
  • Establishes Reporting Lines—Management designs and evaluates lines of reporting for each entity structure to enable execution of authorities and responsibilities and flow of information to manage the activities of the entity.
  • Defines, Assigns, and Limits Authorities and Responsibilities—Management and the board of directors delegate authority, define responsibilities, and use appropriate processes and technology to assign responsibility and segregate duties as necessary at the various levels of the organization:
    • Board of Directors—Retains authority over significant decisions and reviews management’s assignments and limitations of authorities and responsibilities.
    • Senior Management—Establishes directives, guidance, and control to enable management and other personnel to understand and carry out their internal control responsibilities.
    • Management—Guides and facilitates the execution of senior management directives at the entity and its subunits.
    • Personnel—Understands the entity’s standard of conduct, assessed risks to objectives, and the related control activities at their respective levels of the entity, the expected information and communication flow, and monitoring activities relevant to their achievement of the objectives.
    • Outsourced Service Providers—Adheres to management’s definition of the scope of authority and responsibility for all non-employees engaged.

Demonstrates Commitment to Competence

Principle 4: The organization demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives.

Points of Focus

The following points of focus may assist management in determining whether this principle is present and functioning:

  • Establishes Policies and Practices—Policies and practices reflect expectations of competence necessary to support the achievement of objectives.
  • Evaluates Competence and Addresses Shortcomings—The board of directors and management evaluate competence across the organization and in outsourced service providers in relation to established policies and practices, and act as necessary to address shortcomings.
  • Attracts, Develops, and Retains Individuals—The organization provides the mentoring and training needed to attract, develop, and retain sufficient and competent personnel and outsourced service providers to support the achievement of objectives.
  • Plans and Prepares for Succession—Senior management and the board of directors develop contingency plans for assignments of responsibility important for internal control.

Enforces Accountability

Principle 5: The organization holds individuals accountable for their internal control responsibilities in the pursuit of objectives.

Points of Focus

The following points of focus may assist management in determining whether this principle is present and functioning:

  • Enforces Accountability through Structures, Authorities, and Responsibilities—Management and the board of directors establish the mechanisms to communicate and hold individuals accountable for performance of internal control responsibilities across the organization and implement corrective action as necessary.
  • Establishes Performance Measures, Incentives, and Rewards—Management and the board of directors establish performance measures, incentives, and other rewards appropriate for responsibilities at all levels of the entity, reflecting appropriate dimensions of performance and expected standards of conduct, and considering the achievement of both short-term and longer-term objectives.
  • Evaluates Performance Measures, Incentives, and Rewards for Ongoing Relevance—Management and the board of directors align incentives and rewards with the fulfillment of internal control responsibilities in the achievement of objectives.
  • Considers Excessive Pressures—Management and the board of directors evaluate and adjust pressures associated with the achievement of objectives as they assign responsibilities, develop performance measures, and evaluate performance.
  • Evaluates Performance and Rewards or Disciplines Individuals—Management and the board of directors evaluate performance of internal control responsibilities, including adherence to standards of conduct and expected levels of competence, and provide rewards or exercise disciplinary action as appropriate.