Principles with Points of Focus of the Internal Control Framework
Role of Principles
Principles are fundamental concepts associated with components. As such, the Framework views the seventeen principles as suitable to all entities. Relevance refers to a determination that each principle has a significant bearing on the presence and functioning of its associated component.
The Framework presumes that principles are relevant. However, there may be a rare industry, operating, or regulatory situation in which management has determined that a principle is not relevant to the associated component. Considerations in applying this judgment may include the entity structure recognizing any legal, regulatory, industry, or contractual requirements for governance of the entity, and the level of use and dependence on technology used by the entity.
If management decides that a principle is not relevant, management must support that determination, including the rationale of how, in the absence of that principle, the associated component could be present and functioning. When a relevant principle is deemed not to be present and functioning, a major deficiency exists in the system of internal control.
In determining whether a component is present and functioning, senior management and the board of directors need to determine to what extent relevant principles are present and functioning. However, a principle being present and functioning does not imply that the organization strives for the highest level of performance in applying that particular principle. Rather, management exercises judgment in balancing the cost and benefit of designing, implementing, and conducting internal control.
Points of Focus
The Framework describes points of focus that are typically important characteristics of principles. Management is expected to obtain persuasive evidence to support its determination that the components and relevant principles of internal control are present and functioning. To that end, points of focus assist management in designing, implementing, and conducting internal control and in assessing whether the relevant principles are, in fact, present and functioning. The Framework does not require that management assess separately whether points of focus are in place. Instead management considers points of focus in connection with its determination of whether principles are present and functioning.
In designing and implementing a system of internal control, management may determine that some of these characteristics are not suitable or relevant and may identify and consider others that are based on specific circumstances of the entity.
Management, in its judgment, identifies and considers suitable and relevant points of focus, including those presented in the Framework, that reflect the entity’s industry, operating, and regulatory environments. Once management has determined which points of focus are suitable and relevant for a particular principle, those points of focus become important considerations when assessing the presence and functioning of a principle.
Points of focus are presented at the beginning of the discussion of the principles within each component chapter.
Listing of all principles for the integrated framework
Control Environment
1. The organization demonstrates a commitment to integrity and ethical values.
- Sets the Tone at the Top—The board of directors and management at all levels of the entity demonstrate through their directives, actions, and behavior the importance of integrity and ethical values to support the functioning of the system of internal control.
- Establishes Standards of Conduct—The expectations of the board of directors and senior management concerning integrity and ethical values are defined in the entity’s standards of conduct and understood at all levels of the organization and by outsourced service providers and business partners.
- Evaluates Adherence to Standards of Conduct—Processes are in place to evaluate the performance of individuals and teams against the entity’s expected standards of conduct.
- Addresses Deviations in a Timely Manner—Deviations from the entity’s expected standards of conduct are identified and remedied in a timely and consistent manner.
2. The board of directors demonstrates independence from management and exercises oversight of the development and performance of internal control.
- Establishes Oversight Responsibilities—The board of directors identifies and accepts its oversight responsibilities in relation to established requirements and expectations.
- Applies Relevant Expertise—The board of directors defines, maintains, and periodically evaluates the skills and expertise needed among its members to enable them to ask probing questions of senior management and take commensurate actions.
- Operates Independently—The board of directors has sufficient members who are independent from management and objective in evaluations and decision making.
- Provides Oversight for the System of Internal Control—The board of directors retains oversight responsibility for management’s design, implementation, and conduct of internal control:
  - Control Environment—Establishing integrity and ethical values, oversight structures, authority and responsibility, expectations of competence, and accountability to the board.
  - Risk Assessment—Overseeing management’s assessment of risks to the achievement of objectives, including the potential impact of significant changes, fraud, and management override of internal control.
  - Control Activities—Providing oversight to senior management in the development and performance of control activities.
  - Information and Communication—Analyzing and discussing information relating to the entity’s achievement of objectives.
  - Monitoring Activities—Assessing and overseeing the nature and scope of monitoring activities and management’s evaluation and remediation of deficiencies.
3. Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives.
- Considers All Structures of the Entity—Management and the board of directors consider the multiple structures used (including operating units, legal entities, geographic distribution, and outsourced service providers) to support the achievement of objectives.
- Establishes Reporting Lines—Management designs and evaluates lines of reporting for each entity structure to enable execution of authorities and responsibilities and flow of information to manage the activities of the entity.
- Defines, Assigns, and Limits Authorities and Responsibilities—Management and the board of directors delegate authority, define responsibilities, and use appropriate processes and technology to assign responsibility and segregate duties as necessary at the various levels of the organization:
  - Board of Directors—Retains authority over significant decisions and reviews management’s assignments and limitations of authorities and responsibilities.
  - Senior Management—Establishes directives, guidance, and control to enable management and other personnel to understand and carry out their internal control responsibilities.
  - Management—Guides and facilitates the execution of senior management directives at the entity and its subunits.
  - Personnel—Understands the entity’s standards of conduct, assessed risks to objectives, and the related control activities at their respective levels of the entity, the expected information and communication flow, and monitoring activities relevant to their achievement of the objectives.
  - Outsourced Service Providers—Adheres to management’s definition of the scope of authority and responsibility for all non-employees engaged.
4. The organization demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives.
- Establishes Policies and Practices—Policies and practices reflect expectations of competence necessary to support the achievement of objectives.
- Evaluates Competence and Addresses Shortcomings—The board of directors and management evaluate competence across the organization and in outsourced service providers in relation to established policies and practices, and act, as necessary, to address shortcomings.
- Attracts, Develops, and Retains Individuals—The organization provides the mentoring and training needed to attract, develop, and retain sufficient and competent personnel and outsourced service providers to support the achievement of objectives.
- Plans and Prepares for Succession—Senior management and the board of directors develop contingency plans for assignments of responsibility important for internal control.
5. The organization holds individuals accountable for their internal control responsibilities in the pursuit of objectives.
- Enforces Accountability through Structures, Authorities, and Responsibilities—Management and the board of directors establish the mechanisms to communicate and hold individuals accountable for performance of internal control responsibilities across the organization and implement corrective action as necessary.
- Establishes Performance Measures, Incentives, and Rewards—Management and the board of directors establish performance measures, incentives, and other rewards appropriate for responsibilities at all levels of the entity, reflecting appropriate dimensions of performance and expected standards of conduct, and considering the achievement of both short-term and longer-term objectives.
- Evaluates Performance Measures, Incentives, and Rewards for Ongoing Relevance—Management and the board of directors align incentives and rewards with the fulfillment of internal control responsibilities in the achievement of objectives.
- Considers Excessive Pressures—Management and the board of directors evaluate and adjust pressures associated with the achievement of objectives as they assign responsibilities, develop performance measures, and evaluate performance.
- Evaluates Performance and Rewards or Disciplines Individuals—Management and the board of directors evaluate performance of internal control responsibilities, including adherence to standards of conduct and expected levels of competence, and provide rewards or exercise disciplinary action as appropriate.
Risk Assessment
6. The organization specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives.
Operations Objectives
- Reflects Management’s Choices—Operations objectives reflect management’s choices about structure, industry considerations, and performance of the entity.
- Considers Tolerances for Risk—Management considers the acceptable levels of variation relative to the achievement of operations objectives.
- Includes Operations and Financial Performance Goals—The organization reflects the desired level of operations and financial performance for the entity within operations objectives.
- Forms a Basis for Committing of Resources—Management uses operations objectives as a basis for allocating resources needed to attain desired operations and financial performance.
External Financial Reporting
- Complies with Applicable Accounting Standards—Financial reporting objectives are consistent with accounting principles suitable and available for that entity. The accounting principles selected are appropriate in the circumstances.
- Considers Materiality—Management considers materiality in financial statement presentation.
- Reflects Entity Activities—External reporting reflects the underlying transactions and events to show qualitative characteristics and assertions.
External Non-Financial Reporting
- Complies with Externally Established Standards and Frameworks—Management establishes objectives consistent with laws and regulations, or standards and frameworks of recognized external organizations.
- Considers the Required Level of Precision—Management reflects the required level of precision and accuracy suitable for user needs and based on criteria established by third parties in non-financial reporting.
- Reflects Entity Activities—External reporting reflects the underlying transactions and events within a range of acceptable limits.
Internal Reporting Objectives
- Reflects Management’s Choices—Internal reporting provides management with accurate and complete information regarding management’s choices and information needed in managing the entity.
- Considers the Required Level of Precision—Management reflects the required level of precision and accuracy suitable for user needs in non-financial reporting objectives and materiality within financial reporting objectives.
- Reflects Entity Activities—Internal reporting reflects the underlying transactions and events within a range of acceptable limits.
Compliance Objectives
- Reflects External Laws and Regulations—Laws and regulations establish minimum standards of conduct, which the entity integrates into compliance objectives.
- Considers Tolerances for Risk—Management considers the acceptable levels of variation relative to the achievement of compliance objectives.
7. The organization identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed.
- Includes Entity, Subsidiary, Division, Operating Unit, and Functional Levels—The organization identifies and assesses risks at the entity, subsidiary, division, operating unit, and functional levels relevant to the achievement of objectives.
- Analyzes Internal and External Factors—Risk identification considers both internal and external factors and their impact on the achievement of objectives.
- Involves Appropriate Levels of Management—The organization puts into place effective risk assessment mechanisms that involve appropriate levels of management.
- Estimates Significance of Risks Identified—Identified risks are analyzed through a process that includes estimating the potential significance of the risk.
- Determines How to Respond to Risks—Risk assessment includes considering how the risk should be managed and whether to accept, avoid, reduce, or share the risk.
8. The organization considers the potential for fraud in assessing risks to the achievement of objectives.
- Considers Various Types of Fraud—The assessment of fraud considers fraudulent reporting, possible loss of assets, and corruption resulting from the various ways that fraud and misconduct can occur.
- Assesses Incentives and Pressures—The assessment of fraud risk considers incentives and pressures.
- Assesses Opportunities—The assessment of fraud risk considers opportunities for unauthorized acquisition, use, or disposal of assets, altering of the entity’s reporting records, or committing other inappropriate acts.
- Assesses Attitudes and Rationalizations—The assessment of fraud risk considers how management and other personnel might engage in or justify inappropriate actions.
9. The organization identifies and assesses changes that could significantly impact the system of internal control.
- Assesses Changes in the External Environment—The risk identification process considers changes to the regulatory, economic, and physical environment in which the entity operates.
- Assesses Changes in the Business Model—The organization considers the potential impacts on the system of internal control of new business lines, dramatically altered compositions of existing business lines, acquired or divested business operations, rapid growth, changing reliance on foreign geographies, and new technologies.
- Assesses Changes in Leadership—The organization considers changes in management and respective attitudes and philosophies on the system of internal control.
Control Activities
10. The organization selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels.
- Integrates with Risk Assessment—Control activities help ensure that risk responses that address and mitigate risks are carried out.
- Considers Entity-Specific Factors—Management considers how the environment, complexity, nature, and scope of its operations, as well as the specific characteristics of its organization, affect the selection and development of control activities.
- Determines Relevant Business Processes—Management determines which relevant business processes require control activities.
- Evaluates a Mix of Control Activity Types—Control activities include a range and variety of controls and may include a balance of approaches to mitigate risks, considering both manual and automated controls, and preventive and detective controls.
11. The organization selects and develops general control activities over technology to support the achievement of objectives.
- Determines Dependency between the Use of Technology in Business Processes and Technology General Controls—Management understands and determines the dependency and linkage between business processes, automated control activities, and technology general controls.
- Establishes Relevant Technology Infrastructure Control Activities—Management selects and develops control activities over the technology infrastructure, which are designed and implemented to help ensure the completeness, accuracy, and availability of technology processing.
- Establishes Relevant Security Management Process Control Activities—Management selects and develops control activities that are designed and implemented to restrict technology access rights to authorized users commensurate with their job responsibilities and to protect the entity’s assets from external threats.
- Establishes Relevant Technology Acquisition, Development, and Maintenance Process Control Activities—Management selects and develops control activities over the acquisition, development, and maintenance of technology and its infrastructure to achieve management’s objectives.
12. The organization deploys control activities through policies that establish what is expected and in procedures that put policies into action.
- Establishes Policies and Procedures to Support Deployment of Management’s Directives—Management establishes control activities that are built into business processes and employees’ day-to-day activities through policies establishing what is expected and relevant procedures specifying actions.
- Establishes Responsibility and Accountability for Executing Policies and Procedures—Management establishes responsibility and accountability for control activities with management (or other designated personnel) of the business unit or function in which the relevant risks reside.
- Performs in a Timely Manner—Responsible personnel perform control activities in a timely manner as defined by the policies and procedures.
- Takes Corrective Action—Responsible personnel investigate and act on matters identified as a result of executing control activities.
- Performs Using Competent Personnel—Competent personnel with sufficient authority perform control activities with diligence and continuing focus.
- Reassesses Policies and Procedures—Management periodically reviews control activities to determine their continued relevance, and refreshes them when necessary.
Information and Communication
13. The organization obtains or generates and uses relevant, quality information to support the functioning of other components of internal control.
- Identifies Information Requirements—A process is in place to identify the information required and expected to support the functioning of the other components of internal control and the achievement of the entity’s objectives.
- Captures Internal and External Sources of Data—Information systems capture internal and external sources of data.
- Processes Relevant Data into Information—Information systems process and transform relevant data into information.
- Maintains Quality throughout Processing—Information systems produce information that is timely, current, accurate, complete, accessible, protected, verifiable, and retained. Information is reviewed to assess its relevance in supporting the internal control components.
- Considers Costs and Benefits—The nature, quantity, and precision of information communicated are commensurate with and support the achievement of objectives.
14. The organization internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of other components of internal control.
- Communicates Internal Control Information—A process is in place to communicate required information to enable all personnel to understand and carry out their internal control responsibilities.
- Communicates with the Board of Directors—Communication exists between management and the board of directors so that both have information needed to fulfill their roles with respect to the entity’s objectives.
- Provides Separate Communication Lines—Separate communication channels, such as whistle-blower hotlines, are in place and serve as fail-safe mechanisms to enable anonymous or confidential communication when normal channels are inoperative or ineffective.
- Selects Relevant Method of Communication—The method of communication considers the timing, audience, and nature of the information.
15. The organization communicates with external parties regarding matters affecting the functioning of other components of internal control.
- Communicates to External Parties—Processes are in place to communicate relevant and timely information to external parties, including shareholders, partners, owners, regulators, customers, financial analysts, and other external parties.
- Enables Inbound Communications—Open communication channels allow input from customers, consumers, suppliers, external auditors, regulators, financial analysts, and others, providing management and the board of directors with relevant information.
- Communicates with the Board of Directors—Relevant information resulting from assessments conducted by external parties is communicated to the board of directors.
- Provides Separate Communication Lines—Separate communication channels, such as whistle-blower hotlines, are in place and serve as fail-safe mechanisms to enable anonymous or confidential communication when normal channels are inoperative or ineffective.
- Selects Relevant Method of Communication—The method of communication considers the timing, audience, and nature of the communication and legal, regulatory, and fiduciary requirements and expectations.
Monitoring Activities
16. The organization selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning.
- Considers a Mix of Ongoing and Separate Evaluations—Management includes a balance of ongoing and separate evaluations.
- Considers Rate of Change—Management considers the rate of change in business and business processes when selecting and developing ongoing and separate evaluations.
- Establishes Baseline Understanding—The design and current state of an internal control system are used to establish a baseline for ongoing and separate evaluations.
- Uses Knowledgeable Personnel—Evaluators performing ongoing and separate evaluations have sufficient knowledge to understand what is being evaluated.
- Integrates with Business Processes—Ongoing evaluations are built into the business processes and adjust to changing conditions.
- Adjusts Scope and Frequency—Management varies the scope and frequency of separate evaluations depending on risk.
- Objectively Evaluates—Separate evaluations are performed periodically to provide objective feedback.
17. The organization evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate.
- Assesses Results—Management and the board of directors, as appropriate, assess results of ongoing and separate evaluations.
- Communicates Deficiencies—Deficiencies are communicated to parties responsible for taking corrective action and to senior management and the board of directors, as appropriate.
- Monitors Corrective Actions—Management tracks whether deficiencies are remediated on a timely basis.