Principles of the Internal Control Framework
Role of Principles
Principles are fundamental concepts associated with components. As such, the Framework views the seventeen principles as suitable to all entities. Relevance refers to a determination that each principle has a significant bearing on the presence and functioning of its associated component.
The Framework presumes that principles are relevant. However, there may be a rare industry, operating, or regulatory situation in which management has determined that a principle is not relevant to the associated component. Considerations in applying this judgment may include the entity structure recognizing any legal, regulatory, industry, or contractual requirements for governance of the entity, and the level of use and dependence on technology used by the entity.
If management decides that a principle is not relevant, management must support that determination, including the rationale of how, in the absence of that principle, the associated component could be present and functioning. When a relevant principle is deemed not to be present and functioning, a major deficiency exists in the system of internal control.
In determining whether a component is present and functioning, senior management and the board of directors need to determine to what extent relevant principles are present and functioning. However, a principle being present and functioning does not imply that the organization strives for the highest level of performance in applying that particular principle. Rather, management exercises judgment in balancing the cost and benefit of designing, implementing, and conducting internal control.
Listing of all principles for the integrated framework
Control Environment
The control environment is the set of standards, processes, and structures that provide the basis for carrying out internal control across the organization. The board of directors and senior management establish the tone at the top regarding the importance of internal control and expected standards of conduct.
- The organization demonstrates a commitment to integrity and ethical values.
- The board of directors demonstrates independence from management and exercises oversight of the development and performance of internal control.
- Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives.
- The organization demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives.
- The organization holds individuals accountable for their internal control responsibilities in the pursuit of objectives.
Risk Assessment
Risk assessment involves a dynamic and iterative process for identifying and analyzing risks to achieving the entity’s objectives, forming a basis for determining how risks should be managed. Management considers possible changes in the external environment and within its own business model that may impede its ability to achieve its objectives.
- The organization specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives.
- The organization identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed.
- The organization considers the potential for fraud in assessing risks to the achievement of objectives.
- The organization identifies and assesses changes that could significantly impact the system of internal control.
Control Activities
Control activities are the actions established by policies and procedures to help ensure that management directives to mitigate risks to the achievement of objectives are carried out. Control activities are performed at all levels of the entity and at various stages within business processes, and over the technology environment.
- The organization selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels.
- The organization selects and develops general control activities over technology to support the achievement of objectives.
- The organization deploys control activities through policies that establish what is expected and in procedures that put policies into action.
Information and Communication
Information is necessary for the entity to carry out internal control responsibilities in support of achievement of its objectives. Communication occurs both internally and externally and provides the organization with the information needed to carry out day-to-day controls. Communication enables personnel to understand internal control responsibilities and their importance to the achievement of objectives.
- The organization obtains or generates and uses relevant, quality information to support the functioning of other components of internal control.
- The organization internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of other components of internal control.
- The organization communicates with external parties regarding matters affecting the functioning of other components of internal control.
Monitoring Activities
Ongoing evaluations, separate evaluations, or some combination of the two are used to ascertain whether each of the five components of internal control, including controls to effect the principles within each component, is present and functioning. Findings are evaluated and deficiencies are communicated in a timely manner, with serious matters reported to senior management and to the board.
- The organization selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning.
- The organization evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate.