Committee of Sponsoring Organizations (COSO)
Internal Control Integrated Framework

Information and Communication

Summary

Information is necessary for the entity to carry out internal control responsibilities to support the achievement of its objectives. Management obtains or generates and uses relevant and quality information from both internal and external sources to support the functioning of other components of internal control. Communication is the continual, iterative process of providing, sharing, and obtaining necessary information. Internal communication is the means by which information is disseminated throughout the organization, flowing up, down, and across the entity. It enables personnel to receive a clear message from senior management that control responsibilities must be taken seriously. External communication is twofold: it enables inbound communication of relevant external information and provides information to external parties in response to requirements and expectations.

The Information and Communication component of the Framework supports the functioning of all components of internal control. In combination with the other components, information and communication supports the achievement of the entity’s objectives, including objectives relevant to internal and external reporting. Controls within Information and Communication support the organization’s ability to use the right information within the system of internal control and to carry out internal control responsibilities.

Information is the data that is combined and summarized based on relevance to information requirements. Information requirements are determined by the ongoing functioning of the other internal control components, taking into consideration the expectations of all users, both internal and external. Information systems support informed decision making and the functioning of the other components of internal control by processing relevant, timely, and quality information from internal and external sources.

Communication enables the organization to share relevant and quality information internally and externally. Management communicates information internally to enable personnel to understand the entity’s objectives and the importance of their control responsibilities. Internal communication facilitates the functioning of other components of internal control by sharing information up, down, and across the entity. External communication enables management to obtain and share information between the entity and external parties about risks, regulatory matters, changes in circumstances, customer satisfaction, and other information relevant to the functioning of the other components of internal control.

An information system is the set of activities, involving people, processes, data and/or technology, which enable the organization to obtain, generate, use, and communicate transactions and information to maintain accountability and measure and review the entity’s performance or progress toward achievement of objectives.

The Framework distinguishes this component from the internal reporting category of objectives. Information and Communication is only one component of the Framework. Controls within this component help to provide relevant, quality information to support all components of internal control. On the other hand, reasonable assurance that a specified reporting objective is achieved comes from all five components of internal control being present and functioning, and operating together.

Communication relates to sharing information used in designing, implementing, or conducting internal control, or in assessing its effectiveness. Communication can appear broad at times (e.g., information communicated about external trends or events), but when it is used in the context of the Framework, this communication may enable a user to carry out controls within Risk Assessment.

Principles relating to the Information & Communication component

  1. The organization obtains or generates and uses relevant, quality information to support the functioning of other components of internal control.

  2. The organization internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of other components of internal control. 

  3. The organization communicates with external parties regarding matters affecting the functioning of other components of internal control.

Uses Relevant Information

Principle 13: The organization obtains or generates and uses relevant, quality information to support the functioning of other components of internal control.

Points of Focus

The following points of focus may assist management in determining whether this principle is present and functioning:

  • Identifies Information Requirements—A process is in place to identify the information required and expected to support the functioning of the other components of internal control and the achievement of the entity’s objectives.
  • Captures Internal and External Sources of Data—Information systems capture internal and external sources of data.
  • Processes Relevant Data into Information—Information systems process and transform relevant data into information.
  • Maintains Quality throughout Processing—Information systems produce information that is timely, current, accurate, complete, accessible, protected, and verifiable and retained. Information is reviewed to assess its relevance in supporting the internal control components.
  • Considers Costs and Benefits—The nature, quantity, and precision of information communicated are commensurate with and support the achievement of objectives.

Communicates Internally

Principle 14: The organization internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of other components of internal control.

Points of Focus

The following points of focus may assist management in determining whether this principle is present and functioning:

  • Communicates Internal Control Information—A process is in place to communicate required information to enable all personnel to understand and carry out their internal control responsibilities.
  • Communicates with the Board of Directors—Communication exists between management and the board of directors so that both have information needed to fulfill their roles with respect to the entity’s objectives.
  • Provides Separate Communication Lines—Separate communication channels, such as whistle-blower hotlines, are in place and serve as fail-safe mechanisms to enable anonymous or confidential communication when normal channels are inoperative or ineffective.
  • Selects Relevant Method of Communication—The method of communication considers the timing, audience, and nature of the information.

Communicates Externally

Principle 15: The organization communicates with external parties regarding matters affecting the functioning of other components of internal control.

Points of Focus

The following points of focus may assist management in determining whether this principle is present and functioning:

  • Communicates to External Parties—Processes are in place to communicate relevant and timely information to external parties including shareholders, partners, owners, regulators, customers, and financial analysts and other external parties.
  • Enables Inbound Communications—Open communication channels allow input from customers, consumers, suppliers, external auditors, regulators, financial analysts, and others, providing management and the board of directors with relevant information.
  • Communicates with the Board of Directors—Relevant information resulting from assessments conducted by external parties is communicated to the board of directors.
  • Provides Separate Communication Lines—Separate communication channels, such as whistle-blower hotlines, are in place and serve as fail-safe mechanisms to enable anonymous or confidential communication when normal channels are inoperative or ineffective.
  • Selects Relevant Method of Communication—The method of communication considers the timing, audience, and nature of the communication and legal, regulatory, and fiduciary requirements and expectations.


U.S. Government Accountability Office (GAO)
Standards for Internal Control in the Federal Government

Information and Communication

Overview

Management uses quality information to support the internal control system. Effective information and communication are vital for an entity to achieve its objectives. Entity management needs access to relevant and reliable communication related to internal as well as external events.

Principles

  1. Management should use quality information to achieve the entity’s objectives.

  2. Management should internally communicate the necessary quality information to achieve the entity’s objectives.

  3. Management should externally communicate the necessary quality information to achieve the entity’s objectives.



Principle 13 - Use Quality Information

13.01 Management should use quality information to achieve the entity’s objectives.

Attributes

The following attributes contribute to the design, implementation, and operating effectiveness of this principle:

  • Identification of Information Requirements

  • Relevant Data from Reliable Sources

  • Data Processed into Quality Information

Identification of Information Requirements

13.02 Management designs a process that uses the entity’s objectives and related risks to identify the information requirements needed to achieve the objectives and address the risks. Information requirements consider the expectations of both internal and external users. Management defines the identified information requirements at the relevant level and requisite specificity for appropriate personnel.

13.03 Management identifies information requirements in an iterative and ongoing process that occurs throughout an effective internal control system. As change in the entity and its objectives and risks occurs, management changes information requirements as needed to meet these modified objectives and address these modified risks.

Relevant Data from Reliable Sources

13.04 Management obtains relevant data from reliable internal and external sources in a timely manner based on the identified information requirements. Relevant data have a logical connection with, or bearing upon, the identified information requirements. Reliable internal and external sources provide data that are reasonably free from error and bias and faithfully represent what they purport to represent. Management evaluates both internal and external sources of data for reliability. Sources of data can be operational, financial, or compliance related. Management obtains data on a timely basis so that they can be used for effective monitoring.

Data Processed into Quality Information

13.05 Management processes the obtained data into quality information that supports the internal control system. This involves processing data into information and then evaluating the processed information so that it is quality information. Quality information meets the identified information requirements when relevant data from reliable sources are used. Quality information is appropriate, current, complete, accurate, accessible, and provided on a timely basis. Management considers these characteristics as well as the information processing objectives in evaluating processed information and makes revisions when necessary so that the information is quality information. Management uses the quality information to make informed decisions and evaluate the entity’s performance in achieving key objectives and addressing risks.

13.06 Management processes relevant data from reliable sources into quality information within the entity’s information system. An information system is the people, processes, data, and technology that management organizes to obtain, communicate, or dispose of information.



Principle 14 - Communicate Internally

14.01 Management should internally communicate the necessary quality information to achieve the entity’s objectives.

Attributes

The following attributes contribute to the design, implementation, and operating effectiveness of this principle:

  • Communication throughout the Entity

  • Appropriate Methods of Communication

Communication throughout the Entity

14.02 Management communicates quality information throughout the entity using established reporting lines. Quality information is communicated down, across, up, and around reporting lines to all levels of the entity.

14.03 Management communicates quality information down and across reporting lines to enable personnel to perform key roles in achieving objectives, addressing risks, and supporting the internal control system. In these communications, management assigns the internal control responsibilities for key roles.

14.04 Management receives quality information about the entity’s operational processes that flows up the reporting lines from personnel to help management achieve the entity’s objectives.

14.05 The oversight body receives quality information that flows up the reporting lines from management and personnel. Information relating to internal control communicated to the oversight body includes significant matters about adherence to, changes in, or issues arising from the internal control system. This upward communication is necessary for the effective oversight of internal control.

14.06 Personnel use separate reporting lines to go around upward reporting lines when these lines are compromised. Laws and regulations may require entities to establish separate lines of communication, such as whistleblower and ethics hotlines, for communicating confidential information. Management informs employees of these separate reporting lines, how they operate, how they are to be used, and how the information will remain confidential.

Appropriate Methods of Communication

14.07 Management selects appropriate methods to communicate internally. Management considers a variety of factors in selecting an appropriate method of communication. Some factors to consider follow:

  • Audience - The intended recipients of the communication
  • Nature of information - The purpose and type of information being communicated
  • Availability - Information readily available to the audience when needed
  • Cost - The resources used to communicate the information
  • Legal or regulatory requirements - Requirements in laws and regulations that may impact communication

14.08 Based on consideration of the factors, management selects appropriate methods of communication, such as a written document—in hard copy or electronic format—or a face-to-face meeting. Management periodically evaluates the entity’s methods of communication so that the organization has the appropriate tools to communicate quality information throughout the entity on a timely basis.



Principle 15 - Communicate Externally

15.01 Management should externally communicate the necessary quality information to achieve the entity’s objectives.

Attributes

The following attributes contribute to the design, implementation, and operating effectiveness of this principle:

  • Communication with External Parties

  • Appropriate Methods of Communication

Communication with External Parties

15.02 Management communicates with, and obtains quality information from, external parties using established reporting lines. Open two-way external reporting lines allow for this communication. External parties include suppliers, contractors, service organizations, regulators, external auditors, government entities, and the general public.

15.03 Management communicates quality information externally through reporting lines so that external parties can help the entity achieve its objectives and address related risks. Management includes in these communications information relating to the entity’s events and activities that impact the internal control system.

15.04 Management receives information through reporting lines from external parties. Information communicated to management includes significant matters relating to risks, changes, or issues that impact the entity’s internal control system. This communication is necessary for the effective operation of internal control. Management evaluates external information received against the characteristics of quality information and information processing objectives and takes any necessary actions so that the information is quality information.

15.05 The oversight body receives information through reporting lines from external parties. Information communicated to the oversight body includes significant matters relating to risks, changes, or issues that impact the entity’s internal control system. This communication is necessary for the effective oversight of internal control.

15.06 External parties use separate reporting lines when external reporting lines are compromised. Laws and regulations may require entities to establish separate lines of communication, such as whistleblower and ethics hotlines, for communicating confidential information. Management informs external parties of these separate reporting lines, how they operate, how they are to be used, and how the information will remain confidential.

Appropriate Methods of Communication

15.07 Management selects appropriate methods to communicate externally. Management considers a variety of factors in selecting an appropriate method of communication. Some factors to consider follow:

  • Audience - The intended recipients of the communication
  • Nature of information - The purpose and type of information being communicated
  • Availability - Information readily available to the audience when needed
  • Cost - The resources used to communicate the information
  • Legal or regulatory requirements - Requirements in laws and regulations that may impact communication

15.08 Based on consideration of the factors, management selects appropriate methods of communication, such as a written document—in hard copy or electronic format—or a face-to-face meeting. Management periodically evaluates the entity’s methods of communication so that the organization has the appropriate tools to communicate quality information throughout and outside of the entity on a timely basis.

15.09 Government entities not only report to the head of the government, legislators, and regulators but to the general public as well. In the federal government, entities not only report to the President and Congress but also to the general public. Entities consider appropriate methods when communicating with such a broad audience.