Organization
A. Supporting the Organization's Objectives
Internal control should be used to support the organization in achieving its objectives by managing its risks, while complying with rules, regulations, and organizational policies. The organization should therefore make internal control part of risk management and integrate both in its overall governance system.
What should the scope of internal control be?
Internal control is often perceived and treated as a compliance requirement, rather than as an enabler of improved organizational performance. Effective internal control can help organizations improve their performance by enabling them to take on additional opportunities and challenges in a more controlled way. Therefore, there needs to be a better understanding of how organizational performance relates to effective risk management and the role and effectiveness of internal control.
B. Determining Roles and Responsibilities
The organization should determine the various roles and responsibilities with respect to internal control, including the governing body, management at all levels, employees, and internal and external assurance providers, as well as coordinate the collaboration among participants.
Who should be responsible for internal control?
Responsibility with respect to internal control should reside with those who have the highest level of authority, instead of being delegated to staff who lack executive powers.
Individuals
C. Fostering a Motivational Culture
The governing body and management should foster an organizational culture that motivates members of the organization to act in line with risk management strategy and policies on internal control set by the governing body to achieve the organization's objectives. The tone and action at the top are critical in this respect.
What other internal control responsibilities/actions should be expected from the governing body and management?
Poor “tone at the top” is a significant factor in organizational failures.
D. Linking to Individual Performance
The governing body and management should link achievement of the organization's internal control objectives to individual performance objectives. Each person within the organization should be held accountable for the achievement of assigned internal control objectives.
How could management’s genuine attention to internal control objectives be obtained?
Recognizing positive performance can have a huge impact on strengthening internal control. In order to get the appropriate attention of executive and line management, as well as of all other employees in an organization, internal control objectives should not only be linked to the organization’s objectives but also to individual performance objectives.
E. Ensuring Sufficient Competency
The governing body, management, and other participants in the organization's governance system should be sufficiently competent to fulfill the internal control responsibilities associated with their roles.
How should those involved in the internal control system live up to their responsibilities?
There is a risk that people with assigned internal control responsibilities might not have sufficient knowledge, experience, skills, or time to adequately fulfill those responsibilities. This can seriously weaken and even jeopardize the effectiveness of the internal control system, which can in turn damage an organization.
Reviews
F. Responding to Risk
Controls should always be designed, implemented, and applied as a response to specific risks and their causes and consequences.
How should internal controls be selected, implemented, and applied?
Often, organizations implement internal controls without adequate assessment of the external and internal environment, as well as their objectives, activities, processes, or systems that are sources of risk.
H. Monitoring and Evaluating
Both individual controls and the internal control system as a whole should be regularly monitored and evaluated. Identification of unacceptably high levels of risk, control failures, or events that are outside the limits for risk taking could be a sign that an individual control or the internal control system is ineffective and needs to be improved.
How should internal control be monitored and evaluated?
The organization should become aware as soon as possible that a problem with either an individual control or the internal control system has occurred, so that further damage can be prevented or contained and the issue rectified. In many cases, however, not enough attention is given to defining what, exactly, should be monitored and evaluated with respect to internal control, how this should be done, and by whom.
Information
G. Communicating Regularly
Management should ensure that regular communication regarding the internal control system, as well as the outcomes, takes place at all levels within the organization to make sure that the internal control principles are fully understood and correctly applied by all.
How can internal control be better ingrained into the DNA of the organization?
In many organizations, the internal control system exists in written instructions and procedures, but these may not be sufficiently adopted or followed in everyday management or actual operations.
I. Providing for Transparency and Accountability
The governing body, together with management, should periodically report to stakeholders the organization's risk profile as well as the structure and factual performance of the organization's internal control system.
How should the organization report on internal control performance?
The various internal and external stakeholders have a justified interest in the existence and performance of the organization’s risk management and internal control system.