Five Components of Internal Control Framework
Internal Control Framework: Control Environment, Risk Assessment, Control Activities, Information & Communication, Monitoring

Control Environment
Description: The foundation for an internal control system. It provides the discipline and structure to help an entity achieve its objectives.
How Can Management Prepare?
Preparations to Consider: Review, and update as necessary, documents such as the current organizational chart, code of ethics, employee handbook, and HR manuals.
Examples: Oversight committees, standards of conduct, organizational charts, and HR manuals.

Risk Assessment
Description: Assesses the risks facing the entity as it seeks to achieve its objectives. This assessment provides the basis for developing appropriate risk responses.
How Can Management Prepare?
Preparations to Consider: Perform an internal risk assessment while considering the entity's risk appetite and the risk for both internal and external fraud.
Examples: Forecasting and strategic planning of risks and risk tolerances, and analysis of deficiencies related to operations, non-financial reporting, financial reporting, and compliance.

Control Activities
Description: The actions management establishes through policies and procedures to achieve objectives and respond to risks in the internal control system, which includes the entity’s information system.
How Can Management Prepare?
Preparations to Consider: Establish effective control activities to accomplish the entity’s goals and objectives, and establish effective ELCs that set standards for the entity’s activity-level controls.
Examples: System application controls, segregation of duties, and physical inventories.

Information & Communication
Description: The quality information management and personnel communicate and use to support the internal control system.
How Can Management Prepare?
Preparations to Consider: Evaluate how ELCs are communicated and disseminated throughout the entity. Update training manuals as needed and ensure annual trainings are held as necessary to communicate expectations to employees.
Examples: Complete and accurate asset populations, whistleblower policies, ethics hotlines, and quarterly newsletters.

Monitoring
Description: Activities management establishes and operates to assess the quality of performance over time and to promptly resolve the findings of audits and other reviews.
How Can Management Prepare?
Preparations to Consider: Define the frequency of management’s review of ELCs.
Examples: Ongoing evaluations of employee performance and timely remediation of both internal feedback (e.g., internal audit reports and audit committee meeting minutes) and external feedback (e.g., general public and regulatory agencies).
