Understanding the COSO Framework, Part V

In our previous article to better understand an entity’s internal control (COSO) framework, we covered Information and Communication. This article will focus on the internal control component of Monitoring Activities, which is the final internal control component of the COSO framework.

In our previous COSO Framework article, we covered Control Activities. This article will focus on the internal control component of Information and Communication, which is the next internal control component of the COSO Framework.

There are three principles related to the Information and Communication component of internal control.

  • The entity obtains or generates and uses relevant, quality information to support the functioning of internal control.
  • The entity internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control.
  • The entity communicates with external parties regarding matters affecting the functioning of internal control.

Previous articles discussed that an Organization needs to specify its overall objectives so that it can identify and assess risks relating to financial reporting objectives, and determine the control activities necessary to mitigate such risks. Thus, the next step is ensuring the entity is using accurate, quality information systems to protect the integrity of the information, as well as communicating policies to employees and customers.

The first step in this process is to ensure the financial reporting system (i.e. hardware, software, people, automated vs. manual procedures, and data) is accurate.  Management needs to have an understanding of how these different processes work, in order to determine what procedures should be implemented to protect the system in the future and continue working to achieve the objectives of the Organization.

What types of transactions are initiated automatically vs. manually?  Who is authorizing and approving transactions and is the level of such approval adequate?  Who has access to recording transactions and who can edit, void, reconcile, etc.?  How easily can the financial reports be generated and how automated is the process?  Does someone ensure the generated reports agree to the source information?  All of these questions affect management’s ability to assess the overall financial health of the Organization and make appropriate decisions, and strong internal control processes are needed to complete this process and aid in the end result of timely, accurate financial statements.

For example, before calculating any estimates in monthly financial statements, controllers should consider meeting with other department heads to discuss the monthly activity and get comfortable with how estimates should be recorded.  Management should consider using industry trends, competitors (when the information is accessible), and the general “feel” of the economy as a benchmark for the Organization’s overall health.  Management should consider meeting with department heads on a regular basis to get comfortable that the hardware/software is meeting the Organization’s needs and providing automated, accurate information.

Next, how should the best practices that management has determined create solid internal controls be communicated to employees?  This communication is also management’s way to convey the ever-important “tone at the top,” so how can such a task be accomplished?  This is easier to accomplish when management makes contact with employees and emphasizes the importance of internal controls and how they benefit the Organization, compliance with laws/regulations, and ethical behavior, while promoting “open-door” communications.  These communications could take place during regular meetings.  Next, job descriptions should be developed that indicate specific responsibilities relating to internal control.  Lastly, during the training process, the appropriate level of management should explain the Organization’s values regarding ethical behavior, internal control objectives, and responsibilities.  Essentially, the more the employees are exposed to positive comments reinforcing the importance of the Organization’s internal controls, compliance with laws/regulations, and ethical behavior, the more likely they are to follow the positive “tone at the top.”

Additionally, in order for the Organization’s overall communication to be effective, employees must constantly communicate with Management as well, as employees are oftentimes the ones on the “front lines” communicating with customers.  For example:

  • If any issues with customers are noted, Management should be notified
  • If employees note changing preferences/needs amongst customers, Management should be notified to continue to offer the proper products and services that meet customer demands
  • If employees become aware of ways to make processes more efficient, Management should be notified

Furthermore, it is important to keep open lines of communication with board members, as well as employees.  The frequency of such communications, as well as the formality with which they are delivered, will vary by Organization, but board members should still be kept abreast of operating/financial performance, new/different risks that have arisen, new business opportunities, etc.

Lastly, although the internal communication within the Organization is imperative, communications with outside parties, including customers, are critical as well.  Customers can provide valuable feedback as to how the Organization is performing and whether demand needs are being met.

In an increasingly technology-based society, such communications, whether internal or external, can take many different forms, depending on the most cost-effective approach that still gets the point across.  For example, some Organizations may deem that oral communications are the most appropriate, particularly if the size of the Organization is smaller.  This type of communication will suffice in those instances, but Management should remember to be cognizant of the tone of voice and body language to properly deliver the message regarding internal control best practices.  Additionally, maybe a written form is still considered the best approach for some Organizations, but that may no longer take the form of a traditional letter.  These communications could occur with email messages, social media postings, text messages, or posting of information on the website/intranet.

With a combination of an accurate and timely financial reporting system to support strong internal controls and consistent communication with employees, customers, and other parties, an Organization will be on its way to achieving this component of the internal control framework.

Future KT newsletters will review the remaining component of internal control and its corresponding COSO Framework Principles. Please contact Traci Hanson, Shelley Goodrich, or Sandra Weaver with specific questions. The Framework can be purchased from COSO’s website at www.coso.org.

Shelley Goodrich

After receiving a Bachelor's degree in Business Administration (emphasis: Accounting) from Black Hills State University and a Master's in Accounting from the University of Wyoming, Shelley joined KTLLP in 2005. Her areas of specialization include governmental and non-profit audit, and she maintains professional and civic involvement with AICPA and SDCPA. She is a Senior Manager in the Audit Dept.