Control environment is the attitude toward internal control and control consciousness established and maintained by the management and the employees of an organization. It is a product of management’s philosophy, style and supportive attitude, as well as the competence, ethical values, integrity, and morale of the organization’s people. The organization structure and accountability relationships are key factors in the control environment.

Principles for the Control Environment
1. Demonstrates commitment to integrity and ethical values
2. Exercises oversight responsibility
3. Establishes structure, authority and responsibility
4. Demonstrates commitment to competence
5. Enforces accountability

2. Communication and Information

Communication is the exchange of useful information between and among people and organizations to support decisions and coordinate activities. Within an organization, information should be communicated to management and other employees who need it in a form and within a time frame that helps them to carry out their responsibilities. Communication also takes place with outside parties such as customers, suppliers and regulators.

Principles for Communication and Information
6. Uses relevant information
7. Communicates internally
8. Communicates externally

3. Risk Assessment

Risks are events that threaten the accomplishment of objectives. They ultimately impact an organization’s ability to accomplish its mission. Risk assessment is the process of identifying, evaluating and determining how to manage these events. At every level within an organization there are both internal and external risks that could prevent the accomplishment of established objectives. Ideally, management should seek to prevent these risks. However, sometimes management cannot prevent the risk from occurring. In such cases, management should decide whether to accept the risk, reduce the risk to acceptable levels, or avoid the risk.
To have reasonable assurance that the organization will achieve its objectives, management should ensure each risk is assessed and handled properly.

Principles for Risk Assessment
9. Specifies suitable objectives
10. Identifies and analyses risk
11. Assesses fraud risk
12. Identifies and analyses significant change

Impact – Is generally beyond the organization’s control in the short-to-medium term.

What are the possible risks in your area of operations and what is the likely impact of each?

How to Deal With Risk

Managing Risk
- Accept the risk: Do not establish control activities
- Prevent or reduce the risk: Establish control activities
- Avoid the risk: Do not carry out the function

Preventing or Reducing Risk
- What is the cause of the risk?
- What is the cost of control vs. the cost of the unfavorable event?
- What is the priority of this risk?

Managing Risk during Change

4. Control Activities

Control activities are tools - both manual and automated - that help prevent or reduce the risks that can impede accomplishment of the organization’s objectives and mission. Management should establish control activities to effectively and efficiently accomplish the organization’s objectives and mission.

Principles for Control Activities
13. Selects and develops control activities
14. Selects and develops general controls over technology
15. Deploys through policies and procedures

5. Monitoring

Monitoring is the review of an organization’s activities and transactions to assess the quality of performance over time and to determine whether controls are effective. Management should focus monitoring efforts on internal control and achievement of organization objectives. For monitoring to be most effective, all employees need to understand the organization’s mission, objectives, and responsibilities and risk tolerance levels.

Principles for Monitoring
16. Conducts ongoing and/or separate evaluations
17. Evaluates and communicates deficiencies

Internal control is all of the policies and procedures management uses to achieve the following goals.

Management Responsibility: Administrative management is responsible for maintaining an adequate system of internal control. Management is responsible for communicating the expectations and duties of staff as part of a control environment. They are also responsible for assuring that the other major areas of an internal control framework are addressed.

Staff Responsibility: Staff and operating personnel are responsible for carrying out the internal control activities set forth by management.

The framework of a good internal control system includes:

Internal control activities are the policies and procedures as well as the daily activities that occur within an internal control system. A good internal control system should include the control activities listed below. These activities generally fall into two types. Click on the links below for information regarding these activities including best practices.

Other Internal Control Best Practices

With a good internal control system in place, other considerations to keep in mind include:

Additional Information

Washington State Office of Financial Management's guide to internal control and auditing