The Role of Information and Communication in Internal Control

Information and Communication is one of the five components of the COSO Internal Control-Integrated Framework, a model companies use to design and evaluate their control systems. Its purpose is to provide the organization with the information needed to carry out control responsibilities, which supports decision-making and clarifies roles.

The scope of this component extends beyond information technology systems, encompassing how relevant and quality information is identified, captured, and distributed. This includes data from both internal and external sources. The framework guides how this information is shared to ensure personnel understand their role in the control system.

The Role of Information in Internal Control

Effective internal control depends on processing relevant, high-quality information. The COSO framework states that an organization must obtain or generate and use such information to support the functioning of its controls. The utility of this information is determined by several attributes that ensure it is appropriate for decision-making.

For information to be considered high-quality, it must be:

• Relevant, meaning it directly pertains to the control objectives being addressed.
• Timely, allowing for prompt action.
• Accurate, so it can be relied upon.
• Complete, providing a full picture of the area being monitored.
• Accessible to those who need it to perform their duties.

Organizations use a mix of internal and external information sources. Internal information is generated from within the business and includes operational reports, financial statements, and employee feedback. For example, daily production variance reports help management oversee operational objectives by identifying inefficiencies.

External information originates from outside the organization, including market analysis, updates on new laws, and customer feedback. A change in federal environmental regulations is external information that impacts a company’s compliance objectives, requiring process adjustments to avoid penalties. This data helps the organization manage risks from its operating environment.

The Role of Communication in Internal Control

Communication is the ongoing process through which information is shared, provided, and obtained. It ensures that quality information is disseminated effectively to support all aspects of the internal control system. This is a structured flow designed to clearly convey responsibilities, results, and expectations.

Downward communication flows from senior management to staff and is the primary channel for disseminating policies, procedure manuals, and strategic objectives. For instance, management may issue a new travel and expense policy that is communicated to all employees.

Upward communication travels from staff to management, providing feedback on performance, control deficiencies, and operational problems. An employee reporting suspected fraud through a formal channel is an example of upward communication that allows management to investigate and take corrective action.

Horizontal communication occurs between departments at the same level. For example, the sales department must communicate its forecasts to the production department to ensure inventory levels are aligned with anticipated demand. Communication also extends to external parties, such as providing financial reports to shareholders and responding to inquiries from regulators.

Documenting and Assessing Information and Communication Systems

Formalizing and evaluating information and communication processes are necessary steps to ensure they are functioning as intended. Documentation provides tangible evidence of how the system is designed to operate, while assessment involves testing its actual effectiveness.

Documentation involves creating and maintaining the records that define the system. This includes:

• Detailed policy and procedure manuals that outline expected conduct and control activities.
• Process narratives and flowcharts developed to describe the flow of information.
• Organizational charts used to define formal reporting lines.
• Specific communication protocols for handling events like a data breach.

The assessment of information and communication systems uses various methods to test their effectiveness. Management regularly reviews key reports to verify their accuracy and timeliness. The internal audit function performs tests, such as walkthroughs, to confirm that information is processed and communicated correctly. Employee surveys can be used to gauge the clarity of internal communications, while monitoring whistleblower hotlines provides insight into the upward flow of sensitive information.