Information & Communication Component of Internal Control

Written By Parker Skaats

After exploring the control environment, risk assessment, and control activities in previous posts, we now focus on another crucial component of internal control—control activities. This post is the third in our series of five, providing a comprehensive overview of the five components of internal control as specified in the Green Book.

Information & Communication

Understanding Information & Communication

The Information & Communication component says that stakeholders need to be kept up to date with relevant and timely information on what is happening within the organization. The lack of quality information for decision-making can be a challenge for many government entities. Stakeholders need to be evaluate whether the organization is being successful. This says to the organization, what information and who needs to know it.

The Three Principles of Information & Communication

Principle #13: Management should use quality information to achieve the entity’s objectives.

  • Management designs a process that uses the entity’s objectives and related risks to identify the information requirements needed to achieve the objectives and address the risks. Information requirements consider the expectations of both internal and external users.

  • Management obtains relevant data from reliable internal and external sources in a timely manner based on the identified information requirements. Reliable internal and external sources provide data that are reasonably free from error and bias and faithfully represent what they purport to represent. Management evaluates both internal and external sources of data for reliability.

  • Management processes the obtained data into quality information that supports the internal control system. This involves processing data into information and then evaluating the processed information so that it is quality information

Principle #14: Management should internally communicate the necessary quality information to achieve the entity’s objectives.

  • Management communicates quality information throughout the entity using established reporting lines. Quality information is communicated down, across, up, and around reporting lines to all levels of the entity.

  • Management selects appropriate methods to communicate internally. Management considers a variety of factors in selecting an appropriate method of communication. Some factors to consider follow:

    • Audience - The intended recipients of the communication

    • Nature of information - The purpose and type of information being communicated

    • Availability - Information readily available to the audience when needed

    • Cost - The resources used to communicate the information

    • Legal or regulatory requirements - Requirements in laws and regulations that may impact communication

Principle #15: Management should externally communicate the necessary quality information to achieve the entity’s objectives.

  • Management communicates with, and obtains quality information from, external parties using established reporting lines. Open two-way external reporting lines allow for this communication. External parties include suppliers, contractors, service organizations, regulators, external auditors, government entities, and the general public.

  • Management selects appropriate methods to communicate externally. Management considers the same factors in selecting an appropriate method of communication as in Principle #14.

Evaluating Information & Communication During Performance Audits

Auditors begin by examining how management identifies the information requirements necessary to achieve the entity’s objectives and address its risks. This involves assessing whether the information used by the organization is relevant to its decision-making processes and if it adequately addresses the needs of both internal and external stakeholders. Auditors review the processes by which management obtains, processes, and evaluates data to ensure it is free from error and bias, and truly represents the intended information. This includes evaluating the sources of data—both internal and external—to determine their reliability and the adequacy of the systems in place to convert this data into high-quality information.

The effectiveness of internal communication strategies is also a critical area of focus. Auditors assess how information is communicated within the organization—whether it flows freely up, down, and across different levels and departments. The aim is to verify that all operational levels of the entity have timely access to relevant information necessary to perform their duties effectively. Auditors consider the methods used to disseminate information, evaluating whether they are appropriate given the nature of the information, the intended audience, and the organizational structure. Factors such as the cost of communication methods, their accessibility, and compliance with legal and regulatory requirements are also reviewed to ensure that the communication strategies are effective and efficient.

External communication processes are scrutinized to understand how the entity interacts with external parties such as suppliers, regulators, external auditors, and the general public. Auditors evaluate the effectiveness of these communication channels to ensure that they support two-way communication, allowing the entity not only to disseminate but also to receive important information from external sources. This includes assessing the appropriateness of the communication methods used, based on similar criteria used for internal communications, and examining how these methods facilitate timely and accurate information exchange that supports the entity’s strategic and operational objectives.

Conclusion

The effective management of the Information & Communication component is vital for the success of any organization. Through the rigorous evaluation of how information is obtained, processed, and communicated—both internally and externally—auditors play a critical role in ensuring that all stakeholders have access to accurate and relevant information. This comprehensive approach not only enhances decision-making but also reinforces the transparency and accountability of government operations. As we continue to explore the various components of internal control in our series, the interconnectedness of these elements in building a robust governance framework becomes increasingly apparent, highlighting the importance of maintaining a strong Information & Communication system within the broader internal control structure.

Parker Skaats
Previous

Monitoring Activities
Next

Evaluating Control Activities During Performance Audits