Principle 13: Uses Relevant Information
The organization obtains or produces and uses relevant, qualified information to support the functioning of internal control.
The information is necessary for the organization to fulfill its internal control responsibilities in a manner that supports achieving its objectives. Management obtains, produces, and uses relevant and qualified information from internal and external sources to help other internal control components perform their functions. Communication is a continuous and iterative process of providing, sharing, and obtaining necessary information.
Inside communication is how information is distributed from bottom to top, top to bottom, and crosswise throughout the organization. This type of communication ensures that staff receive a clear message from senior management that their control responsibilities must be taken seriously. External Communication, on the other hand, is two-sided, enables the relevant external information to flow inward, and provides information to external parties to meet their requests and information.
Focus Points
The following focal points highlight essential features of this principle:
Defines Information Requirements
Information regarding the organization’s objectives is obtained from the board and senior management activities and summarized so that management and others can understand the organization’s goals and their roles in achieving them. For management to obtain relevant information, it must define information requirements at the relevant level and with the required concreteness. Defining information requirements is an iterative and continuous process as long as an effective internal control system operates.
Management develops and implements controls to identify relevant information supporting components’ operation. The following examples illustrate how information supporting other internal control components is identified and defined.
Internal Control Components | Example of Information Used |
Control Environment | Management conducts an organization-wide staff survey yearly to collect information on individual staff behavior relative to the organization’s code of conduct. The survey is part of the process that produces the data that supports the Control Environment component. It can also provide input on selecting, developing, implementing, or maintaining control actions. |
Risk assessment | As a result of changes in customer demands, an organization changes its product mix and delivery mechanisms. The increase in online sales has led to a significant increase in credit card transactions. To assess the risk of non-compliance with security and privacy regulations associated with credit card information, management collects information on the number of transactions in the last financial year, their total value, and the type of data stored. It evaluates their significance during the risk analysis. |
Control Actions | Some devices used in high-volume production environments break down when operated for longer than a specific period. To maximize device life, management obtains and reviews daily operating records and compares them to values established by senior management. This information supports control actions regarding mitigation procedures that should be applied when maximum operating levels are exceeded. |
Monitoring Actions | A sizeable electric company collects, processes, and reports accident and injury records associated with its power generation business. Comparing this information to employee health insurance claims reveals deviations from anticipated expectations. This may indicate that control actions to identify, process, report, investigate, and resolve accident and injury incidents may not work as intended. |
Obtains Internal and External Data Sources
Information is obtained from a wide variety of sources and formats. Examples of internal and external data sources from which management can generate helpful information regarding internal controls are summarized below.
Intra-Organizational Data Source Examples | Intra-Organizational Data Examples |
E-mail messagesInspection of process at the production site minutes or notes of Operations Committee meetingsEmployee time reporting systems reports obtained from production systems responses to customer surveysDirect reporting line | Organizational changes On-time and quality production experience Measures taken in response to energy consumption measurements Hours spent on time-based projects Number of units shipped within a month Factors affecting customer churn rates Complaints regarding manager’s behavior |
Non-Organizational Data Source Examples | Non-Organizational Data Examples |
Data from external service providersSectoral research reports reports from similar companies in the industry regulatory authoritiesSocial media and other blog post trade fairsDirect tip line. | Products shipped by contract manufacturers Competitor Product InformationMarket and industry measurements new or expanded requirementsOpinions about the organization Customers changing preferencesAlleged misuse of funds, bribery |
Management evaluates in detail potential events, actions, and data sources, both internal to the organization and from reliable external sources, and selects the most appropriate and valuable in terms of the current organizational structure, business model, or objectives.
Processes Relevant Data and Converts it into Information
Organizations develop information systems to source, capture, and transform large amounts of data from internal and external sources into meaningful and actionable data to meet predetermined information needs. Information systems support business processes managed within the organization. It includes people, processes backed by data and technology, and relationships with external service providers and other parties interacting with the organization.
Enterprise Resource Planning (ERP) systems, enterprise management systems (AMS), intra-enterprise networks, collaboration tools, interactive social media tools, data warehouses, business intelligence systems, operating systems (e.g., factory automation and energy usage systems), web-based applications and other technology solutions provide management with opportunities to use technology as a lever in the development and implementation of effective and efficient information systems.
Preserves Quality Throughout Information Processing
Protecting the quality of information is essential for an effective internal control system, especially considering today’s data volume and the dependence on advanced and automated information systems. The ability to produce quality information starts with data sources. Inaccurate or incomplete data, or information derived from data of this nature, could lead to erroneous judgments, estimates, or other management decisions.
The quality of the information depends on whether the data in question has the following attributes:
- accessible
- TRUE
- Current
- (Confidentiality) Protected
- stored
- Sufficient
- On-time
- Valid
- Verifiable
- Considers Costs and Benefits
Striking the right balance between benefit and cost and information systems to obtain and manage information is critical in establishing an information system that meets the organization’s needs.
Resources for Internal Control Article
- International Internal Auditing Standards, International Institute of Internal Auditors
- Dr. Davut Pehlivanlı, Current Internal Audit Practices, Beta 2010
- Prof. Dr. Nejat Bozkurt, Accounting Audit, Alfa 1998
- Prof.Dr.Nejat Bozkurt, TÜRMOB Independent Audit Training Lecture Notes, 2012
- Dr.Özgür Çatıkkaş, KGK, Marmara University. Corporate Governance Lecture Notes, 2013
- İSMMMO-Practical Information for Internal Audit in SMEs, 2013
- Turkish Internal Audit Institute, www.tide.org.tr
- Alp Buluch, Article, Internal Control, Hurses, 19 March 2013
- Turkish Commercial Code No. 6102
- International Internal Auditing Standards, www.theiia.org
- www.coso.orgTreadway Commission Supporting Institutions Committee, Internal Control-Integrated Framework, 2013
- Public Financial Management and Control Law
Bu gönderi şu adreste de mevcuttur: Türkçe