Auditing

Auditing

Information and Communication

Information and communication are essential to effecting control; information about an organization's plans, control environment, risks, control activities, and performance must be communicated up, down, and across an organization. Reliable and relevant information from both internal and external sources must be identified, captured, processed, and communicated to the people who need it - in a form and timeframe that is useful. Information systems produce reports containing operational, financial, and compliance-related information that make it possible to run and control an organization.

Information and communication systems can be formal or informal. Formal information and communication systems - which range from sophisticated computer technology to simple staff meetings - should provide input and feedback data relative to operations, financial reporting, and compliance objectives; such systems are vital to an organization's success. Just the same, informal conversations with customers, suppliers, regulators, and employees often provide some of the most critical information needed to identify risks and opportunities.

When assessing internal control over a significant activity (or process), the key questions to ask about information and communication are as follows:

  • Does our department get the information it needs from internal and external sources - in a form and timeframe that is useful?
  • Does our department get information that alerts it to internal or external risks (e.g., legislative, regulatory, and developments)?
  • Does our department get information which measures its performance - information that tells the department whether it is achieving its operations, financial reporting, and compliance objectives:
    • Does our department identify, capture, process, and communicate the information that others need (e.g., information used by our customers or other departments) in a form and timeframe that is useful?
    • Does our department provide information to others that alerts them to internal or external risks?
    • Does our department communicate effectively - internally and externally?

Information and communication are simple concepts. Nevertheless, communicating with people and getting information to people in a form and timeframe that is useful to them is a constant challenge.

Last Updated: November 17, 2008 (vm).