Communicating relevant information is essential to using controls effectively. Reliable information from both internal and external sources must be identified, documented and shared with those who need it quickly and in a useful format.
The following types of information must be communicated up, down and across an organization:
- Organization's plans
- Control environment
- Risks
- Control activities
- Performance
Sharing information efficiently is a constant challenge. To help improve the process, remember to evaluate the quality of information and communication systems when completing a Business Controls Worksheet for a significant activity or process.
Sources of Information
Information systems produce reports containing valuable operational, financial and compliance-related information. They may be formal or informal:
- Formal information and communication systems, which range from sophisticated computer technology to simple staff meetings, should provide input and feedback data relative to operations, financial reporting and compliance objectives.
- Informal conversations with faculty, students, customers, suppliers, regulators and employees often provide some of the most critical information needed to identify risks and opportunities.
Questions to Ask
Here are some key questions to ask when assessing internal control over a significant activity or process:
- Does our department get the information it needs from internal and external sources in a form and timeframe that is useful?
- Does our department get information that alerts it to internal or external risks (for example, legislative, regulatory and new developments)?
- Does our department get information that measures its performance? Does it get information that tells the department whether it is achieving its operations, financial reporting and compliance objectives?
- Does our department identify, document and communicate the information that others need (such as information used by our customers or other departments) efficiently and in a useful format?
- Does our department provide information to others that alerts them to internal or external risks?
- Does our department communicate effectively internally and externally?