Thursday, May 7, 2015

Internal Control: Components and Principles

In Software Development Companies, the Internal Control Framework sets out principles representing the fundamental concepts associated with each component. Because these principles are drawn directly from the components, an entity can achieve effective internal control by applying all principles. All principles apply to operations, reporting, and compliance objectives. The principles supporting the components of internal control are listed below.


Internal Environment is the set of standards, processes and structures that provide the basis for carrying out internal control across the Organization. It includes establishing the tone at the top regarding the importance of internal control and expected standards of conduct. It is the foundation for all other components of internal control.

The principles supporting the Internal Environment component are:

1. Board Oversight: An executive board structure exists that demonstrates independence from management and exercises oversight for the development and performance of internal control.

2. Integrity and Ethical Values: Standards of ethical behavior exist and processes are in place to encourage staff to fulfil their duties with integrity.

3. Structure, Authorities and Responsibilities: An organizational structure, including reporting relationships and assignment of responsibility and delegation of authorities, is defined and clearly communicated, and the related policies are established in support of the Organization’s objectives.

4. Human Resources Policies and Practices: Policies and procedures are in place to attract, develop and retain talent in support of the Organization’s objectives, including policies and practices for managing performance.

5. Accountability: Policies and procedures are in place to hold individuals accountable for their internal control responsibilities, including delegation of authority. 

6. Strategic Direction: The strategic direction and priorities of the Organization are established and form the basis for assessing risks and operational effectiveness.

Risk Assessment involves a process for the identification and analysis of relevant risks to the achievement of objectives, with consideration of established risk tolerances. Risk assessment forms the basis for determining how risks will be managed.

The principles supporting the Risk Assessment component are:

7. Specifying Objectives: Objectives are specified with sufficient clarity to enable the identification and assessment of risks relating to objectives.   

8. Risk Identification: Risks to the achievement of objectives across the Organization are identified and analyzed as a basis for determining how they should be managed, whether to accept, avoid, reduce, or share the risk.   

9. Risk Assessment: The risks to the achievement of the Organization’s objectives are assessed, including the potential for fraud or other misconduct or breach of rules.

10. Risk Response: Once the potential significance of the risk has been assessed, management considers how the risk should be managed.

Control Activities are the actions established through policies and procedures to help ensure that management’s directives to manage risks and achieve objectives are carried out. They are performed at all levels of the Organization, at various stages in the business processes, including using information technology to conduct operations.

The principles supporting the Control Activities component are:

11. Selection and Development of Control Activities: Control activities that contribute to the management of risks to acceptable levels are selected and developed taking into consideration the operational environment.

12. General Control Activities over Technology: General control activities using information technology are selected, developed or assessed to support the achievement of the Organization’s objectives.

13. Policies and Procedures: Control activities include the development and use of policies that establish what is expected or required, and procedures that put the policies into action. They are built into business processes and day-to-day activities. Compliance and the consequences of non-compliance are also contained within each policy and/or procedure.

Information and Communication involves the identification, capture or generation, and use of relevant and quality information from both internal and external sources to support the functioning of the other components of internal control. It also involves the communication of necessary information in a form and timeframe that enables management and staff to carry out their responsibilities.

The principles supporting the Information and Communication component are:

14. Information and Reporting: Relevant and quality information is obtained or generated to support the functioning of internal controls, decision making and oversight.   

15. Internal Communication: An efficient and effective system of internal communication exists to ensure that individual staff members have the information they require to carry out their duties, and to support the functioning of internal control.  

16. External Communication: An efficient and effective system of external communication exists to ensure that 1) necessary externally-sourced information is received; and 2) external stakeholders, such as contributors, NGOs, Member States, governing bodies, donors and technical partners, are provided with necessary relevant and quality information in response to requirements and expectations.

Monitoring involves assessing whether each of the five components of internal control is present and functioning. This is accomplished through on-going monitoring activities, separate reviews or a combination of the two.

The principles supporting the Monitoring component are:  

17. On-going or Separate Monitoring: On-going and/or separate reviews are selected, developed and performed to ascertain that each of the components of internal control that are built into the business process is functioning effectively.

18. Reporting Internal Control Deficiencies: Deficiencies in the operation of internal control are systematically evaluated and reported to those parties responsible for taking corrective action.  Appropriate corrective action is taken in a timely manner to address the reported deficiencies.

The  principles of internal control and examples of how they may be implemented and applied to management and staff within the Software Development Companies.
