Call Us: US - +1 845 478 5244 | UK - +44 20 7193 7850 | AUS - +61 2 8005 4826

Management’s philosophy and operating style

Control Environment

The control environment is established on the basis of the attitude of management toward internal control. It is the basis for all other elements of the system of internal control. AICPA Statement on Auditing Standards No. 78 states that the control environment “sets the tone of an organization, influencing the control consciousness of its people. It is the foundation for all other components of internal control, providing discipline and structure.” As such, a management philosophy that is dedicated to establishing a sound business process and operating controls would tend to create a stronger internal control environment than a philosophy that is unaware of or unconcerned with internal controls.

The collective effort of various factors affects the control environment, including the following:

  • Integrity and ethical values
  • Commitment to competence
  • Governing board or audit committee participation
  • Management’s philosophy and operating style
  • Organizational structure
  • Assignment of authority and responsibility
  • Human resource policies and practices

The substance of internal controls is more important than the form because of the risk that controls may not be effectively implemented or maintained.

Risk Assessment

Risk assessment is the entity’s identification and analysis of risks relevant to the achievement of its objectives and forms a basis for determining how the risks should be managed. Risks can arise or change as a result of the following factors:

  • Changes in operating environment
  • New personnel
  • New or revamped information systems
  • Rapid growth
  • New technology
  • New grant programs, building projects, or other activities
  • Organizational restructuring
  • Accounting pronouncements
  • Federal regulations
  • Finance-related statutes

Given the dynamic nature of governmental operating environments, the ability to anticipate and mitigate risks from these changes is a key factor in measuring the strength of internal controls. To the extent that the design of controls for new operations is an important aspect of planning efforts, an entity’s level of internal control may be enhanced.

Control Activities

Control activities are the policies and procedures that help ensure that management directives are carried out. Control activities can be divided into four categories:

  • Performance reviews
  • Information processing
  • Physical controls
  • Segregation of duties

The application of controls, such as the segregation of duties, is affected to some degree by the size of the organization. In small entities, procedures will be less formal than in large entities. Additionally, certain types of control activities may not be relevant in small entities.

Information and Communication

Information and communication represent the identification, capture, and exchange of information in a form and time frame that enable people to carry out their responsibilities. Information systems encompass procedures and documents that do the following:

  • Identify and record all valid transactions
  • Describe, on a timely basis, transactions in sufficient detail to permit proper classification for financial reporting
  • Measure the value of transactions in a manner that permits their proper recording in the financial statements
  • Permit the recording of transactions in the proper accounting period
  • Present properly the transactions and related disclosures in the financial statements

Senior management should deliver a clear message to employees about their responsibilities and role in the internal control system. Employees should also have a means for communicating the effectiveness and efficiency of these systems to upper levels of management.


Monitoring is a process that assesses the quality of internal control performance over time. Ongoing monitoring activities include regular management and supervisory activities and other actions taken during the normal performance of management’s responsibilities. Further, periodic reviews of internal controls and related activities, performed with internal personnel or external resources, may be undertaken. The nature and timing of these evaluations depend on the effectiveness of ongoing activities and the risk that internal controls are not performing as intended by management. Deficiencies in the system of internal controls should be reported to the appropriate level of management.