The following points of focus highlight important characteristics relating to this principle:

Communication of information conveyed across the entity include:

The organization establishes and implements policies and procedures that facilitate effective internal communication. This includes specific and directed communication that addresses individual authorities, responsibilities, and standards of conduct across the entity. Senior management communicates the entity's objectives clearly through the organization so that other management and personnel, including non-employees such as contractors, understand their individual roles in the organization. Such communication occurs regardless of where personnel are located, their level of authority, or their functional responsibility. Internal communication begins with the communication of specified objectives. As management cascades the communication of the entity-specific objectives throughout the organization, it is important that the related sub-objectives or specific requirements are communicated to personnel in a manner that allows them to understand how their roles and responsibilities impact the achievement of the entity's objectives.

All personnel also receive a clear message from senior management that their internal control responsibilities must be taken seriously. Through communication of objectives and sub-objectives, personnel understand how their roles, responsibilities, and actions relate to the work of others in the organization; what responsibilities for internal control they have; and what is deemed acceptable and unacceptable behavior. As discussed under Control Environment, by establishing appropriate structures, authorities, and responsibilities, communication to personnel of the expectations for internal control is effected. However, communication about internal control responsibilities may not on its own be sufficient to ensure that management and other personnel embrace their accountability and respond as intended. Often, management must take timely action that is consistent with such communication to reinforce the messages conveyed.

Management selects, develops, and deploys controls that help ensure that information is shared through internal communication and that help management and other personnel carry out control responsibilities across multiple functions, operating units, or divisions. For example:

Communication between management and the board of directors provides the board with information needed to exercise its oversight responsibility for internal control. Information relating to internal control communicated to the board generally includes significant matters about the adherence to, changes in, or issues arising from the system of internal control. The frequency and level of detail of communication between management and the board must be sufficient to enable the board of directors to understand the results of management's separate and ongoing assessments and the impact of those results on the achievement of objectives. Additionally, the frequency and level of detail must be sufficient to enable the board of directors to respond to indications of ineffective internal control in a timely manner.

Direct communication to the board of directors by other personnel is also important. Members of the board of directors should have direct access to employees without interference from management. For example, some organizations encourage board members to meet with management and personnel without senior management present. This allows board members to independently ask questions and assess important matters that employees may not otherwise feel comfortable sharing, such as adherence to the code of conduct, competence of personnel, or potential management override of controls. Additionally, the overall system of internal control is enhanced by the internal audit department that is independent of management. Internal audit communication to the board of directors is generally direct, free from management bias and, where necessary, confidential.

For information to flow up, down, and across the organization, there must be open channels of communication and a clear-cut willingness to report and listen. Management and other personnel must believe their supervisors truly want to know about problems and will deal with them, as necessary. In most cases, normal established reporting lines in an entity are the appropriate channels of communication. However, personnel are quick to pick up on signals if management does not have the time, interest, or resources to deal with problems they have uncovered. Compounding the problem is that an unreceptive or unavailable manager is usually the last to know that the normal communications channel is inoperative or ineffective.

In some circumstances, separate lines of communication are needed to establish a fail-safe mechanism for anonymous or confidential communication when normal channels are inoperative or ineffective. Many entities provide, and make employees aware of, a channel for such communications to be received by the board of directors or a board delegate such as a member of the audit committee. In some cases, laws and regulations require companies to establish such alternative communications channels (e.g., whistle-blower and ethics hotlines). Information systems should include mechanisms for anonymous or confidential reporting. Employees must fully understand how these channels operate, how they should be used, and how they will be protected to have the confidence to use them. Policies and procedures exist requiring all communication through these channels to be assessed, prioritized, and investigated. Escalation procedures ensure that necessary communication will be made to a specific board member who is responsible for ensuring that timely and proper assessments, investigations, and actions are carried out.

These separate mechanisms, which encourage employees to report suspected violations of an entity's code of conduct without fear of reprisal, send a clear message that senior management is committed to open communication channels and will act on information that is reported to them.

Both the clarity of the information and effectiveness with which it is communicated are important to ensuring messages are received as intended. Active forms of communication such as face-to-face meetings are often more effective than passive forms such as broadcast emails and intranet postings. Periodic evaluation of the effectiveness of communication helps to ensure methods are working. This can be done through a variety of existing processes such as employee performance evaluations, annual management reviews, and other feedback programs.

Management selects the method of communication, taking into account the audience, nature of the communication, timeliness, cost, and any legal or regulatory requirements. Communication can take such forms as:

When choosing a method of communication, management considers the following:

Communication of information related to internal control responsibilities alone may not be sufficient to ensure that management and other personnel receive and respond as intended. Consistent and timely actions taken by management with such communication reinforce the messages conveyed.