COSO (Committee of Sponsoring Organizations of the Treadway Commission)
Principle 13: The organization obtains or generates and uses relevant, quality information to support the functioning of internal control.
The following points of focus highlight important characteristics relating to this principle:
- Identifies Information Requirements—A process is in place to identify the information required and expected to support the functioning of the other components of internal control and the achievement of the entity's objectives.
- Captures Internal and External Sources of Data—Information systems capture internal and external sources of data.
- Processes Relevant Data into Information—Information systems process and transform relevant data into information.
- Maintains Quality throughout Processing—Information systems produce information that is timely, current, accurate, complete, accessible, protected, verifiable, and retained. Information is reviewed to assess its relevance in supporting the internal control components.
- Considers Costs and Benefits—The nature, quantity, and precision of information communicated are commensurate with and support the achievement of objectives.
Information is necessary for the organization to carry out its internal control responsibilities to support the achievement of objectives. Information about the entity's objectives is gathered from board and senior management activities and summarized in a way that management and others can understand objectives and their role in their achievement.
For example, a wholesale distributor found that its managers did not have a solid understanding of the key objectives for the organization. The business plan was detailed and difficult to concisely communicate. The board of directors worked with senior management to summarize the entity's key objectives into a clear narrative document that accompanied internally distributed financial statements. In addition, the board provided a balanced scorecard that mapped these goals to metrics and actual results, both non-financial and financial, on a monthly basis. Feedback from a subsequent employee survey indicated that management and other personnel better understood the organization's objectives.
Obtaining relevant information requires management to identify and define information requirements at the relevant level and requisite specificity. Identifying information requirements is an iterative and ongoing process that occurs throughout the performance of an effective internal control system.
Management develops and implements controls relating to the identification of relevant information that supports the functioning of components. The following examples illustrate how information in support of the functioning of other internal control components is identified and defined.
Internal Control Component | Example of Information Used |
---|---|
Control Environment | Management performs an annual entity-wide survey of its employees to gather information about their personal conduct in relation to the entity's code of conduct. The survey is part of a process that produces information to support the Control Environment component and may also provide input into the selection, development, implementation, or maintenance of control activities. |
Risk Assessment | As a result of changes in customer demands, an entity changes its product mix and delivery mechanisms. Expanded on-line sales have caused credit card transactions to increase significantly. To assess the risk of non-compliance with security and privacy regulations associated with credit card information, management gathers information about the number of transactions, overall value, and nature of data retained for the last fiscal year and evaluates its significance in conducting its risk analysis. |
Control Activities | Certain equipment used in a high-volume production environment deteriorates if it operates longer than a specified time period. To maximize equipment lifespan, management obtains and reviews the daily up-time logs and compares them to ranges set by senior management. The information supports control activities that address mitigation procedures required when maximum up-time levels are exceeded. |
Monitoring Activities | A large utility company gathers, processes, and reports accident and injury records related to the power generation operating unit. Comparing this information with trends in workers’ compensation health insurance claims identifies variations from established expectations. This may indicate that control activities over the identification, processing, reporting, investigation, and resolution of accident and injury events may not be functioning as intended. |
Controls embedded within the five components establish information requirements. These requirements facilitate and direct management and other personnel to identify relevant and reliable sources of information and underlying data. The amount of information and underlying data available to management may be more than is needed because of increased sources of information and advances in data collection, processing, and storage. In other cases, data may be difficult to obtain at the relevant level or requisite specificity. Therefore, a clear understanding of the information requirements directs management and other personnel to identify relevant and reliable sources of information and data.
Achieving the right balance between the benefits and the costs to obtain and manage information, and the information systems, is a key consideration in establishing an information system that meets the entity's needs.
Information is received from a variety of sources and in a variety of forms. The following table summarizes examples of internal and external data and sources from which management can generate useful information relevant to internal controls.
Examples of Internal Sources of Data | Examples of Internal Data |
---|---|
(rows not present in this copy of the document) | |

Examples of External Sources of Data | Examples of External Data |
---|---|
(rows not present in this copy of the document) | |
Management considers a comprehensive scope of potential events, activities, and data sources, available internally and from reliable external sources, and selects the most relevant and useful to the current organizational structure, business model, or objectives. As change in the entity occurs, the information requirements also change. For example, entities operating in a highly dynamic business and economic environment experience continual changes such as highly innovative and quick-moving competitors, shifting customer expectations, evolving regulatory requirements, globalization, and technology innovation. Therefore, management re-evaluates information requirements and adjusts to meet its ongoing needs.
Organizations develop information systems to source, capture, and process large volumes of data from internal and external sources into meaningful, actionable information to meet defined information requirements. Information systems encompass a combination of people, processes, data, and technology that support business processes managed internally as well as those that are supported through relationships with outsourced service providers and other parties interacting with the entity.
Information may be obtained through a variety of forms including manual input or compilation, or through the use of information technology such as electronic data interchange (EDI) or application programming interfaces (API). Conversations with customers, suppliers, regulators, and employees are also sources of critical data and information needed to identify and assess both risks and opportunities. In some instances, information and underlying data captured requires a series of manual and automated processes to ensure it is at the relevant level and requisite specificity. In other cases, information may be obtained directly from an internal or external source. Management develops and implements control activities over the integrity of data input into information systems and over the completeness and accuracy of processing such data into information used by other controls.
The volume of information accessible to the organization presents both opportunities and risks. Greater access to information can enhance internal control. On the other hand, increased volume of information and underlying data may create additional risks such as operational risks caused by inefficiency due to data overload, compliance risks associated with laws and regulations around data protection and retention, and privacy and security risks arising from the nature of data stored by or on behalf of the entity.
The nature and extent of information requirements, the complexity and volume of information, and the dependence on external parties together determine how sophisticated the information systems need to be, including the extent of technology deployed. Regardless of the level of sophistication adopted, information systems represent the end-to-end processing of transactions and data that enables the entity to collect, store, and summarize quality, consistent information across the relevant processes, whether manual, automated, or a combination of both.
Information systems developed with integrated, technology-enabled processes provide opportunities to enhance the efficiency, speed, and accessibility of information to users. Additionally, such information systems may enhance internal control over security and privacy risks associated with information obtained and generated by the organization. Information systems designed and implemented to restrict access to information only to those who need it and to reduce the number of access points enhance the effectiveness of mitigating risks associated with the security and privacy of information.
Enterprise resource planning (ERP) systems, association management systems (AMS), corporate intranets, collaboration tools, interactive social media, data warehouses, business intelligence systems, operational systems (e.g., factory automation and energy-usage systems), web-based applications, and other technology solutions present opportunities for management to leverage technology in developing and implementing effective and efficient information systems.
Maintaining quality of information is necessary to an effective internal control system, particularly with today's volume of data and dependence on sophisticated, automated information systems. The ability to generate quality information begins with the data sourced. Inaccurate or incomplete data, and the information derived from such data, could result in potentially erroneous judgments, estimates, or other management decisions.
The quality of information depends on whether it is:
- Accessible—The information is easy to obtain by those who need it. Users know what information is available and where in the information system the information is accessible.
- Correct—The underlying data is accurate and complete. Information systems include validation checks that address accuracy and completeness, including necessary exception resolution procedures.
- Current—The data gathered is from current sources and is gathered at the frequency needed.
- Protected—Access to sensitive information is restricted to authorized personnel. Data categorization (e.g., confidential and top secret) supports information protection.
- Retained—Information is available over an extended period of time to support inquiries and inspections by external parties.
- Sufficient—There is enough information at the right level of detail relevant to information requirements. Extraneous data is eliminated to avoid inefficiency, misuse, or misinterpretation.
- Timely—The information is available from the information system when needed. Timely information helps with the early identification of events, trends, and issues.
- Valid—Information is obtained from authorized sources, gathered according to prescribed procedures, and represents events that actually occurred.
- Verifiable—Information is supported by evidence from the source.
Management establishes information management policies with clear responsibility and accountability for the quality of the information. These policies address data governance expectations that guide processes to define categories or classes of data and assign requirements for physical handling, storage, security, and privacy. These policies support management and other personnel's responsibilities for protecting data and information from unauthorized access or change and for adhering to retention requirements.
For example, in one case senior management of a decentralized, geographically dispersed government agency identified a risk specific to achieving an operational objective: the quality of operational data collected from its 2,000 field units. Management developed a set of specified data requirements and a reporting format to be used by all field units. Senior management consistently performed monthly reviews of key metrics derived from the data across all units. Those units with the best and poorest performance were required to explain the source of their data to an internal audit team. In addition, agency management used the reports of unit operational data and metrics on field visits and began asking questions to assess each unit's understanding of the data on the reports. After six months of this system of reporting, monthly reviews, field visits, and related feedback shared throughout the process, the quality of information improved to a level acceptable to management. To maintain this level, management implemented amended policies and processes for reporting the operational data, along with business intelligence technology to enable consistent, timely reporting of the information.
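The quality attributes listed above and the field-unit reporting case describe checks in governance terms. As an added example, not part of the COSO text and not any agency's actual system, the following Python shows how an ingestion gate could enforce several of those attributes on incoming unit reports: completeness (required fields present), accuracy (value checks), currency (timestamp age), validity (an authorized-source registry) and verifiability (an HMAC computed by the reporting unit), with failing records routed to an exceptions list for resolution rather than silently dropped. The record layout, unit registry, signing keys and sample records are all constructed assumptions for illustration.

```python
"""Added example (not from COSO or any agency): an ingestion-quality gate for
field-unit reports. Each incoming record is checked against the quality
attributes (complete, accurate, current, valid, verifiable); records that fail
go to an exceptions list for resolution instead of being silently dropped.
The record layout, unit registry and HMAC keying are assumptions."""
import hashlib
import hmac
import json
from datetime import datetime, timedelta, timezone

REQUIRED_FIELDS = ("unit_id", "period", "reported_at", "cases_opened", "cases_closed")

# Assumed registry of authorized reporting units and their signing keys.
# In a real deployment the keys come from a secrets store, never from source code.
UNIT_KEYS = {"unit-0001": b"k1-secret", "unit-0002": b"k2-secret"}


def canonical(record):
    """Canonical JSON of every field except the signature, so the HMAC is reproducible."""
    body = {k: v for k, v in record.items() if k != "sig"}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign_record(record, key):
    """Attach the source's evidence: an HMAC-SHA256 over the canonical record."""
    signed = dict(record)
    signed["sig"] = hmac.new(key, canonical(record), hashlib.sha256).hexdigest()
    return signed


def check_record(record, now, max_age):
    """Return the list of exception codes for one record; an empty list means it passes."""
    problems = []
    missing = [f for f in REQUIRED_FIELDS if f not in record]
    if missing:  # Complete: nothing else can be judged without the required fields
        return ["incomplete:" + ",".join(missing)]

    key = UNIT_KEYS.get(record["unit_id"])
    if key is None:  # Valid: only authorized sources are accepted
        problems.append("unauthorized_source")
    else:  # Verifiable: the record must carry evidence that checks out against the source's key
        expected = hmac.new(key, canonical(record), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(str(record.get("sig", "")), expected):
            problems.append("bad_signature")

    for field in ("cases_opened", "cases_closed"):  # Accurate: counts are non-negative integers
        value = record[field]
        if isinstance(value, bool) or not isinstance(value, int) or value < 0:
            problems.append("invalid_value:" + field)

    try:  # Current and timely: timezone-aware timestamp, not in the future, not older than max_age
        ts = datetime.fromisoformat(record["reported_at"])
    except (TypeError, ValueError):
        problems.append("bad_timestamp")
    else:
        if ts.tzinfo is None:
            problems.append("timestamp_without_timezone")
        elif ts > now:
            problems.append("future_timestamp")
        elif now - ts > max_age:
            problems.append("stale")
    return problems


def validate_batch(records, now, max_age=timedelta(days=35)):
    """Split a batch into accepted records and exceptions awaiting resolution."""
    accepted, exceptions = [], []
    for record in records:
        problems = check_record(record, now, max_age)
        if problems:
            exceptions.append({"unit_id": record.get("unit_id"), "problems": problems})
        else:
            accepted.append(record)
    return accepted, exceptions


# Constructed sample batch: one good record and four that each fail one attribute.
NOW = datetime(2014, 11, 9, 22, 46, tzinfo=timezone.utc)
GOOD = sign_record({"unit_id": "unit-0001", "period": "2014-10", "reported_at": "2014-11-03T09:15:00+00:00",
                    "cases_opened": 42, "cases_closed": 39}, UNIT_KEYS["unit-0001"])
TAMPERED = dict(GOOD, cases_closed=45)  # edited after signing, so the evidence no longer matches
STALE = sign_record({"unit_id": "unit-0002", "period": "2014-07", "reported_at": "2014-08-01T08:00:00+00:00",
                     "cases_opened": 10, "cases_closed": 8}, UNIT_KEYS["unit-0002"])
UNKNOWN = {"unit_id": "unit-9999", "period": "2014-10", "reported_at": "2014-11-04T10:00:00+00:00",
           "cases_opened": 5, "cases_closed": 5, "sig": "not-a-real-signature"}
INCOMPLETE = {"unit_id": "unit-0002", "period": "2014-10"}
SAMPLE_BATCH = [GOOD, TAMPERED, STALE, UNKNOWN, INCOMPLETE]

if __name__ == "__main__":
    accepted, exceptions = validate_batch(SAMPLE_BATCH, NOW)
    print("accepted:", [r["unit_id"] for r in accepted])
    for e in exceptions:
        print("exception:", e)
```

The exceptions list is the hook for the "exception resolution procedures" the Correct attribute calls for: each entry names the unit and the specific check that failed, so a reviewer can go back to the source rather than guess. The comparison uses `hmac.compare_digest` so that signature checking does not leak timing information, and the fixed `NOW` makes the currency check reproducible; a production gate would pass the real clock in.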
Information that is obtained from outsourced service providers that manage business processes on behalf of the entity, and other external parties on whom the entity depends, is subject to the same internal control expectations. Information requirements are developed by the organization and communicated to outside service providers and other similar external parties. Controls support the organization's ability to rely on such information, including internal control over outsourced service providers such as vendor due diligence, exercise of right-to-audit clauses, and obtaining an independent assessment over the service provider's controls.
Management considers its requirements to retain communications, particularly those to and from external parties or those that relate to the entity's compliance with laws and regulations. Given the potential volume and ability to store and retrieve such information, this requirement may be challenging when management relies on real-time, technology-enabled communication. Controls over retention of internal control information consider the challenges of advances in technology, including communication and collaboration technologies used to support other components of internal control and achievement of the entity's objectives.
Generated November 9, 2014 22:46:48