The agency obtains or generates and uses relevant, quality information to support the functioning of internal control. The following points of focus highlight important characteristics relating to this principle.
- Identifies information requirements – Management designs a process that uses the agency’s objectives and related risks to identify the information requirements needed to achieve the objectives and address the risks. Information requirements consider the needs of both internal and external users. Management defines the information requirements and relevant level of specificity for all users.
Management identifies information requirements in an iterative and ongoing process that occurs throughout an effective internal control system. As change in the agency and its objectives and risks occurs, management changes information requirements as needed to meet these modified objectives and address these modified risks.
- Captures relevant data from reliable sources – Management obtains relevant data from reliable internal and external sources in a timely manner based on the identified information requirements. Relevant data have a logical connection with, or bearing upon, the identified information requirements. Reliable internal and external sources provide data that are reasonably free from error and bias and faithfully represent what they purport to represent.
Management evaluates both internal and external sources of data for reliability. Sources of data can be operational, financial, or compliance related. Management obtains data on a timely basis so that they can be used for effective monitoring.
- Processes data into information – Management processes the obtained data into quality information that supports the internal control system. Quality information is appropriate, current, complete, accurate, accessible, and provided on a timely basis. Management uses the quality information to make informed decisions and evaluate the agency’s performance in achieving key objectives and addressing risks.