The Green Book defines internal control as a process effected by an entity's oversight body, management, and other personnel that provides reasonable assurance that the objectives of an entity will be achieved. These objectives and related risks can be broadly classified into one or more of the following three categories:
Operations - Effectiveness and efficiency of operations
Reporting - Reliability of reporting for internal and external use
Compliance - Compliance with applicable laws and regulations
These are distinct but overlapping categories. A particular objective can fall under more than one category, can address different needs, and may be the direct responsibility of different individuals.
An internal control system is a continuous built-in component of operations, effected by people, that provides reasonable assurance, not absolute assurance, that an entity's objectives will be achieved.
Internal control is not one event, but a series of actions that occur throughout an entity's operations. Internal control is recognized as an integral part of the operational processes management uses to guide its operations rather than as a separate system within an entity. In this sense, internal control is built into the entity as a part of the organizational structure to help managers achieve the entity's objectives on an ongoing basis.
People are what make internal control work. Management is responsible for an effective internal control system. As part of this responsibility, management sets the entity's objectives, implements controls, and evaluates the internal control system. However, personnel throughout an entity play important roles in implementing and operating an effective internal control system.
An effective internal control system increases the likelihood that an entity will achieve its objectives. However, no matter how well designed, implemented, or operated, an internal control system cannot provide absolute assurance that all of an organization's objectives will be met. Factors outside the control or influence of management can affect the entity's ability to achieve all of its objectives. For example, a natural disaster can affect an organization's ability to achieve its objectives. Therefore, once in place, effective internal control provides reasonable, not absolute, assurance that an organization will achieve its objectives.