Chapter 10: An Integrated Framework for Hierarchical Internal Controls

10.1 Internal Control Principles and the Integration of Internal Control, Risk Management, and Governance

This chapter explores how internal controls for TRIO organizations can be fully integrated with enterprise risk and opportunity management (EROM). It provides an extension and follow-up to earlier sections in this book (notably Sections 3.6 and 4.7) and is intended to be responsive to the recently issued requirements of the Office of Management and Budget (OMB) in Circular A-123 (OMB 2016) concerning EROM and internal controls. It also recommends innovative approaches that exceed the minimum OMB requirements in several areas.

In a nutshell, the following key principles for internal controls are advocated in this book:

  • Internal controls should be derived from the organization's strategic objectives, tactical objectives, and core standards of operation and from considerations of the risk and opportunity drivers that affect the organization's ability to meet those objectives and standards.
  • The drivers are determined from the factors that most significantly affect aggregate risks and opportunities rather than just from individual risks and opportunities.
  • The identification and evaluation of internal controls focus largely on protection of the assumptions and/or correction of the actual and potential weaknesses that need to be addressed for the aggregate risks and opportunities to be effectively and efficiently ...
