The components of an internal control system

The Components of an Internal Control System

ISA 315 Identifying and Assessing the Risks of Material Misstatement Through Understanding the Entity and its Environment states that auditors need to understand an entity's internal controls. To assist this process it identifies five components of an internal control system:

  • the control environment;
  • the entity's risk assessment process;
  • the information system;
  • the control activities; and
  • the monitoring of controls.

The control environment

The control environment includes the governance and management function of an organisation. It focuses largely on the attitude, awareness and actions of those responsible for designing, implementing and monitoring internal controls. Elements of the control environment that are relevant when the auditor obtains an understanding include the following:

  • communication and enforcement of integrity and ethical values;
  • commitment to competence;
  • participation by those charged with governance;
  • management's philosophy and operating style;       
  • organisational structure;
  • assignment of authority and responsibility; and
  • human resource policies and practices.

Evidence regarding the control environment is usually obtained through a mixture of enquiry and observation, although inspection of key internal documents (e.g. codes of conduct and organisation charts) is possible.

The risk assessment process

The risk assessment process forms the basis for how management determines the risks to be managed. These processes will vary hugely depending upon the nature, size and complexity of the organisation. However, larger organisations (usually listed ones) will have internal audit departments, whose roles focus heavily on risk identification and assessment.

If the client has robust procedures for assessing the business risks it faces, the risk of misstatement, overall, will be lower.

The information system

The information systems relevant to financial reporting objectives include all the procedures and records which are designed to:

  • Initiate, record, process and report transactions;
  • Maintain accountability for assets, liabilities and equity;
  • Resolve incorrect processing of transactions;
  • Process and account for system overrides;
  • Transfer information to the general/nominal ledger;
  • Capture information relevant to financial reporting for other events and conditions; and
  • Ensure information required to be disclosed is appropriately reported.

Control activities

The control activities include all policies and procedures designed to ensure that management directives are carried out throughout the organisation. Examples of specific control activities include those relating to:

  • Authorisation;
  • Performance review;
  • Information processing;
  • Physical controls; and
  • Segregation of duties.

Monitoring of controls

This is the process of assessing the effectiveness of controls over time and taking necessary remedial action. Clearly if a control is not implemented properly or is simply considered ineffective then misstatements may pass undetected into the financial statements.

Monitoring can be either ongoing or performed on a separate evaluation basis (or a combination of both). Either way, it needs to be effective for the system to work. Monitoring of internal controls is often the key role of internal auditors.

Created at 10/3/2012 5:39 PM  by System Account  (GMT) Greenwich Mean Time : Dublin, Edinburgh, Lisbon, London
Last modified at 11/2/2016 11:25 AM  by System Account  (GMT) Greenwich Mean Time : Dublin, Edinburgh, Lisbon, London

Rating :

Ratings & Comments  (Click the stars to rate the page)


Controls;systems of control;Risk assessment;control environment

Recent Discussions

There are no items to show in this view.