Components of Internal Control
Internal control consists of the following five interrelated components and the seventeen principles associated with them.
1. Control Environment
Control environment is the attitude toward internal control and control consciousness established and maintained by the management and the employees of an organization. It is a product of management’s philosophy, style and supportive attitude, as well as the competence, ethical values, integrity, and morale of the organization’s people. The organization structure and accountability relationships are key factors in the control environment.
Principles for the Control Environment
- Demonstrates commitment to integrity and ethical values
- Exercises oversight responsibility
- Establishes structure, authority and responsibility
- Demonstrates commitment to competence
- Enforces accountability
2. Communication (and Information)
Communication is the exchange of useful information between and among people and organizations to support decisions and coordinate activities. Within an organization, information should be communicated to management and other employees who need it in a form and within a time frame that helps them to carry out their responsibilities. Communication also takes place with outside parties such as customers, suppliers and regulators.
Principles for Communication and Information
- Uses relevant information
- Communicates internally
- Communicates externally
3. Risk Assessment
Risks are events that threaten the accomplishment of objectives. They ultimately impact an organization’s ability to accomplish its mission. Risk assessment is the process of identifying, evaluating and determining how to manage these events. At every level within an organization there are both internal and external risks that could prevent the accomplishment of established objectives. Ideally, management should seek to prevent these risks. However, sometimes management cannot prevent the risk from occurring. In such cases, management should decide whether to accept the risk, reduce the risk to acceptable levels, or avoid the risk. To have reasonable assurance that the organization will achieve its objectives, management should ensure each risk is assessed and handled properly.
Principles for Risk Assessment
- Specifies suitable objectives
- Identifies and analyses risk
- Assesses fraud risk
- Identifies and analyses significant change
Impact – Is generally beyond the organization’s control in the short-to-medium term.
Likelihood – Is the main focus of an organization’s internal control
What are the possible risks in your area of operations and what is the likely impact of each?
How to Deal With Risk
- Accept the risk: Do not establish control activities
- Prevent or reduce the risk: Establish control activities
- Avoid the risk: Do not carry out the function
Preventing or Reducing Risk
- What is the cause of the risk?
- What is the cost of control vs. the cost of the unfavorable event?
- What is the priority of this risk?
Managing Risk during Change
- What necessary training needs to be carried out?
- What necessary review and oversight needs to be carried out during the period of change?
4. Control Activities
Control activities are tools - both manual and automated - that help prevent or reduce the risks that can impede accomplishment of the organization’s objectives and mission. Management should establish control activities to effectively and efficiently accomplish the organization’s objectives and mission.
Principles for Control Activities
- Selects and develops control activities
- Selects and develops general controls over technology
- Deploys through policies and procedures
Monitoring is the review of an organization’s activities and transactions to assess the quality of performance over time and to determine whether controls are effective. Management should focus monitoring efforts on internal control and achievement of organization objectives. For monitoring to be most effective, all employees need to understand the organization’s mission, objectives, and responsibilities and risk tolerance levels.
Principles for Monitoring
- Conducts ongoing and/or separate evaluations
- Evaluates and communicates deficiencies