Components of Internal Control
Internal control consists of the following five interrelated components.
1. Control Environment
Control environment is the attitude toward internal control and control consciousness established and maintained by the management and the employees of an organization. It is a product of management’s philosophy, style and supportive attitude, as well as the competence, ethical values, integrity, and morale of the organization’s people. The organization structure and accountability relationships are key factors in the control environment.
Elements of the Control Environment
- Ethical Values and Integrity
- Management’s Operating Style and Philosophy
- Supportive Attitude
Communication is the exchange of useful information between and among people and organizations to support decisions and coordinate activities. Within an organization, information should be communicated to management and other employees who need it in a form and within a time frame that helps them to carry out their responsibilities. Communication also takes place with outside parties such as customers, suppliers and regulators.
Elements of Communication
- Sufficient but not excessive detail
- Appropriate to user
- Clear and open horizontal and vertical
3. Assessing and Managing Risk
Risks are events that threaten the accomplishment of objectives. They ultimately impact an organization’s ability to accomplish its mission. Risk assessment is the process of identifying, evaluating and determining how to manage these events. At every level within an organization there are both internal and external risks that could prevent the accomplishment of established objectives. Ideally, management should seek to prevent these risks. However, sometimes management cannot prevent the risk from occurring. In such cases, management should decide whether to accept the risk, reduce the risk to acceptable levels, or avoid the risk. To have reasonable assurance that the organization will achieve its objectives, management should ensure each risk is assessed and handled properly.
Assessing Risk (Ask the questions…)
- What obstacles could stand in the way of achieving your objective?
- What can go wrong?
- What is the worst thing that could happen?
- What is the worst thing that has happened?
- Are there new Processes?
- Are there processes that have changed?
- Are there new goals and legislation?
- Are there staffing changes?
- What keeps you awake at night?
Impact – Is generally beyond the organization’s control in the short-to-medium term.
Likelihood – Is the main focus of an organization’s internal control
What are the possible risks in your area of operations and what is the likely impact of each?
How to Deal With Risk
- Accept the risk: Do not establish control activities
- Prevent or reduce the risk: Establish control activities
- Avoid the risk: Do not carry out the function
Preventing or Reducing Risk
- What is the cause of the risk?
- What is the cost of control vs. the cost of the unfavorable event?
- What is the priority of this risk?
Managing Risk during Change
- What necessary training needs to be carried out?
- What necessary review and oversight needs to be carried out during the period of change?
4. Control Activities
Control activities are tools - both manual and automated - that help prevent or reduce the risks that can impede accomplishment of the organization’s objectives and mission. Management should establish control activities to effectively and efficiently accomplish the organization’s objectives and mission.
Examples of Control Activities
- Approval and Authorization
- Separation of Duties
- Safeguarding Assets
- Computer Systems Controls
o Backup and Disaster Recovery
o Input Controls
o Output Controls
Monitoring is the review of an organization’s activities and transactions to assess the quality of performance over time and to determine whether controls are effective. Management should focus monitoring efforts on internal control and achievement of organization objectives. For monitoring to be most effective, all employees need to understand the organization’s mission, objectives, and responsibilities and risk tolerance levels.
Major Areas for Monitoring
- Control Activities
- Control Environment
- Risks and Opportunities