Describe and explain the five components of internal control

ISA 315 Identifying and Assessing the Risks of Material Misstatement Through Understanding the Entity and its Environment states that auditors need to understand an entity's internal controls. To assist this process it identifies five components of an internal control system:

  • the control environment;
  • the entity's risk assessment process;
  • the information system;
  • the control activities;
  • the monitoring of controls.

The control environment

The control environment includes the governance and management function of an organisation. It focuses largely on the attitude, awareness and actions of those responsible for designing, implementing and monitoring internal controls. Elements of the control environment that are relevant when the auditor obtains an understanding include the following:

  • communication and enforcement of integrity and ethical values;
  • commitment to competence;
  • participation by those charged with governance;
  • management's philosophy and operating style;
  • organisational structure;
  • assignment of authority and responsibility; and
  • human resource policies and practices.

Evidence regarding the control environment is usually obtained through a mixture of enquiry and observation, although inspection of key internal documents (e.g. codes of conduct and organisation charts) is possible.

The risk assessment process

The risk assessment process forms the basis for how management determines the risks to be managed. These processes will vary hugely depending upon the nature, size and complexity of the organisation. However, larger organisations (usually listed ones) will have internal audit departments, whose roles focus heavily on risk identification and assessment.

If the client has robust procedures for assessing the business risks it faces, the risk of misstatement, overall, will be lower.

The information system

The information systems relevant to financial reporting objectives include all the procedures and records which are designed to:

  • Initiate, record, process and report transactions;
  • Maintain accountability for assets, liabilities and equity;
  • Resolve incorrect processing of transactions;
  • Process and account for system overrides;
  • Transfer information to the general/nominal ledger;
  • Capture information relevant to financial reporting for other events and conditions; and
  • Ensure information required to be disclosed is appropriately reported.

Control activities

The control activities include all policies and procedures designed to ensure that management directives are carried out throughout the organisation. Examples of specific control activities include those relating to:

  • Authorisation;
  • Performance review;
  • Information processing;
  • Physical controls; and
  • Segregation of duties.

Monitoring of controls

This is the process of assessing the effectiveness of controls over time and taking necessary remedial action. Clearly if a control is not implemented properly or is simply considered ineffective then misstatements may pass undetected into the financial statements.

Monitoring can be either ongoing or performed on a separate evaluation basis (or a combination of both). Either way, it needs to be effective for the system to work. Monitoring of internal controls is often the key role of internal auditors.

 


