There are five main components of internal controls. An effective internal control system requires all five components to be present and functioning together.
Such internal control components are:
- Control environment;
- Risk assessment;
- Control activities;
- Information and Communication; and
Components Of Internal Controls
Let’s discuss the five internal control components in further detail.
The first internal control component relates to the control environment. The control environment sets the tone from the top. The board of directors provides oversight and guidance to the senior management to implement the strategies and plans defined by the board of directors. The management forms the set of processes, reporting lines, systems, and structures that provide the basis for carrying out internal controls across the organization. Control environment relates to the commitment of management and employees to integrity and ethical values.
For internal controls to be effective, an appropriate control environment should be enforced by and be developed under the involvement of the board of directors. The following six elements are best practice:
- The board of directors should review policies and procedures periodically and ensure their compliance.
- The board of directors should determine whether there is an effective audit and control system in place to periodically test and monitor compliance with internal control policies and procedures with the capacity to timely report instances of noncompliance.
- The board of directors should ensure independence of internal and external auditors. This includes that internal auditors directly report to the board and that external auditors may present material findings to the board directly.
- The board of directors should also ensure that appropriate remedial action are being taken when instances of non-compliance are reported and that systems are improved to avoid recurring errors.
- The board should ensure that an effective management information systems is in place, which provides adequate information and records to the board.
- Finally, the board should effectively communicate the organization’s code of conduct, the applicable ethical and behavioral guidelines, and the expectation of compliance to all employees of the organization.
The second internal control component relates to assessing risks by means of a risk assessment. The risk assessment aims to determine how risks will be identified, assessed, and managed by the senior management, middle management, and lower management of the organization through the application of relevant internal controls.
A risk is defined as “the possibility that an action or event will occur and adversely affect the achievement of the organization’s mission and objectives.”
Risk assessment activities require all levels of management and employees to consider the impact of possible changes in the internal and external environment. Based on the results of the risk assessment, management adopts mitigating actions to manage the adverse impacts of identified risks.
An effective process of risk assessment requires the board of directors and senior management to plan for and take appropriate measures to respond to the existing and potential risks. Such a risk assessment system requires two elements:
- The board of directors and senior management of the organization must have professionals with a background in internal controls or audits. They are subject matter experts who perform risk and controls assessment and evaluation. These experts should be provided with adequate resources to perform their duties.
- Risks evolve and change with time. Therefore, the board of directors and senior management of the organization, with due involvement of subject matter experts, should appropriately and timely evaluate the risks and identify issues or gaps in internal controls related to existing processes and activities.
The third internal control component relates to control activities themselves. An effective internal control system requires the management of the organization to develop control activities such as the development of policies, procedures, and standards that help management and employees mitigate identified risks. The purpose of control activities is to achieve the objectives and mission of the organization and manage the risks to which the organization is exposed.
The control activities that are being designed and implemented may either be preventive or detective in nature. Preventive controls are designed and implemented by management to prevent the occurrence of risks. Detective controls, on the other hand, are the controls which aim to detect incidents that have already occurred.
The first internal control component relates to effective internal control information. Commonly, information is obtained by the organization’s management from both internal and external sources. Information is required to support all the components of internal controls.
Management communicates with internal and external stakeholders and such communication is used to disseminate important information throughout the organization. The internal communication of information throughout an organization also allows senior management to demonstrate that control activities should be taken seriously by all the employees and staff working in different departments and functions.
The fifth and final internal control component relates to the continuous monitoring of internal control activities. Oftentimes, monitoring activities are periodically performed by internal control reviewers or audit staff, such as internal or external auditors, to verify that each of the five components of internal controls is present and functioning together in an organization.
Monitoring activities are an integral part of a robust internal control system. Monitoring activities may include one or all of the following four exemplary activities:
- The board and senior management execute oversight over the internal control system, perform periodic internal control reviews, and instruct internal or external audits of departments and functions. For this purpose, the board and management define criteria according to which internal control review activities are performed.
- Issues and deviations must be identified and reported to the relevant board sub-committees such as the board audit committee or senior management for resolution.
- The board or senior management must review the qualifications and independence of the personnel evaluating controls (for example: external auditors, internal auditors, or internal control managers).
- Internal control issues must be observed and shared with relevant control owners to obtain their response on such issues and observations.
Companies must run their processes as efficiently and effectively as possible in order to be profitable. For obvious reasons, planning how companies carry out these processes is critical to ensuring profitability. However, simply planning their processes is insufficient. Companies must also have systems in place to ensure that their processes run as planned. As a result, these businesses must have an internal control system in place.