An internal control system is implemented by management or those charged with governance to provide assurance that the entity’s objectives regarding reporting, compliance with applicable laws, and effectiveness and efficiency of operations are achieved. This is possible because the internal control system serves its purpose through different subsystems working collectively like clockwork; these are known as the components of the internal control system.
An internal control system has five components, which are as follows:
- Control Environment
It simply means the controlled environment of the entity in which the operations of the business are carried out. It is this control environment that keeps anyone in the entity from committing any wrongdoing. For example, if management is honest, encourages honesty and is strict towards falsehood, then employees would expect harsh consequences, and this expectation will keep employees from committing fraud individually or in collusion with others.
Another thing to understand is that it supplements the other functions (components) of the internal control system.
An auditor is required to obtain an understanding of whether such an environment has been developed by management through its philosophy and behaviour in the entity.
- Risk assessment process
One of the key roles of an internal control system is to prevent, or identify and correct, misstatements. However, an entity would not wait for a misstatement to happen and only then prevent or detect and correct it. Most of the time the entity establishes its own risk assessment process to identify the risk of material misstatement ahead of time. The auditor obtains an understanding of the entity’s risk assessment process, and of whether it is working as expected in the light of business risk, by considering:
- expected risks
- effects of such risks
- likelihood that the risk will materialize
- decisions taken to address such risks
- Information and communication
Information has taken a pivotal role in every aspect of our lives, including the business environment. During an audit engagement the auditor gains an understanding of the information and communication system of the entity, which acts as one of the components of the internal control system. However, the information system does not only mean the accounting system. It is the system through which the entity, or to be precise its management, establishes and communicates within and outside the entity.
The entity’s information system must not be confused with information technology. IT has helped us develop much better information systems, but an information system is simply a system through which the entity records, processes and communicates information regarding its financial position, performance, etc. This system can be in manual form, and even today manual information systems are maintained around the world alongside IT-based information systems. The information system helps the entity to capture business transactions and to classify, measure, record and report them on a timely basis, and in this process IT can help in different ways.
- Control activities
Control activities are put in place by management to make financial information authentic and reliable. For example, debtors cannot be written off without the permission of the finance director or any other person given authority to write off debts. Similarly, credit sales cannot be made unless a recommendation is sought from the credit control department. Such control activities are not necessarily in the nature of authorization. The requirement to enter a password to access certain modules of the information system is an example from the information system. Similarly, a validation check in the database system can make sure that a supplier’s contact number contains only numbers, or that an email address has been entered in a particular format containing ‘@’, etc. All such checks help ensure that information is accurate.
- Monitoring process
The last component of an internal control system is the monitoring process. It can be considered an inbuilt service of the internal control system that assesses the system’s effectiveness. The monitoring process is carried out by evaluating the current operations of the internal control system and through separate evaluations that include routine and non-routine system checks. Such evaluations may consider external information, for example customers’ feedback. In light of such information, management or those charged with governance take the necessary steps to keep the internal control system up to the mark, so that the risk of material misstatement is dealt with appropriately and the system is updated as and when necessary.
I really hope that the following three-dimensional figure will aid you in observing how each component of internal control system is connected to the other.