The 5 components of Internal Control

NotesVideoQuizCBEMock

There are 5 key components of an internal control system

These are

  1. Control Activities

  2. Risk Assessment

  3. Information Systems

  4. Monitoring of Controls

  5. Strong Control Environment

Control Activities

This includes all procedures designed to ensure management directives are carried out

  • Approval and Control of Documents

    • Documents should be approved by an appropriate person.  For example, wages calculations and payments should be approved by a senior manager.

  • Controls over IT

    • Passwords, usernames, back-ups and any other appropriate controls should be in place.

  • Reconciliations

    • Key account balances such as bank and debtors should be reconciled on a regular basis.

  • Arithmetical Accuracy

    • Items such as invoices etc should be checked to ensure they are arithmetically correct.

  • Control Accounts

    • Control accounts for accounts such as wages, PAYE, VAT should be maintained.

  • Restricted access to physical assets

    • Only authorised staff should have access to certain areas of the business such as valuable or sensitive assets.

  • Compare physical counts with accounting records

    • Items such as cash and inventory should be counted periodically and compared to the amount in the accounting records.

  • Segregation of Duties

    • Responsibilities should be divided to reduce the risk of fraud and error by employees

Risk Assessment

  1. The auditor should understand how management assess risk and how they take action to mitigate risks discovered

  2. Management should be undertaking regular risk assessments to ensure that all risks are identified and mitigated.

Information System

The auditor must ‘obtain an understanding of the information system, including the related business processes, relevant to financial reporting.’

The auditor must decide what areas of the information system are relevant to the financial reporting of the entity and only concentrate on those systems.

  • The ISA defines these areas as:

    • The classes of transactions in the entities operations which are significant to the financial statements.

    • The procedures, within both IT and manual systems, by which those transactions are initiated, recorded, processed and reported in the financial statements.

    • The related accounting records, whether electronic or manual, supporting information and specific accounts in the financial statements, in respect of initiating, recording, processing and reporting transactions.

    • How the information system captures events and conditions other than classes of transactions, that are significant to the financial statements.

    • The financial reporting procedure used to prepare the entities financial statements, including significant accounting estimates and disclosures.

  • This is a key area to the exam as a question will often require you to understand business systems in a scenario.  Read and ensure you understand the above areas.

Monitoring of Controls

  1. Controls may be monitored either by management or by the internal audit function if one exists.

  2. The auditor may be able to rely on some of the work of internal audit as we will see later, but must first gain an understanding of how controls are monitored and how effective the monitoring is.

The Control Environment

  • The control environment refers to the framework around which the controls of the organisation operate.

    Management attitude will largely determine the nature of the control environment.

  • ISA 315 requires the auditor to consider the following aspects:

    • Communication and enforcement of integrity and ethical values.

    • Commitment to competence.

    • Participation of those charged with governance.

    • Management philosophy and operating style.

    • Organisational structure.

    • Assignment of authority and responsibility.

    • Human resources policies and practices.

NotesVideoQuizCBEMock