How to Identify the Five Components of Internal Controls
When you are performing an audit, to judge the reliability of a client’s internal control procedures, you first have to be aware of the five components that make up internal controls. For each client, you need to understand each component to plan your audit. Your understanding of these components lets you grasp the design of internal controls relevant to the preparation of financial statements and lets you see whether each internal control is actually in operation.
Many models have been established to help your clients identify and offset control risk. The Sarbanes-Oxley Act of 2002 recommends the Committee of Sponsoring Organizations (COSO) model as a means for companies to identify and mitigate risk that can lead to financial misstatement. The COSO model is just one representation that can be used, and at its heart it guides management through the implementation of a control framework that is measurable and targeted at reducing risk.
Here are the five components of internal controls:
Control environment: This term refers to the attitude of the company, management, and staff regarding internal controls. Do they take internal controls seriously, or do they ignore them? Your client’s environment isn’t very good if, during your interviews with management and staff, you see a lack of effective controls or notice that previous audits show many errors.
Risk assessment: In a nutshell, you should evaluate whether management has identified its riskiest areas and implemented controls to prevent or detect errors or fraud that could result in material misstatements. For example, has management considered the risk of unrecorded revenue or expense transactions?
Control activities: These are the policies and procedures that help ensure that management’s directives are carried out. One example is a policy that all company checks for amounts more than $5,000 require two signatures.
Information and communication: You have to understand management’s information technology, accounting, and communication systems and processes. This includes internal controls to safeguard assets, maintain accounting records, and back up data.
For example, to safeguard assets, does the client tag all computers with identifying stickers and periodically take a count to make sure all computers are present? Regarding the accounting system, is it computerized or manual? If it’s computerized, are authorization levels set for employees so they can access only their piece of the accounting puzzle? For data, are backups done frequently and kept off-site in case of fire?
Monitoring: This component involves understanding how management monitors its controls — and how effective the monitoring is. The best internal controls are worthless if the company doesn’t monitor them and make changes when they aren’t working. For example, if management discovers that tagged computers are missing, it has to set better controls in place. The client may need to establish a policy that no computer gear leaves the facility without managerial approval.