Components of Internal Control

SA 315 explains the five components of any internal control as they relate to a financial statement audit. 

The five components are:

I. Control Environment

II. Risk Assessment

III. Control Activities

IV. Information and Communication

V. Monitoring of Controls

I. Control Environment

        It includes:


Integrity and Ethical Values

Commitment to Competence

Board of Directors and Audit Committee

Management’s Philosophy and Operating Style

Organizational Structure

Assignment of Authority and Responsibility

Human Resource Policies and Procedures

        The Control Environment is the set of standards, processes, and structures that provide the basis for carrying out internal control across the organization. 

        The board of directors and senior management establish the tone at the top regarding the importance of internal control, including expected standards of conduct.

        The control environment comprises the integrity and ethical values of the organization; the parameters enabling the board of directors to carry out its governance responsibilities; the organizational structure and assignment of authority and responsibility; the process for attracting, developing, and retaining competent individuals; and the rigor around performance measures, incentives, and rewards to drive accountability for performance.


        For example: While auditing, the auditor finds that the client’s environment isn’t very good. During interviews with management and staff, the auditor sees a lack of effective controls or notices that previous audits show many errors.

II. Risk Assessment

        It includes:

        Company-wide Objectives

        Process-level Objectives

        Risk Identification and Analysis

        Managing Change

                   Every entity faces a variety of risks from external and internal sources. Risk assessment involves a dynamic and iterative process for identifying and assessing risks to the achievement of objectives. Risks to the achievement of these objectives from across the entity are considered relative to established risk tolerances.

                 Thus, risk assessment forms the basis for determining how risks will be managed. A precondition to risk assessment is the establishment of objectives, linked at different levels of the entity. 

Example: Has management considered the risk of unrecorded revenue or expense transactions?

III. Control Activities

        It includes:

            Policies and Procedures

            Security (Application and Network)

            Application Change Management

            Business Continuity/Backups


            Control Activities are the actions established through policies and procedures that help ensure that management’s directives to mitigate risks to the achievement of objectives are carried out. 

            Control activities are performed at all levels of the entity, at various stages within business processes, and over the technology environment.

            They include the elements that operate to ensure that transactions are authorized, duties are segregated, assets are safeguarded, records are maintained, and independent checks are made over performance and the valuation of records.

            Control activities are developed to manage and mitigate the risks.

Example: Are the initiator and the authorizer of a transaction different personnel?

IV. Information & Communication

        It includes:

        Quality of Information

        Effectiveness of Communication


        Information is necessary for the entity to carry out internal control responsibilities in support of the achievement of its objectives. 

        Management obtains or generates and uses relevant and quality information from both internal and external sources to support the functioning of other components of internal control. 


        Communication is the continual, iterative process of providing, sharing, and obtaining necessary information. 

        Internal communication is how information is disseminated throughout the enterprise, flowing up, down, and across the entity. 

        It enables personnel to receive a clear message from senior management that control responsibilities should be taken seriously.  

        External communication is twofold: it enables inbound communication of relevant external information and provides information to external parties.

Example: To safeguard assets, does the client tag all computers with identifying stickers and periodically take a count to make sure all computers are present?

V. Monitoring of Controls

        It includes:

        On-going Monitoring

        Separate Evaluations

        Reporting Deficiencies

                Ongoing evaluations, separate evaluations, or some combination of the two are used to ascertain whether each of the five components of internal control, including controls to effect the principles within each component, is present and functioning.

                Ongoing evaluations provide timely information. 

                Findings are evaluated against management’s criteria and deficiencies are communicated to management and the board of directors as appropriate.

Example: If management discovers that tagged computers are missing, it has to set better controls in place. The organization may need to establish a policy that no computer gear leaves the facility without managerial approval.

Limitations of Internal Controls

Internal control, no matter how effective, can provide an entity with only reasonable assurance and not absolute assurance about achieving the entity’s operational, financial reporting and compliance objectives. 

Internal control systems are subject to certain inherent limitations, such as:

| Sr. No. | Limitations of Internal Control | Memory Hint (Key Word) |
|---|---|---|
| 1 | Management’s consideration that the cost of an internal control does not exceed the expected benefits to be derived. | Cost doesn’t exceed benefit |
| 2 | The fact that most internal controls do not tend to be directed at transactions of an unusual nature. The potential for human error, such as that due to carelessness, distraction, mistakes of judgment and misunderstanding of instructions. | Unusual transaction and human error |
| 3 | The possibility of circumvention of internal controls through collusion with employees or with parties outside the entity. | |
| 4 | The possibility that a person responsible for exercising an internal control could abuse that responsibility, for example, a member of management overriding an internal control. | Abuse of Responsibility |
| 5 | Manipulations by management with respect to transactions or estimates and judgments required in the preparation of financial statements. | Manipulation by management |
