SA 315 explains the five components of any internal control as they relate to a financial statement audit.
The five components are:
I. Control Environment
II. Risk Assessment
III. Control Activities
IV. Information and Communication
V. Monitoring of Controls
I. Control Environment
It includes:
Integrity and Ethical Values
Commitment to Competence
Board of Directors and Audit Committee
Management’s Philosophy and Operating Style
Organizational Structure
Assignment of Authority and Responsibility
Human Resource Policies and Procedures
The Control Environment is the set of standards, processes, and structures that provide the basis for carrying out internal control across the organization.
The board of directors and senior management establish the tone at the top regarding the importance of internal control, including expected standards of conduct.
The control environment comprises the integrity and ethical values of the organization; the parameters enabling the board of directors to carry out its governance responsibilities; the organizational structure and assignment of authority and responsibility; the process for attracting, developing, and retaining competent individuals; and the rigor around performance measures, incentives, and rewards to drive accountability for performance.
For example: While auditing, the auditor finds that the client’s environment isn’t very good. During interviews with management and staff, the auditor sees a lack of effective controls or notices that previous audits show many errors.
II. Risk Assessment
It includes:
Company-wide Objectives
Process-level Objectives
Risk Identification and Analysis
Managing Change
Every entity faces a variety of risks from external and internal sources. Risk assessment involves a dynamic and iterative process for identifying and assessing risks to the achievement of objectives. Risks to the achievement of these objectives from across the entity are considered relative to established risk tolerances.
Thus, risk assessment forms the basis for determining how risks will be managed. A precondition to risk assessment is the establishment of objectives, linked at different levels of the entity.
Example: Has management considered the risk of unrecorded revenue or expense transactions?
III. Control Activities
It includes:
Policies and Procedures
Security (Application and Network)
Application Change Management
Business Continuity/Backups
Outsourcing
Control Activities are the actions established through policies and procedures that help ensure that management’s directives to mitigate risks to the achievement of objectives are carried out.
Control activities are performed at all levels of the entity, at various stages within business processes, and over the technology environment.
They include the elements that operate to ensure that transactions are authorized, duties are segregated, assets are safeguarded, records are maintained, and independent checks are made over performance and the valuation of records.
Control activities are developed to manage and mitigate the risks.
Example: Are the initiator and the authorizer of a transaction different personnel?
IV. Information & Communication
It includes:
Quality of Information
Effectiveness of Communication
Information:
Information is necessary for the entity to carry out internal control responsibilities in support of the achievement of its objectives.
Management obtains or generates and uses relevant and quality information from both internal and external sources to support the functioning of other components of internal control.
Communication:
Communication is the continual, iterative process of providing, sharing, and obtaining necessary information.
Internal communication is how information is disseminated throughout the enterprise, flowing up, down, and across the entity.
It enables personnel to receive a clear message from senior management that control responsibilities should be taken seriously.
External communication is twofold: it enables inbound communication of relevant external information and provides information to external parties.
Example: To safeguard assets, does the client tag all computers with identifying stickers and periodically take a count to make sure all computers are present?
V. Monitoring of Controls
It includes:
On-going Monitoring
Separate Evaluations
Reporting Deficiencies
Ongoing evaluations, separate evaluations, or some combination of the two are used to ascertain whether each of the five components of internal control, including controls to effect the principles within each component, is present and functioning.
Ongoing evaluations provide timely information.
Findings are evaluated against management’s criteria and deficiencies are communicated to management and the board of directors as appropriate.
Example: If management discovers that tagged computers are missing, it has to put better controls in place. The organization may need to establish a policy that no computer gear leaves the facility without managerial approval.
Internal control, no matter how effective, can provide an entity with only reasonable assurance and not absolute assurance about achieving the entity’s operational, financial reporting and compliance objectives.
Internal control systems are subject to certain inherent limitations, such as:
| Sr. No. | Limitations of Internal Control | Memory Hint (Key word) |
| --- | --- | --- |
| i. | Management’s consideration that the cost of an internal control does not exceed the expected benefits to be derived. | Cost doesn’t exceed benefit |
| ii. | The fact that most internal controls do not tend to be directed at transactions of unusual nature. The potential for human error, such as, due to carelessness, distraction, mistakes of judgment and misunderstanding of instructions. | Unusual transaction and human error |
| iii. | The possibility of circumvention of internal controls through collusion with employees or with parties outside the entity. | Collusion |
| iv. | The possibility that a person responsible for exercising an internal control could abuse that responsibility, for example, a member of management overriding an internal control. | Abuse of Responsibility |
| v. | Manipulations by management with respect to transactions or estimates and judgments required in the preparation of financial statements. | Manipulation by management |