Internal Control consists of five interrelated component. Internal control systems operate at different levels of effectiveness. Determining whether a particular internal control system is effective is a judgment resulting from an assessment of whether the five components - Control Environment, Risk Assessment, Control Activities, Information and Communication, and Monitoring - are present and functioning. Effective controls provide reasonable assurance regarding the accomplishment of established objectives.
Control environment:
It is an overall attitude of the management towards the existence and effectiveness of control.The control environment is the control consciousness of an organization. It is the atmosphere in which people conduct their activities and carry out their control responsibilities. An effective control environment is an environment where competent people understand their responsibilities, the limits to their authority, and are knowledgeable, mindful, and committed to doing what is right and doing it the right way. They are committed to following an organization's policies and procedures and its ethical and behavioral standards.
The control environment encompasses technical competence and ethical commitment; it is an intangible factor that is essential to effective internal control.
A governing board and management enhance an organization's control environment when they establish and effectively communicate written policies and procedures, a code of ethics, and standards of conduct. Moreover, a governing board and management enhance the control environment when they behave in an ethical manner-creating a positive "tone at the top"—and when they require that same standard of conduct from everyone in the organization.
Leaders of each department, area or activity establish a local control environment. This is the foundation for all other components of internal control, providing discipline and structure. Control environment factors include:
· Integrity and ethical values;
· The commitment to competence;
· Leadership philosophy and operating style;
· The way management assigns authority and responsibility, and organizes and develops its people;
· Policies and procedures
Risk Assessment:
Risk is an uncertainty associated with an event the outcome of which could adversely affect the attainment of organization objective. Every entity faces a variety of risks from external and internal sources that must be assessed. A precondition to risk assessment is establishment of objectives, linked at different levels and internally consistent. Risk assessment is the identification and analysis of relevant risks to achievement of the objectives, forming a basis for determining how the risks should be managed. Because economics, regulatory and operating conditions will continue to change, mechanisms are needed to identify and deal with the special risks associated with change.
Objectives must be established before administrators can identify and take necessary steps to manage risks. Operations objectives relate to effectiveness and efficiency of the operations, including performance and financial goals and safeguarding resources against loss. Financial reporting objectives pertain to the preparation of reliable published financial statements, including prevention of fraudulent financial reporting. Compliance objectives pertain to laws and regulations which establish minimum standards of behavior. The process of identifying and analyzing risk is an ongoing process and is a critical component of an effective internal control system. Attention must be focused on risks at all levels and necessary actions must be taken to manage. Risks can pertain to internal and external factors. After risks have been identified they must be evaluated.
Managing change requires a constant assessment of risk and the impact on internal controls. Economic, industry and regulatory environments change and entities' activities evolve. Mechanisms are needed to identify and react to changing conditions.
Control Activities
Control activities are actions, supported by policies and procedures that, when carried out properly and in a timely manner, manage or reduce risks. In other words Control activities are the policies and procedures that help to ensure management directives are carried out. They help in ensuring that necessary actions are taken to address risks to achievement of the entity's objectives. Control activities occur throughout the organization, at all levels, and in all functions. They include a range of activities as diverse as approvals, authorizations, verifications, reconciliations, reviews of operating performance, security of assets and segregation of duties.
Who is Responsible? In the same way that managers are primarily responsible for identifying the financial and compliance risks for their operations, they also have line responsibility for designing, implementing and monitoring their internal control system.
Control activities usually involve two elements: a policy establishing what should be done and designing procedures to implement the policy. All policies must be implemented thoughtfully, conscientiously and consistently.
Information and CommunicationPertinent information must be identified, captured and communicated in a form and time frame that enables people to carry out their responsibilities. Effective communication must occur in a broad sense, flowing down, across and up the organization. All personnel must receive a clear message from top management that control responsibilities must be taken seriously. They must understand their own role in the internal control system, as well as how individual activities relate to the work of others. They must have a means of communicating significant information upstream.
Reliable and relevant information from both internal and external sources must be identified, captured, processed, and communicated to the people who need it--in a form and
timeframe that is useful. Information systems produce reports, containing operational, financial, and compliance-related information that makes it possible to run and control an organization.
Information and communication systems can be formal or informal. Formal information and communication systems--which range from sophisticated computer technology to simple staff meetings-should provide input and feedback data relative to operations, financial reporting, and compliance objectives; such systems are vital to an organization's success.
When assessing internal control over a significant activity (or process), the key questions to ask about information and communication are as follows:
Does our department get the information it needs from internal and external sources in a form and
timeframe that is useful?
Does our department get information that alerts it to internal or external risks (e.g. legislative, regulatory, and developments)?
Does our department get information that measures its performance-information that tells the department whether it is achieving its operations, financial reporting, and compliance objectives?
Does our department identifies, capture, process, and communicate the information that others need (e.g., information used by our customers or other departments)-in a form and
timeframe that is useful?
Does our department provide information to others that alerts them to internal or external risks?
Does our department communicate effectively--internally and externally?
Information and communication are simple concepts. Nevertheless, communicating with people and getting information to people in a form and
timeframe that is useful to them is a constant challenge. When completing a Business Controls Worksheet for a significant activity (or process) in a department, evaluate the quality of related information and communication systems.
Monitoring
Monitoring is the assessment of internal control performance over time; it is accomplished by ongoing monitoring activities and by separate evaluations of internal control such as self-assessments, peer reviews, and internal audits. The purpose of monitoring is to determine whether internal control is adequately designed, properly executed, and effective. Internal control is adequately designed and properly executed if all five internal control components (Control Environment, Risk Assessment, Control Activities, Information and Communication, and Monitoring) are present and functioning as designed. Internal control is effective if management and interested stakeholders have reasonable assurance that:
They understand the extent to which operations objectives are being achieved.
Published financial statements are being prepared reliably.
Applicable laws and regulations are being compiled.
While internal control is a process, its effectiveness is an assessment of the condition of the process at one or more points in time. Just as control activities help to ensure that actions to manage risks are carried out, monitoring helps to ensure that control activities and other planned actions to effect internal control are carried out properly and in a timely manner and that the end result is effective internal control.
Ongoing monitoring activities include various management and supervisory activities that evaluate and improve the design, execution, and effectiveness of internal control. Separate evaluations, on the other hand, such as self-assessments and internal audits, are periodic evaluations of internal control components resulting in a formal report on internal control. Department employees perform self-assessments; internal auditors who provide an independent appraisal of internal control perform internal audits. Management's role in the internal control system is critical to its effectiveness. Managers, like auditors, don't have to look at every single piece of information to determine that the controls are functioning and should focus their monitoring activities in high-risk areas. The use of spot checks of transactions or basic sampling techniques can provide a reasonable level of confidence that the controls are functioning as intended.