8.1.2 Component of internal control system

The components of an internal control system can be classified into five key elements, often referred to as the “COSO framework.” These components work together to establish a robust internal control environment within an organization. The components are as follows:

1. Control Environment: The control environment sets the tone for the organization’s internal control system. It encompasses the attitudes, awareness, and actions of management and employees regarding internal control and ethical conduct. This component includes factors such as the organization’s integrity and ethical values, management’s commitment to internal control, the board of directors’ oversight, and the establishment of appropriate organizational structure and reporting lines.
2. Risk Assessment: Risk assessment involves identifying and analyzing the risks that could prevent the organization from achieving its objectives. This component includes processes for assessing internal and external risks, evaluating their potential impact, and determining the likelihood of their occurrence. Risk assessment helps prioritize risks and enables management to develop effective control activities to mitigate them.
3. Control Activities: Control activities are the specific policies, procedures, and practices that are implemented to address identified risks. These activities are designed to ensure that objectives are achieved and that the organization’s policies and procedures are followed. Examples of control activities include segregation of duties, authorization and approval procedures, physical controls, information technology controls, reconciliations, and regular performance reviews. Control activities can be preventive (aimed at avoiding errors or irregularities) or detective (aimed at identifying errors or irregularities if they occur).
4. Information and Communication: The information and communication component ensures that relevant and reliable information is identified, captured, processed, and communicated to support the functioning of the internal control system. It involves the timely communication of information both internally and externally, ensuring that information flows accurately and effectively throughout the organization. This component includes processes for recording and reporting financial and non-financial information, as well as effective communication channels to facilitate the exchange of information within the organization.
5. Monitoring: Monitoring is the ongoing assessment of the effectiveness of the internal control system. It involves the review and evaluation of control activities to ensure they are operating as intended and achieving their objectives. Monitoring can be done through internal audits, management reviews, self-assessments, and other forms of periodic evaluations. The results of monitoring activities are used to identify areas for improvement, address control deficiencies, and enhance the overall effectiveness of the internal control system.