There are five components of an organization's internal control system.
Control Environment: A sound control environment is the foundation for all other components of internal control. The basic elements of the control environment include:
- Integrity and ethical values;
- Leadership view point and operating cycle;
- The commitment to competence; and
- The manner in which management assigns authority and responsibility, organization and development of its employees.
Risk Assessment: This involves management's identification of areas of high risk and implementation of controls to detect errors or fraud that potentially result in material misstatements. Examples include:
- Unrecorded revenue or expense transactions;
- Ghost employees on payroll;
- Payments to fictitious vendors; and
- Confirmation of inventory.
Control Activities: Control activities occur within the internal control system. Internal controls are developed and implemented to prevent or mitigate any risks identified. These are actually the specific policies, procedures, and processes designed to meet the University’s objectives. Examples include:
- Segregation of duties;
- Reconciliation;
- Physical security of assets; and
- Electronic data security.
Information and Communication: This area focuses on the systems and reports that help ensure that management directives to University’s employees are carried out effectively.
Monitoring: This involves assessing the quality and effectiveness of the University’s internal control over time. Monitoring can be an internal or external activity by management, employees, or outside parties. Monitoring can involve the following:
- Assessing the design and operation of controls;
- Assessing the compliance with policies and procedures; and
- Providing for implementation of corrective action plans.