Learning Outcomes
After studying this article, you will be able to describe the five components of an internal control system as required by the ACCA FAU exam. You will be able to explain each component, identify typical control activities, and outline why understanding these components is important for auditors when evaluating the effectiveness of internal control in an organisation.
ACCA Foundations in Audit (FAU) Syllabus
For ACCA Foundations in Audit (FAU), you are required to understand the main features and objectives of internal control within an entity. In particular, you should focus your revision on the following areas:
- The definition and objectives of internal control
- The five components of an internal control system: control environment, risk assessment process, information system and communication, control activities, and monitoring of controls
- Categories and examples of control activities
- The significance of internal control to auditors and how these components are assessed during the audit
- The inherent limitations of internal control
Test Your Knowledge
Attempt these questions before reading this article. If you find some difficult or cannot remember the answers, remember to look more closely at that area during your revision.
- List the five components of a system of internal control as defined by ISA 315.
- Which component includes management’s attitude toward internal controls and corporate culture?
- Give two examples of control activities commonly found in an accounting system.
- Why is understanding the internal control system important for auditors?
Introduction
Internal control is essential for reliable financial reporting, safeguarding assets, and efficient operations. Auditors are required to assess and understand internal controls to evaluate risk and design effective audits. International Standards on Auditing (ISA 315) describe five interrelated components that make up a sound internal control system. Recognising each component and its role is fundamental for both management and auditors.
Key Term: internal control system
The collection of policies and procedures established and maintained by management and other personnel, designed to provide reasonable assurance of achieving objectives relating to financial reporting, efficient operations, and compliance with laws and regulations.
COMPONENTS OF AN INTERNAL CONTROL SYSTEM
Modern internal control systems consist of five key components. Each is briefly explained below, with reference to typical controls and examples relevant to the audit process.
1. Control Environment
The control environment sets the overall tone of the organisation, influencing the effectiveness of all other controls. It reflects management's commitment to integrity, ethical values, and competence. Examples include clear organisational structures, strong personnel policies, and the presence of an internal audit function.
Key Term: control environment
The set of standards, processes, and structures that provide the basis for carrying out internal control across the organisation. It includes the attitudes, awareness, and actions of management and those charged with governance regarding internal control.
2. Entity’s Risk Assessment Process
Organisations must identify, assess, and manage risks that threaten the achievement of objectives. The risk assessment process involves identifying business risks relevant to financial reporting and deciding how to respond. For example, a business facing high credit risk from customers may introduce stricter credit approval procedures.
Key Term: risk assessment process
The systematic process an entity uses to identify and analyse relevant risks to the achievement of its objectives, forming a basis for determining how the risks should be managed.
3. Information System and Communication
This component consists of the methods and records established to initiate, record, process, and report transactions. An effective information system ensures accounting records are accurate and complete. Communication refers to how information flows internally and externally, allowing all levels of the entity to understand their internal control responsibilities.
Key Term: information system
The procedures and records by which transactions are initiated, processed, recorded, and reported, supporting the preparation of financial statements.
4. Control Activities
Control activities are the policies and procedures that help ensure management directives are carried out. These include authorisation, reviews, reconciliations, verifications, physical safeguards (such as locks and passwords), and segregation of duties. For example, separating responsibilities for authorising payments and recording transactions reduces the risk of fraud.
Key Term: control activities
Detailed actions and procedures (such as approvals, reconciliations, segregations, and verifications) designed to prevent, detect, and correct errors or irregularities.
5. Monitoring of Controls
Monitoring involves ongoing or separate evaluations to check whether internal controls are present and operating as intended. This may involve management reviews, internal audit assessments, or automated monitoring tools. When deficiencies are identified, they should be communicated to those responsible for corrective action.
Key Term: monitoring of controls
Processes to assess the quality of the internal control system’s performance over time, ensuring that controls are effective and deficiencies are reported and addressed.
Categories of Control Activities
Control activities can be grouped into several categories. Common types include:
- Authorisation and approval (e.g., requiring managerial sign-off for payments)
- Reconciliations (comparing records such as bank statements to accounting records)
- Verifications (checking data accuracy)
- Physical controls (locks, passwords, restricted access)
- Segregation of duties (different staff handling authorisation, custody, and recording)
Key Term: segregation of duties
The practice of allocating responsibilities so that no one person is in a position to both perpetrate and conceal errors or fraud within a process.
Worked Example 1.1
Suppose a company allows one employee to both approve supplier payments and record them in the accounting system. What risk does this pose, and which control activity could mitigate it?
Answer:
Allowing one person both to approve and record payments increases the risk of misappropriation or fraud going undetected. Introducing segregation of duties—so that one employee authorises payment and a different employee records it—reduces this risk.
Inherent Limitations of Internal Control
All systems have inherent limitations. For example:
- Human error or misunderstanding
- Collusion between staff to override controls
- Management override of controls
- Cost constraints (not all risks can be controlled cost-effectively) Therefore, controls provide reasonable, not absolute, assurance.
Revision Tip
Focus on understanding each control component and be prepared to give examples of control activities for common audit transaction cycles (purchases, sales, payroll).
Summary
A robust internal control system includes a supportive control environment, a structured process for identifying risks, reliable information systems, appropriate control activities, and continuous monitoring. Recognising these components will help in both audit exams and practical audit work.
Key Point Checklist
This article has covered the following key knowledge points:
- Define an internal control system and its objectives
- List and describe the five components of internal control: control environment, risk assessment, information system and communication, control activities, and monitoring
- Give practical examples of control activities
- Explain the role of segregation of duties
- Understand the inherent limitations of internal control systems
Key Terms and Concepts
- internal control system
- control environment
- risk assessment process
- information system
- control activities
- monitoring of controls
- segregation of duties