A system of internal control has five components. An accountant must be aware of these five components when designing an accounting system, as does a person who audits the system. The components of an internal control system are as follows:
- Control environment. This is the attitude of management and their employees regarding the need for internal controls. If the controls are taken seriously, this greatly enhances the robustness of the system of internal control.
- Risk assessment. This is the process of reviewing the business to see where the most critical risks lie, and then designing controls to address those risks. This assessment must be conducted on a regular basis, to take into account any new risks introduced by changes in the business.
- Control activities. This is the use of accounting systems, information technology, and other resources to ensure that appropriate controls are put in place and operating properly. For example, there may be accounting systems in place to periodically conduct inventory audits and fixed asset audits. In addition, there may be off-site backups to minimize the risk of lost data.
- Information and communication. Information about controls should be communicated to management in a timely manner, so that shortfalls can be addressed promptly. The amount of information communicated should be appropriate to the needs of the recipient.
- Monitoring. This is the set of processes used by management to examine and assess whether its internal controls are functioning properly. Ideally, management should be able to spot control failures and make adjustments to improve the control environment.